GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-06-12 20:03:50 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-4 Hitachi_HDP725050GLA360 rev.GM4OA52A 465,76GB Running: efkerdrp.exe; Driver: C:\Users\janou\AppData\Local\Temp\awddykod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x94CF26E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x94CF2800] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x94CF2010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x94CF24D0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x94CF2300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x94CF23E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x94CF2120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x94CF2210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x94CF25E0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82E77A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB1212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1357 82EB86EC 8 Bytes [E0, 26, CF, 94, 00, 28, CF, ...] {LOOPNZ 0x28; IRET ; XCHG ESP, EAX; ADD [EAX], CH; IRET ; XCHG ESP, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82EB8734 4 Bytes [10, 20, CF, 94] {ADC [EAX], AH; IRET ; XCHG ESP, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 13BF 82EB8754 4 Bytes [D0, 24, CF, 94] {SHL BYTE [EDI+ECX*8], 0x1; XCHG ESP, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 165F 82EB89F4 8 Bytes [00, 23, CF, 94, E0, 23, CF, ...] {ADD [EBX], AH; IRET ; XCHG ESP, EAX; LOOPNZ 0x29; IRET ; XCHG ESP, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 166F 82EB8A04 8 Bytes [20, 21, CF, 94, 10, 22, CF, ...] {AND [ECX], AH; IRET ; XCHG ESP, EAX; ADC [EDX], AH; IRET ; XCHG ESP, EAX} .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9BA32000, 0x16640A, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[772] ntdll.dll!LdrLoadDll 776622AE 5 Bytes JMP 67351EB1 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[772] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 756794E6 7 Bytes JMP 62A484D6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[772] kernel32.dll!QueryPerformanceCounter + 13 7567C4E5 7 Bytes JMP 62A484F9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[772] kernel32.dll!LoadAppInitDlls + 355 7567F5A6 7 Bytes JMP 620C3A32 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[772] GDI32.dll!GetViewportOrgEx + 26C 74FF884B 7 Bytes JMP 62A48457 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\Explorer.EXE[3000] SHELL32.dll!SHFileOperationW 75A89700 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4804] USER32.dll!RegisterMessagePumpHook + 2F1 75878B9E 7 Bytes JMP 622F9931 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4804] USER32.dll!IsDialogMessageW + 340 75884444 7 Bytes JMP 622F99A2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4804] USER32.dll!GetWindowInfo 75884B5E 5 Bytes JMP 622FD777 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4804] USER32.dll!ToUnicodeEx + 71 75892223 7 Bytes JMP 622F70E4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtCreateFile + 6 7764560E 4 Bytes [28, D8, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtCreateFile + B 77645613 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtCreateKey + 6 7764564E 4 Bytes [68, D9, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtCreateKey + B 77645653 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtCreateMutant + 6 7764568E 4 Bytes [68, DA, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtCreateMutant + B 77645693 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtCreateSection + 6 7764572E 4 Bytes [A8, DA, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtCreateSection + B 77645733 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtMapViewOfSection + B 77645C73 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenFile + 6 77645D1E 4 Bytes [68, D8, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenFile + B 77645D23 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenKey + 6 77645D4E 4 Bytes [A8, D9, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenKey + B 77645D53 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenKeyEx + B 77645D63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenMutant + 6 77645D9E 4 Bytes [28, DA, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenMutant + B 77645DA3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenProcess + 6 77645DCE 4 Bytes [68, DB, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenProcess + B 77645DD3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenProcessToken + 6 77645DDE 4 Bytes [A8, DB, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenProcessToken + B 77645DE3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenProcessTokenEx + 6 77645DEE 4 Bytes [68, DC, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenProcessTokenEx + B 77645DF3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenSection + B 77645E13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenThread + 6 77645E4E 4 Bytes [28, DB, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenThread + B 77645E53 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenThreadToken + 6 77645E5E 4 Bytes [28, DC, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenThreadToken + B 77645E63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenThreadTokenEx + 6 77645E6E 4 Bytes [A8, DC, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtOpenThreadTokenEx + B 77645E73 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtQueryAttributesFile + 6 77645F7E 4 Bytes [A8, D8, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtQueryAttributesFile + B 77645F83 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtQueryFullAttributesFile + B 77646033 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtSetInformationFile + 6 7764667E 4 Bytes [28, D9, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtSetInformationFile + B 77646683 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtSetInformationThread + B 776466E3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtUnmapViewOfSection + 6 776469FE 4 Bytes [28, DD, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ntdll.dll!NtUnmapViewOfSection + B 77646A03 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] kernel32.dll!CreateProcessW 7563204D 5 Bytes JMP 00080030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] kernel32.dll!CreateProcessA 75632082 5 Bytes JMP 00080070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!ActivateKeyboardLayout 75878203 5 Bytes JMP 000C04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!ScreenToClient 7587A506 7 Bytes JMP 000C0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!RegisterClipboardFormatA 7587C091 5 Bytes JMP 000C02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!RegisterClipboardFormatW 7587DF8D 5 Bytes JMP 000C02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!SetCursor 75883075 5 Bytes JMP 000C0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!MonitorFromWindow 75883622 7 Bytes JMP 000C0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!PostMessageW 7588447B 5 Bytes JMP 000C05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!IsWindowVisible 75884D69 7 Bytes JMP 000C06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!GetClientRect 758854DD 7 Bytes JMP 000C05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!MapWindowPoints 75885CAA 5 Bytes JMP 000C0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!GetParent 75886029 7 Bytes JMP 000C06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!EmptyClipboard 7589290C 5 Bytes JMP 000C0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!SetClipboardData 75892962 5 Bytes JMP 000C0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!GetClipboardData 75892BA7 5 Bytes JMP 000C0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!GetClipboardFormatNameW 75895FD2 5 Bytes JMP 000C0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!SetClipboardViewer 75896FF6 5 Bytes JMP 000C04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!GetClipboardFormatNameA 7589700A 5 Bytes JMP 000C0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!ChangeClipboardChain 758A147C 5 Bytes JMP 000C0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!GetTopWindow 758A24D9 7 Bytes JMP 000C0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!CloseClipboard 758A446C 5 Bytes JMP 000C00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!OpenClipboard 758A447E 5 Bytes JMP 000C0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!IsClipboardFormatAvailable 758A44FF 5 Bytes JMP 000C00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!GetClipboardSequenceNumber 758A4513 5 Bytes JMP 000C0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!GetClipboardOwner 758A4525 5 Bytes JMP 000C0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!CountClipboardFormats 758A470A 5 Bytes JMP 000C01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!EnumClipboardFormats 758A47EC 5 Bytes JMP 000C01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!GetOpenClipboardWindow 758A480B 5 Bytes JMP 000C03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!SetCursorPos 758BC1B0 5 Bytes JMP 000C0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!GetClipboardViewer 758D4AF7 5 Bytes JMP 000C0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] user32.DLL!GetPriorityClipboardFormat 758D4BF9 5 Bytes JMP 000C03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!DeleteObject 74FF5F14 5 Bytes JMP 000D01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SelectObject 74FF6640 5 Bytes JMP 000D05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SetTextColor 74FF6906 5 Bytes JMP 000D0A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SetBkMode 74FF69B1 5 Bytes JMP 000D08F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!DeleteDC 74FF6EAA 5 Bytes JMP 000D0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetDeviceCaps 74FF6F7F 5 Bytes JMP 000D03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!ExtSelectClipRgn 74FF7114 5 Bytes JMP 000D02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SelectClipRgn 74FF7242 5 Bytes JMP 000D05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SetStretchBltMode 74FF7705 5 Bytes JMP 000D06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetCurrentObject 74FF7917 5 Bytes JMP 000D0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetTextMetricsW 74FF7B8F 5 Bytes JMP 000D0E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetTextAlign 74FF7DAF 5 Bytes JMP 000D0D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!IntersectClipRect 74FF7DFE 5 Bytes JMP 000D03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!ExtTextOutW 74FF8192 5 Bytes JMP 000D0970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SetTextAlign 74FF828E 5 Bytes JMP 000D09F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetClipBox 74FF8525 5 Bytes JMP 000D0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!MoveToEx 74FF8C21 5 Bytes JMP 000D0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!StretchDIBits 74FFA53E 5 Bytes JMP 000D0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!RestoreDC 74FFA67B 5 Bytes JMP 000D0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SaveDC 74FFA74B 5 Bytes JMP 000D0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetTextExtentPoint32W 74FFB4B5 5 Bytes JMP 000D0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetTextFaceW 74FFB73A 2 Bytes JMP 000D0D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetTextFaceW + 3 74FFB73D 2 Bytes [0D, 8B] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetFontData 74FFBCC4 5 Bytes JMP 000D0C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SetWorldTransform 74FFC90A 5 Bytes JMP 000D06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!CreateDCA 74FFCCA9 5 Bytes JMP 000D00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!CreateDCW 74FFCF79 5 Bytes JMP 000D00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!CreateICW 74FFCFD0 5 Bytes JMP 000D0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetTextMetricsA 74FFD0F2 5 Bytes JMP 000D0DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!Rectangle 74FFF1FF 5 Bytes JMP 000D09B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!LineTo 74FFF59B 5 Bytes JMP 000D0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SetICMMode 74FFFAA4 5 Bytes JMP 000D0DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!ExtTextOutA 75000D20 5 Bytes JMP 000D0930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetTextExtentPoint32A 7500117F 5 Bytes JMP 000D0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!ExtEscape 75002D49 5 Bytes JMP 000D02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!Escape 75003400 5 Bytes JMP 000D0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!ResetDCW 75003A9B 5 Bytes JMP 000D0AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!EndPage 750040DA 5 Bytes JMP 000D0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SetPolyFillMode 750067E1 5 Bytes JMP 000D0B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SetMiterLimit 7500699D 5 Bytes JMP 000D0B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetTextFaceA 75010D22 5 Bytes JMP 000D0CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!GetGlyphOutlineW 7501C2DA 5 Bytes JMP 000D0CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!CreateScalableFontResourceW 7501E937 5 Bytes JMP 000D0BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!AddFontResourceW 7501ED33 5 Bytes JMP 000D0BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!RemoveFontResourceW 7501F229 5 Bytes JMP 000D0C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!AbortDoc 75024E29 5 Bytes JMP 000D0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!EndDoc 75025270 5 Bytes JMP 000D01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!StartPage 7502535B 5 Bytes JMP 000D0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!StartDocW 75025D76 5 Bytes JMP 000D07F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!BeginPath 7502651D 5 Bytes JMP 000D0830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!SelectClipPath 75026574 5 Bytes JMP 000D0AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!CloseFigure 750265CF 5 Bytes JMP 000D0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!EndPath 75026626 5 Bytes JMP 000D0A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!StrokePath 75026859 5 Bytes JMP 000D07B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!FillPath 750268E6 5 Bytes JMP 000D0870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!PolylineTo 75026D54 5 Bytes JMP 000D04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!PolyBezierTo 75026DE5 5 Bytes JMP 000D04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] GDI32.dll!PolyDraw 75026E97 5 Bytes JMP 000D08B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ole32.dll!OleSetClipboard 75530045 5 Bytes JMP 001F0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ole32.dll!OleIsCurrentClipboard 755336B2 5 Bytes JMP 001F0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[4952] ole32.dll!OleGetClipboard 7555FDCD 5 Bytes JMP 001F00B0 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo 1471412546 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30377556 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo 1471568547 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30377556 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3002535115-3819018214-1563540920-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo 1478900559 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3002535115-3819018214-1563540920-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30377556 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3002535115-3819018214-1563540920-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo 1479212560 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3002535115-3819018214-1563540920-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30377556 ---- EOF - GMER 2.1 ----