GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-18 21:51:49 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9160414ASG rev.DEC5 149,05GB Running: 5qrsmc6r.exe; Driver: C:\Users\oem\AppData\Local\Temp\uwldapow.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwAddBootEntry [0x9381DACC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x9381E5AA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEvent [0x9382A692] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEventPair [0x9382A6DE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x9382A878] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateMutant [0x9382A600] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwCreateSection [0x938D4426] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x9382A648] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateThread [0x9381EAE0] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateTimer [0x9382A832] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x9381F398] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x9381DB32] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDuplicateObject [0x93822BE4] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwLoadDriver [0x9381D71E] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwMapViewOfSection [0x938D4506] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x9381DB98] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x93822FDA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x9381FEDE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEvent [0x9382A6BC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEventPair [0x9382A700] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x9382A89C] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenMutant [0x9382A626] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenProcess [0x938224DE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenSection [0x9382A7B0] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x9382A670] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenThread [0x938228C6] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenTimer [0x9382A856] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x938D42AA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwQueryObject [0x9381FCF4] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwQueueApcThread [0x9381F84A] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x9381DBFE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetBootOptions [0x9381DC64] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwSetContextThread [0x938D4602] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x9381D7B8] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x9381D98A] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwShutdownSystem [0x9381D918] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendProcess [0x9381F562] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendThread [0x9381F6C4] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x9381DA12] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwTerminateProcess [0x938D4378] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwTerminateThread [0x9381F1F2] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwVdmControl [0x9381DCCA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x9381E606] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x9381ECFC] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 830E1758 4 Bytes [CC, DA, 81, 93] .text ntkrnlpa.exe!KeSetEvent + 191 830E17DC 4 Bytes [AA, E5, 81, 93] {STOSB ; IN EAX, 0x81; XCHG EBX, EAX} .text ntkrnlpa.exe!KeSetEvent + 1D1 830E181C 8 Bytes [92, A6, 82, 93, DE, A6, 82, ...] .text ntkrnlpa.exe!KeSetEvent + 1DD 830E1828 4 Bytes [78, A8, 82, 93] .text ntkrnlpa.exe!KeSetEvent + 1F5 830E1840 4 Bytes [00, A6, 82, 93] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 8326F00F 4 Bytes CALL 938205C5 \??\C:\Windows\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 83272C83 4 Bytes CALL 938205DB \??\C:\Windows\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[592] KERNEL32.dll!GetBinaryTypeW + 70 75C52447 1 Byte [62] .text C:\Windows\system32\wininit.exe[636] kernel32.dll!GetBinaryTypeW + 70 75C52447 1 Byte [62] .text C:\Windows\system32\csrss.exe[648] KERNEL32.dll!GetBinaryTypeW + 70 75C52447 1 Byte [62] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[676] kernel32.dll!GetBinaryTypeW + 70 75C52447 1 Byte [62] .text C:\Windows\system32\services.exe[680] kernel32.dll!GetBinaryTypeW + 70 75C52447 1 Byte [62] .text ... .text C:\Program Files\Internet Explorer\iexplore.exe[4628] ntdll.dll!LdrLoadDll 77159378 5 Bytes JMP 000501F8 .text C:\Program Files\Internet Explorer\iexplore.exe[4628] ntdll.dll!LdrUnloadDll 7716B680 5 Bytes JMP 000503FC .text C:\Program Files\Internet Explorer\iexplore.exe[4628] KERNEL32.dll!GetBinaryTypeW + 70 75C52447 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[4628] USER32.dll!EnableWindow 76DBCD8B 5 Bytes JMP 6C029ED4 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4628] USER32.dll!DialogBoxParamW 76DE10B0 5 Bytes JMP 6BF8189B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4628] USER32.dll!DialogBoxIndirectParamW 76DE2EF5 5 Bytes JMP 6C1791B6 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4628] USER32.dll!DialogBoxParamA 76DF8152 5 Bytes JMP 6C179151 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4628] USER32.dll!DialogBoxIndirectParamA 76DF847D 5 Bytes JMP 6C17921B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4628] USER32.dll!MessageBoxIndirectA 76E0D4D9 5 Bytes JMP 6C1790D8 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4628] USER32.dll!MessageBoxIndirectW 76E0D5D3 5 Bytes JMP 6C17905F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4628] USER32.dll!MessageBoxExA 76E0D639 5 Bytes JMP 6C178FFB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4628] USER32.dll!MessageBoxExW 76E0D65D 5 Bytes JMP 6C178F97 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] ntdll.dll!LdrLoadDll 77159378 5 Bytes JMP 000501F8 .text C:\Program Files\Internet Explorer\iexplore.exe[4680] ntdll.dll!LdrUnloadDll 7716B680 5 Bytes JMP 000503FC .text C:\Program Files\Internet Explorer\iexplore.exe[4680] KERNEL32.dll!CreateThread 75C4CB0E 5 Bytes JMP 6BFE75DB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] KERNEL32.dll!GetBinaryTypeW + 70 75C52447 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!CreateDialogParamW 76DB72A2 5 Bytes JMP 6C179520 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!GetAsyncKeyState 76DB863C 5 Bytes JMP 6BFCDED5 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!SetWindowsHookExW 76DB87AD 5 Bytes JMP 6C0225CC C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!CallNextHookEx 76DB8E3B 5 Bytes JMP 6C04801F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!UnhookWindowsHookEx 76DB98DB 5 Bytes JMP 6C06ED28 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!EnableWindow 76DBCD8B 5 Bytes JMP 6C029ED4 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!DefWindowProcA 76DBDB88 7 Bytes JMP 6BFE9805 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!CreateWindowExA 76DBDC2A 5 Bytes JMP 6BFF3627 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!CreateWindowExW 76DC1305 5 Bytes JMP 6C05040F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!GetKeyState 76DC8CB1 5 Bytes JMP 6BFCDDAB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!DefWindowProcW 76DD03B4 7 Bytes JMP 6C048082 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!IsDialogMessageW 76DD0745 5 Bytes JMP 6C179C9E C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!CreateDialogParamA 76DD17AA 5 Bytes JMP 6C1794E8 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!IsDialogMessage 76DD1847 5 Bytes JMP 6C179C76 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!CreateDialogIndirectParamA 76DD26F1 5 Bytes JMP 6C179558 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!CreateDialogIndirectParamW 76DD9A62 5 Bytes JMP 6C179590 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!SetKeyboardState 76DE0987 5 Bytes JMP 6C17A565 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!DialogBoxParamW 76DE10B0 5 Bytes JMP 6BF8189B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!DialogBoxIndirectParamW 76DE2EF5 5 Bytes JMP 6C1791B6 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!SendInput 76DE2F75 5 Bytes JMP 6C17A50D C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!EndDialog 76DE326E 5 Bytes JMP 6C179F4A C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!SetCursorPos 76DF6FB2 5 Bytes JMP 6C17A5E6 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!DialogBoxParamA 76DF8152 5 Bytes JMP 6C179151 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!DialogBoxIndirectParamA 76DF847D 5 Bytes JMP 6C17921B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!MessageBoxIndirectA 76E0D4D9 5 Bytes JMP 6C1790D8 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!MessageBoxIndirectW 76E0D5D3 5 Bytes JMP 6C17905F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!MessageBoxExA 76E0D639 5 Bytes JMP 6C178FFB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!MessageBoxExW 76E0D65D 5 Bytes JMP 6C178F97 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] USER32.dll!keybd_event 76E0D972 5 Bytes JMP 6C17A4CA C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4680] SHELL32.dll!SHRestricted + D95 761489A8 4 Bytes [CF, 01, A0, 67] .text C:\Program Files\Internet Explorer\iexplore.exe[4680] SHELL32.dll!SHRestricted + D9D 761489B0 8 Bytes [E0, 61, 9F, 67, 79, F7, 9F, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[4680] ole32.dll!OleLoadFromStream 77001E80 5 Bytes JMP 6C1799A8 C:\Windows\system32\IEFRAME.dll .text C:\Windows\system32\Macromed\Flash\FlashUtil32_12_0_0_44_ActiveX.exe[4996] kernel32.dll!GetBinaryTypeW + 70 75C52447 1 Byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[5028] kernel32.dll!GetBinaryTypeW + 70 75C52447 1 Byte [62] .text C:\Users\oem\Desktop\5qrsmc6r.exe[5476] kernel32.dll!GetBinaryTypeW + 70 75C52447 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[5644] ntdll.dll!LdrLoadDll 77159378 5 Bytes JMP 000501F8 .text C:\Program Files\Internet Explorer\iexplore.exe[5644] ntdll.dll!LdrUnloadDll 7716B680 5 Bytes JMP 000503FC .text C:\Program Files\Internet Explorer\iexplore.exe[5644] KERNEL32.dll!CreateThread 75C4CB0E 5 Bytes JMP 6BFE75DB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] KERNEL32.dll!GetBinaryTypeW + 70 75C52447 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!CreateDialogParamW 76DB72A2 5 Bytes JMP 6C179520 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!GetAsyncKeyState 76DB863C 5 Bytes JMP 6BFCDED5 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!SetWindowsHookExW 76DB87AD 5 Bytes JMP 6C0225CC C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!CallNextHookEx 76DB8E3B 5 Bytes JMP 6C04801F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!UnhookWindowsHookEx 76DB98DB 5 Bytes JMP 6C06ED28 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!EnableWindow 76DBCD8B 5 Bytes JMP 6C029ED4 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!DefWindowProcA 76DBDB88 7 Bytes JMP 6BFE9805 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!CreateWindowExA 76DBDC2A 5 Bytes JMP 6BFF3627 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!CreateWindowExW 76DC1305 5 Bytes JMP 6C05040F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!GetKeyState 76DC8CB1 5 Bytes JMP 6BFCDDAB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!DefWindowProcW 76DD03B4 7 Bytes JMP 6C048082 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!IsDialogMessageW 76DD0745 5 Bytes JMP 6C179C9E C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!CreateDialogParamA 76DD17AA 5 Bytes JMP 6C1794E8 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!IsDialogMessage 76DD1847 5 Bytes JMP 6C179C76 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!CreateDialogIndirectParamA 76DD26F1 5 Bytes JMP 6C179558 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!CreateDialogIndirectParamW 76DD9A62 5 Bytes JMP 6C179590 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!SetKeyboardState 76DE0987 5 Bytes JMP 6C17A565 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!DialogBoxParamW 76DE10B0 5 Bytes JMP 6BF8189B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!DialogBoxIndirectParamW 76DE2EF5 5 Bytes JMP 6C1791B6 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!SendInput 76DE2F75 5 Bytes JMP 6C17A50D C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!EndDialog 76DE326E 5 Bytes JMP 6C179F4A C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!SetCursorPos 76DF6FB2 5 Bytes JMP 6C17A5E6 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!DialogBoxParamA 76DF8152 5 Bytes JMP 6C179151 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!DialogBoxIndirectParamA 76DF847D 5 Bytes JMP 6C17921B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!MessageBoxIndirectA 76E0D4D9 5 Bytes JMP 6C1790D8 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!MessageBoxIndirectW 76E0D5D3 5 Bytes JMP 6C17905F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!MessageBoxExA 76E0D639 5 Bytes JMP 6C178FFB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!MessageBoxExW 76E0D65D 5 Bytes JMP 6C178F97 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!keybd_event 76E0D972 5 Bytes JMP 6C17A4CA C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5644] SHELL32.dll!SHRestricted + D95 761489A8 4 Bytes [CF, 01, A0, 67] .text C:\Program Files\Internet Explorer\iexplore.exe[5644] SHELL32.dll!SHRestricted + D9D 761489B0 8 Bytes [E0, 61, 9F, 67, 79, F7, 9F, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[5644] ole32.dll!OleLoadFromStream 77001E80 5 Bytes JMP 6C1799A8 C:\Windows\system32\IEFRAME.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[680] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 000E0002 IAT C:\Windows\system32\services.exe[680] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 000E0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp aswTdi.sys AttachedDevice \Driver\tdx \Device\Udp aswTdi.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234de5fe7e Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556e18b19 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556e18b19@cc051b28130e 0x5C 0x2D 0x13 0x5D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556e18b19@e063e5353898 0x4A 0x1E 0x97 0x9F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556e197e8 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\70f1a108a95f Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234de5fe7e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556e18b19 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556e18b19@cc051b28130e 0x5C 0x2D 0x13 0x5D ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556e197e8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\70f1a108a95f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234de5fe7e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556e18b19 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556e18b19@cc051b28130e 0x5C 0x2D 0x13 0x5D ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556e197e8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\70f1a108a95f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00234de5fe7e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\002556e18b19 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\002556e18b19@cc051b28130e 0x5C 0x2D 0x13 0x5D ... Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\002556e197e8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\70f1a108a95f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\00234de5fe7e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\002556e18b19 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\002556e18b19@cc051b28130e 0x5C 0x2D 0x13 0x5D ... Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\002556e197e8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\70f1a108a95f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\00234de5fe7e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\002556e18b19 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\002556e18b19@cc051b28130e 0x5C 0x2D 0x13 0x5D ... Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\002556e197e8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\70f1a108a95f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\BTHPORT\Parameters\Keys\00234de5fe7e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\BTHPORT\Parameters\Keys\002556e18b19 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\BTHPORT\Parameters\Keys\002556e18b19@cc051b28130e 0x5C 0x2D 0x13 0x5D ... Reg HKLM\SYSTEM\ControlSet007\Services\BTHPORT\Parameters\Keys\002556e197e8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\BTHPORT\Parameters\Keys\70f1a108a95f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\00234de5fe7e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\002556e18b19 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\002556e18b19@cc051b28130e 0x5C 0x2D 0x13 0x5D ... Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\002556e197e8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\70f1a108a95f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet009\Services\BTHPORT\Parameters\Keys\00234de5fe7e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet009\Services\BTHPORT\Parameters\Keys\002556e18b19 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet009\Services\BTHPORT\Parameters\Keys\002556e18b19@cc051b28130e 0x5C 0x2D 0x13 0x5D ... Reg HKLM\SYSTEM\ControlSet009\Services\BTHPORT\Parameters\Keys\002556e197e8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet009\Services\BTHPORT\Parameters\Keys\70f1a108a95f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\00234de5fe7e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\002556e18b19 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\002556e18b19@cc051b28130e 0x5C 0x2D 0x13 0x5D ... Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\002556e18b19@e063e5353898 0x4A 0x1E 0x97 0x9F ... Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\002556e197e8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\70f1a108a95f (not active ControlSet) ---- EOF - GMER 2.1 ----