GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-06-10 07:33:00 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD32 rev.01.0 298.09GB Running: 63mcyubd.exe; Driver: C:\Users\webasia\AppData\Local\Temp\fgliyfow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x94A1AAA0] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0x8F19E464] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcConnectPort [0x8F19CAC2] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcCreatePort [0x8F19C594] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0x8F19D95E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwConnectPort [0x8F19C682] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x94A275C8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x94A27614] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateFile [0x8F1A33A6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x94A277AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x94A27536] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreatePort [0x8F19C4A0] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateSection [0x8F19A4BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x94A2757E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateThread [0x8F19B662] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x94A27768] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwDebugActiveProcess [0x8F19BD54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x94A1AB06] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x8F148D90] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x8F14BAB0] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x8F14BB50] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwDuplicateObject [0x8F19C362] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwLoadDriver [0x8F19D386] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x94BAA7B2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x94A1AB6C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x94A1FF36] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x94A1CE54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x94A275F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x94A27636] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenFile [0x8F1A3724] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x94A277D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x94A2755C] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x8F14A310] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenSection [0x8F19A77C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x94A275A6] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenThread [0x8F19B8DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x94A2778C] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwProtectVirtualMemory [0x8F19D710] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x94A1CCC8] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x8F14BDD0] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwQueueApcThread [0x8F19DA7A] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x8F14BC10] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x8F14BCB0] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRequestPort [0x8F19CCE6] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRequestWaitReplyPort [0x8F19D04E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRestoreKey [0x8F1A319E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwResumeThread [0x8F19C102] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSecureConnectPort [0x8F19C8A4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x94A1ABD2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x94A1AC38] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSetContextThread [0x8F19BBFC] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x8F148F30] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSetSystemInformation [0x8F19E118] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x94A1A95E] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x8F14B970] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwShutdownSystem [0x8F19D2C0] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSuspendProcess [0x8F19C234] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSuspendThread [0x8F19BFAC] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSystemDebugControl [0x8F19BE72] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwTerminateProcess [0x8F19B4A0] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwTerminateThread [0x8F19BA94] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwUnloadDriver [0x8F19D54E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x94A1AC9E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwWriteVirtualMemory [0x8F19D83A] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateThreadEx [0x8F19B796] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 82CF2758 4 Bytes [A0, AA, A1, 94] .text ntkrnlpa.exe!KeSetEvent + 131 82CF277C 4 Bytes [64, E4, 19, 8F] .text ntkrnlpa.exe!KeSetEvent + 13D 82CF2788 8 Bytes [C2, CA, 19, 8F, 94, C5, 19, ...] .text ntkrnlpa.exe!KeSetEvent + 191 82CF27DC 4 Bytes [5E, D9, 19, 8F] .text ntkrnlpa.exe!KeSetEvent + 1C1 82CF280C 4 Bytes JMP 9C95AA93 .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82E8000F 4 Bytes CALL 94A1D517 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82E83C83 4 Bytes CALL 94A1D52D \SystemRoot\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8B35A000, 0x4036D, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8B3A3000, 0x510, 0x40000040] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90C03000, 0x1E73A0, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\afwServ.exe[276] kernel32.dll!SetUnhandledExceptionFilter 7646A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\afwServ.exe[276] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\system32\Dwm.exe[396] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\system32\svchost.exe[672] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\Explorer.EXE[768] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\system32\csrss.exe[808] KERNEL32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text ... .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1332] ntdll.dll!KiUserApcDispatcher 771B5BB8 5 Bytes JMP 01283500 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1332] kernel32.dll!LoadLibraryExW + 173 764694E7 4 Bytes JMP 71AB000A .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1332] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1332] WS2_32.dll!GetAddrInfoW 75813D12 5 Bytes JMP 71A10022 .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1332] WS2_32.dll!getaddrinfo 7581418A 5 Bytes JMP 71A50022 .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1332] WS2_32.dll!GetAddrInfoExW 7582288D 5 Bytes JMP 719D0022 .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1332] WS2_32.dll!gethostbyname 758262D4 5 Bytes JMP 71AE0022 .text C:\Windows\System32\svchost.exe[1380] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\system32\Ati2evxx.exe[1420] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\System32\svchost.exe[1456] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\System32\svchost.exe[1484] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\system32\svchost.exe[1496] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2012] kernel32.dll!SetUnhandledExceptionFilter 7646A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2012] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\system32\TODDSrv.exe[2152] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\system32\taskeng.exe[2196] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[2308] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2408] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2576] ntdll.dll!KiUserApcDispatcher 771B5BB8 5 Bytes JMP 003ECFB0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2576] kernel32.dll!LoadLibraryExW + 173 764694E7 4 Bytes JMP 71AC000A .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2576] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2576] USER32.dll!InSendMessageEx + 3B1 76BAE6B0 6 Bytes JMP 71AE001E .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2576] WS2_32.dll!GetAddrInfoW 75813D12 5 Bytes JMP 719E0022 .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2576] WS2_32.dll!getaddrinfo 7581418A 5 Bytes JMP 71A20022 .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2576] WS2_32.dll!GetAddrInfoExW 7582288D 5 Bytes JMP 719A0022 .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2576] WS2_32.dll!gethostbyname 758262D4 5 Bytes JMP 71A60022 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[2596] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2608] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\system32\taskeng.exe[2636] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2692] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2784] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3428] kernel32.dll!SetUnhandledExceptionFilter 7646A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3428] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3488] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe[3508] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Windows\system32\svchost.exe[3588] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[3616] KERNEL32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text ... .text C:\Program Files\Internet Explorer\iexplore.exe[6564] ntdll.dll!LdrLoadDll 77179378 5 Bytes JMP 000501F8 .text C:\Program Files\Internet Explorer\iexplore.exe[6564] ntdll.dll!LdrUnloadDll 7718B680 5 Bytes JMP 000503FC .text C:\Program Files\Internet Explorer\iexplore.exe[6564] ntdll.dll!NtMapViewOfSection 771B49B4 5 Bytes JMP 719F0022 .text C:\Program Files\Internet Explorer\iexplore.exe[6564] ntdll.dll!KiUserApcDispatcher + E 771B5BC6 5 Bytes JMP 6BDC98D0 c:\program files\trusteer\rapport\bin\rooksdol.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6564] KERNEL32.dll!QueueUserWorkItem 76459114 6 Bytes PUSH 710B0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] KERNEL32.dll!LoadLibraryExW + 173 764694E7 4 Bytes JMP 71AC000A .text C:\Program Files\Internet Explorer\iexplore.exe[6564] KERNEL32.dll!SetUnhandledExceptionFilter 7646A9BD 6 Bytes PUSH 71A30022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] KERNEL32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[6564] GDI32.dll!BitBlt 765370A6 6 Bytes PUSH 71810022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!DdeInitializeW 76BA7921 6 Bytes PUSH 71730022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!EnableWindow 76BACD8B 5 Bytes JMP 68319ED4 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!RegisterClassExW 76BADA30 6 Bytes PUSH 71AE0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!CreateWindowExA 76BADC2A 6 Bytes JMP 7192000A .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!RegisterClassA 76BADF42 6 Bytes PUSH 71890022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!RegisterClassW 76BAE1AB 6 Bytes PUSH 71A60022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!CreateWindowExW 76BB1305 6 Bytes JMP 7196000A .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!TranslateMessage 76BC01AD 6 Bytes PUSH 71690022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!PeekMessageW 76BC045A 6 Bytes PUSH 719B0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!DialogBoxParamW 76BD10B0 5 Bytes JMP 682718B3 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!DialogBoxIndirectParamW 76BD2EF5 5 Bytes JMP 684691B6 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!GetClipboardData 76BE715A 6 Bytes PUSH 716F0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!DialogBoxParamA 76BE8152 5 Bytes JMP 68469151 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!DialogBoxIndirectParamA 76BE847D 5 Bytes JMP 6846921B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!MessageBoxIndirectA 76BFD4D9 5 Bytes JMP 684690D8 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!MessageBoxIndirectW 76BFD5D3 5 Bytes JMP 6846905F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!MessageBoxExA 76BFD639 5 Bytes JMP 68468FFB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6564] USER32.dll!MessageBoxExW 76BFD65D 5 Bytes JMP 68468F97 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6564] ole32.dll!CoCreateInstance 76AA9F3E 6 Bytes JMP 718E000A .text C:\Program Files\Internet Explorer\iexplore.exe[6564] ole32.dll!CoCreateInstanceEx 76AA9F81 5 Bytes JMP 717D0022 .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!InternetCloseHandle 7703C664 6 Bytes PUSH 71490022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!HttpAddRequestHeadersA 77042A3C 6 Bytes PUSH 71650022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!InternetQueryDataAvailable 77043184 6 Bytes PUSH 712D0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!InternetOpenA 7704D5E0 6 Bytes PUSH 71350022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!InternetConnectA 7706567E 6 Bytes PUSH 71450022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!HttpOpenRequestA 77065761 6 Bytes PUSH 71610022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!InternetConnectW 77065CFA 6 Bytes PUSH 71410022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!HttpOpenRequestW 77065FEF 6 Bytes PUSH 715D0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!HttpSendRequestW 7706632D 6 Bytes PUSH 714D0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!InternetOpenW 7706C596 6 Bytes PUSH 71310022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!InternetSetStatusCallback 7706C7AA 6 Bytes PUSH 71290022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!InternetGetCookieExW 77072A75 6 Bytes PUSH 71390022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!InternetGetCookieExA 77072B91 6 Bytes PUSH 713D0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!HttpSendRequestExW 7707F564 6 Bytes PUSH 71510022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!InternetWriteFile 7707F6C6 6 Bytes PUSH 71250022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!HttpSendRequestA 7709525A 6 Bytes PUSH 71590022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WININET.dll!HttpSendRequestExA 770DECE5 6 Bytes PUSH 71550022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WS2_32.dll!connect 758140D9 5 Bytes JMP 71170022 .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WS2_32.dll!getaddrinfo 7581418A 5 Bytes JMP 71100022 .text C:\Program Files\Internet Explorer\iexplore.exe[6564] WS2_32.dll!GetAddrInfoExW 7582288D 5 Bytes JMP 711C0022 .text C:\Program Files\Internet Explorer\iexplore.exe[7164] ntdll.dll!LdrLoadDll 77179378 5 Bytes JMP 000501F8 .text C:\Program Files\Internet Explorer\iexplore.exe[7164] ntdll.dll!LdrUnloadDll 7718B680 5 Bytes JMP 000503FC .text C:\Program Files\Internet Explorer\iexplore.exe[7164] ntdll.dll!NtMapViewOfSection 771B49B4 5 Bytes JMP 719F0022 .text C:\Program Files\Internet Explorer\iexplore.exe[7164] ntdll.dll!KiUserApcDispatcher + E 771B5BC6 5 Bytes JMP 6BDC98D0 c:\program files\trusteer\rapport\bin\rooksdol.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] KERNEL32.dll!QueueUserWorkItem 76459114 6 Bytes PUSH 710B0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] KERNEL32.dll!LoadLibraryExW + 173 764694E7 4 Bytes JMP 71AC000A .text C:\Program Files\Internet Explorer\iexplore.exe[7164] KERNEL32.dll!SetUnhandledExceptionFilter 7646A9BD 6 Bytes PUSH 71A30022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] KERNEL32.dll!CreateThread 7648CBEE 5 Bytes JMP 682D75DB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] KERNEL32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[7164] GDI32.dll!BitBlt 765370A6 6 Bytes PUSH 71810022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!CreateDialogParamW 76BA72A2 5 Bytes JMP 68469520 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!DdeInitializeW 76BA7921 6 Bytes PUSH 71730022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!GetAsyncKeyState 76BA863C 5 Bytes JMP 682BDEC5 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!SetWindowsHookExW 76BA87AD 5 Bytes JMP 683125CC C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!CallNextHookEx 76BA8E3B 5 Bytes JMP 6833801F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!UnhookWindowsHookEx 76BA98DB 5 Bytes JMP 6835ED28 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!EnableWindow 76BACD8B 5 Bytes JMP 68319ED4 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!RegisterClassExW 76BADA30 6 Bytes PUSH 71AE0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!DefWindowProcA 76BADB88 7 Bytes JMP 682D9805 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!CreateWindowExA 76BADC2A 6 Bytes JMP 682E3627 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!RegisterClassA 76BADF42 6 Bytes PUSH 71890022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!RegisterClassW 76BAE1AB 6 Bytes PUSH 71A60022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!CreateWindowExW 76BB1305 6 Bytes JMP 7196000A .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!GetKeyState 76BB8CB1 5 Bytes JMP 682BDD9B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!TranslateMessage 76BC01AD 6 Bytes PUSH 71690022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!DefWindowProcW 76BC03B4 7 Bytes JMP 68338082 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!PeekMessageW 76BC045A 6 Bytes PUSH 719B0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!IsDialogMessageW 76BC0745 5 Bytes JMP 68469C9E C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!CreateDialogParamA 76BC17AA 5 Bytes JMP 684694E8 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!IsDialogMessage 76BC1847 5 Bytes JMP 68469C76 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!CreateDialogIndirectParamA 76BC26F1 5 Bytes JMP 68469558 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!CreateDialogIndirectParamW 76BC9A62 5 Bytes JMP 68469590 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!SetKeyboardState 76BD0987 5 Bytes JMP 6846A565 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!DialogBoxParamW 76BD10B0 5 Bytes JMP 682718B3 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!DialogBoxIndirectParamW 76BD2EF5 5 Bytes JMP 684691B6 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!SendInput 76BD2F75 5 Bytes JMP 6846A50D C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!EndDialog 76BD326E 5 Bytes JMP 68469F4A C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!SetCursorPos 76BE6FB2 5 Bytes JMP 6846A5E6 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!GetClipboardData 76BE715A 6 Bytes PUSH 716F0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!DialogBoxParamA 76BE8152 5 Bytes JMP 68469151 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!DialogBoxIndirectParamA 76BE847D 5 Bytes JMP 6846921B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!MessageBoxIndirectA 76BFD4D9 5 Bytes JMP 684690D8 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!MessageBoxIndirectW 76BFD5D3 5 Bytes JMP 6846905F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!MessageBoxExA 76BFD639 5 Bytes JMP 68468FFB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!MessageBoxExW 76BFD65D 5 Bytes JMP 68468F97 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] USER32.dll!keybd_event 76BFD972 5 Bytes JMP 6846A4CA C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] SHELL32.dll!SHRestricted + D95 759A88D8 4 Bytes [CF, 01, C0, 60] {IRET ; ADD EAX, EAX; PUSHA } .text C:\Program Files\Internet Explorer\iexplore.exe[7164] SHELL32.dll!SHRestricted + D9D 759A88E0 8 Bytes [E0, 61, BF, 60, 79, F7, BF, ...] {LOOPNZ 0x63; MOV EDI, 0xbff77960; PUSHA } .text C:\Program Files\Internet Explorer\iexplore.exe[7164] ole32.dll!OleLoadFromStream 76A71E80 5 Bytes JMP 684699A8 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7164] ole32.dll!CoCreateInstanceEx 76AA9F81 5 Bytes JMP 717D0022 .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!InternetCloseHandle 7703C664 6 Bytes PUSH 71490022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!HttpAddRequestHeadersA 77042A3C 6 Bytes PUSH 71650022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!InternetQueryDataAvailable 77043184 6 Bytes PUSH 712D0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!InternetOpenA 7704D5E0 6 Bytes PUSH 71350022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!InternetConnectA 7706567E 6 Bytes PUSH 71450022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!HttpOpenRequestA 77065761 6 Bytes PUSH 71610022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!InternetConnectW 77065CFA 6 Bytes PUSH 71410022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!HttpOpenRequestW 77065FEF 6 Bytes PUSH 715D0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!HttpSendRequestW 7706632D 6 Bytes PUSH 714D0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!InternetOpenW 7706C596 6 Bytes PUSH 71310022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!InternetSetStatusCallback 7706C7AA 6 Bytes PUSH 71290022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!InternetGetCookieExW 77072A75 6 Bytes PUSH 71390022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!InternetGetCookieExA 77072B91 6 Bytes PUSH 713D0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!HttpSendRequestExW 7707F564 6 Bytes PUSH 71510022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!InternetWriteFile 7707F6C6 6 Bytes PUSH 71250022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!HttpSendRequestA 7709525A 6 Bytes PUSH 71590022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WININET.dll!HttpSendRequestExA 770DECE5 6 Bytes PUSH 71550022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WS2_32.dll!connect 758140D9 5 Bytes JMP 71170022 .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WS2_32.dll!getaddrinfo 7581418A 5 Bytes JMP 71100022 .text C:\Program Files\Internet Explorer\iexplore.exe[7164] WS2_32.dll!GetAddrInfoExW 7582288D 5 Bytes JMP 711C0022 .text C:\Windows\system32\taskeng.exe[7420] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] .text C:\Users\webasia\Desktop\Downloads\OTL.exe[7456] kernel32.dll!GetBinaryTypeW + 70 7649252F 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[912] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00130002 IAT C:\Windows\system32\services.exe[912] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00130000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys Device \Driver\tdx \Device\Tcp OAmon.sys AttachedDevice \Driver\tdx \Device\Tcp aswNdis2.sys Device \Driver\tdx \Device\RawIp6 OAmon.sys Device \Driver\tdx \Device\Tcp6 OAmon.sys Device \Driver\tdx \Device\Tdx OAmon.sys Device \Driver\tdx \Device\Udp OAmon.sys AttachedDevice \Driver\tdx \Device\Udp aswNdis2.sys Device \Driver\tdx \Device\RawIp OAmon.sys Device \Driver\tdx \Device\Udp6 OAmon.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 29136 ---- EOF - GMER 2.1 ----