GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-06-21 14:00:17 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.01.0 232,89GB Running: 99dx2k74.exe; Driver: C:\Users\Kasia\AppData\Local\Temp\ugddqpod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x9253DAA0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x9253E57E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x9254A5C8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x9254A614] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x9254A7AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x9254A536] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8FD806D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x9254A57E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0x9253EAB4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x9254A768] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x9253F36C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x9253DB06] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x92542B40] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x9253D6F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8FD807B2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x9253DB6C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x92542F36] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x9253FE54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x9254A5F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x9254A636] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x9254A7D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x9254A55C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x9254243A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x9254A6E6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x9254A5A6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x92542822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x9254A78C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8FD80556] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x9253FCC8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0x9253F81E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x9253DBD2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x9253DC38] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8FD808AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x9253D78C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x9253D95E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x9253D8EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x9253F536] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x9253F698] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x9253D9E6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8FD80624] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x9253F1C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x9253DC9E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x9253E5DA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x9253ECD0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 830AE758 4 Bytes [A0, DA, 53, 92] .text ntkrnlpa.exe!KeSetEvent + 191 830AE7DC 4 Bytes [7E, E5, 53, 92] {JLE 0xffffffe7; PUSH EBX; XCHG EDX, EAX} .text ntkrnlpa.exe!KeSetEvent + 1D1 830AE81C 8 Bytes [C8, A5, 54, 92, 14, A6, 54, ...] {ENTER 0x54a5, 0x92; ADC AL, 0xa6; PUSH ESP; XCHG EDX, EAX} .text ntkrnlpa.exe!KeSetEvent + 1DD 830AE828 4 Bytes [AE, A7, 54, 92] {SCASB ; CMPSD ; PUSH ESP; XCHG EDX, EAX} .text ntkrnlpa.exe!KeSetEvent + 1F5 830AE840 4 Bytes [36, A5, 54, 92] {MOVS DWORD [ES:EDI], DWORD [SS:ESI]; PUSH ESP; XCHG EDX, EAX} .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 8323C00F 4 Bytes CALL 92540517 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 8323FC83 4 Bytes CALL 9254052D \SystemRoot\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8B555480, 0x3C939, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8B596900, 0x3CA, 0x48000040] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F201000, 0x1FB0FA, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\svchost.exe[156] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Windows\system32\csrss.exe[784] KERNEL32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Windows\system32\wininit.exe[844] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Windows\system32\csrss.exe[856] KERNEL32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Windows\system32\services.exe[888] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2036] kernel32.dll!SetUnhandledExceptionFilter 76BDA9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2036] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Windows\system32\WLANExt.exe[2044] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2060] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Windows\system32\svchost.exe[2124] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Windows\system32\svchost.exe[2180] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\avastui.exe[2368] kernel32.dll!SetUnhandledExceptionFilter 76BDA9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[2368] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2372] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Windows\system32\TODDSrv.exe[2404] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2444] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2460] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text ... .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtCreateFile + 6 77D1426A 4 Bytes [28, 50, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtCreateFile + B 77D1426F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtCreateKey + 6 77D142AA 4 Bytes [68, 51, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtCreateKey + B 77D142AF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtCreateMutant + 6 77D142DA 4 Bytes [28, 52, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtCreateMutant + B 77D142DF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtCreateSection + 6 77D1435A 4 Bytes [68, 52, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtCreateSection + B 77D1435F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtMapViewOfSection + 6 77D149BA 4 Bytes [A8, 54, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtMapViewOfSection + B 77D149BF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenFile + 6 77D14A4A 4 Bytes [68, 50, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenFile + B 77D14A4F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenKey + 6 77D14A7A 4 Bytes [A8, 51, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenKey + B 77D14A7F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenMutant + 6 77D14A9A 4 Bytes CALL 76D150F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenMutant + B 77D14A9F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenProcess + 6 77D14ACA 4 Bytes [28, 53, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenProcess + B 77D14ACF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenProcessToken + 6 77D14ADA 4 Bytes [68, 53, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenProcessToken + B 77D14ADF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenProcessTokenEx + 6 77D14AEA 4 Bytes [28, 54, 06, 00] {SUB [ESI+EAX+0x0], DL} .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenProcessTokenEx + B 77D14AEF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenSection + 6 77D14AFA 4 Bytes [A8, 52, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenSection + B 77D14AFF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenThread + 6 77D14B3A 4 Bytes CALL 76D15191 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenThread + B 77D14B3F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenThreadToken + 6 77D14B4A 4 Bytes CALL 76D151A2 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenThreadToken + B 77D14B4F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenThreadTokenEx + 6 77D14B5A 4 Bytes [68, 54, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtOpenThreadTokenEx + B 77D14B5F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtQueryAttributesFile + 6 77D14BEA 4 Bytes [A8, 50, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtQueryAttributesFile + B 77D14BEF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtQueryFullAttributesFile + 6 77D14C9A 4 Bytes CALL 76D152EF .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtQueryFullAttributesFile + B 77D14C9F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtSetInformationFile + 6 77D1517A 4 Bytes [28, 51, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtSetInformationFile + B 77D1517F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtSetInformationThread + 6 77D151CA 4 Bytes [A8, 53, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtSetInformationThread + B 77D151CF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtUnmapViewOfSection + 6 77D1546A 4 Bytes CALL 76D15AC3 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ntdll.dll!NtUnmapViewOfSection + B 77D1546F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] kernel32.dll!CreateProcessW 76BB1BF3 5 Bytes JMP 000800B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] kernel32.dll!CreateProcessA 76BB1C28 5 Bytes JMP 000800F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] kernel32.dll!OpenEventW 76BCC033 5 Bytes JMP 00080070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] kernel32.dll!CreateEventW 76BFB93E 5 Bytes JMP 00080030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!DeleteObject 76365A37 5 Bytes JMP 000B01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetDeviceCaps 7636617F 5 Bytes JMP 000B03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SelectObject 763662A0 5 Bytes JMP 000B05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SetTextColor 7636666B 5 Bytes JMP 000B0A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SetBkMode 76366716 5 Bytes JMP 000B08F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!DeleteDC 763668CD 5 Bytes JMP 000B0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetCurrentObject 76366B58 5 Bytes JMP 000B0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SetStretchBltMode 76367206 5 Bytes JMP 000B06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SaveDC 763675BA 5 Bytes JMP 000B0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!RestoreDC 76367675 5 Bytes JMP 000B0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!StretchDIBits 763678CF 5 Bytes JMP 000B0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!ExtSelectClipRgn 763679F8 5 Bytes JMP 000B02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SelectClipRgn 76367AF9 5 Bytes JMP 000B05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!MoveToEx 76367C33 5 Bytes JMP 000B0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!Rectangle 76367EA9 5 Bytes JMP 000B09B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetTextAlign 763682E0 5 Bytes JMP 000B0D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SetTextAlign 763685CB 5 Bytes JMP 000B09F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!ExtTextOutW 7636872B 5 Bytes JMP 000B0970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetTextMetricsW 76368A81 5 Bytes JMP 000B0E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!IntersectClipRect 76368B64 5 Bytes JMP 000B03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetClipBox 76369071 5 Bytes JMP 000B0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SetICMMode 763694E7 5 Bytes JMP 000B0DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!CreateDCW 7636A91D 5 Bytes JMP 000B00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!CreateDCA 7636AA49 5 Bytes JMP 000B00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!CreateICW 7636B2E9 5 Bytes JMP 000B0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetTextFaceW 7636B637 5 Bytes JMP 000B0D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetFontData 7636BA6C 1 Byte [E9] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetFontData 7636BA6C 5 Bytes JMP 000B0C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetTextExtentPoint32W 7636C01A 5 Bytes JMP 000B0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SetWorldTransform 7636C46A 5 Bytes JMP 000B06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!LineTo 7636C65E 5 Bytes JMP 000B0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetTextMetricsA 7636CCEB 5 Bytes JMP 000B0DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!ExtTextOutA 763700A5 5 Bytes JMP 000B0930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetTextExtentPoint32A 76370E58 5 Bytes JMP 000B0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!ExtEscape 763722A7 5 Bytes JMP 000B02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!Escape 763727F1 5 Bytes JMP 000B0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!ResetDCW 76373132 5 Bytes JMP 000B0AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!EndPage 7637375E 5 Bytes JMP 000B0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SetPolyFillMode 763761D3 5 Bytes JMP 000B0B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SetMiterLimit 763762E2 5 Bytes JMP 000B0B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetTextFaceA 7637F489 5 Bytes JMP 000B0CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!GetGlyphOutlineW 7638A537 5 Bytes JMP 000B0CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!CreateScalableFontResourceW 7638C993 5 Bytes JMP 000B0BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!AddFontResourceW 7638CD9B 5 Bytes JMP 000B0BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!RemoveFontResourceW 7638D231 5 Bytes JMP 000B0C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!AbortDoc 76392E7F 5 Bytes JMP 000B0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!EndDoc 76393293 5 Bytes JMP 000B01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!StartPage 7639337E 5 Bytes JMP 000B0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!StartDocW 76393E62 5 Bytes JMP 000B07F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!BeginPath 7639461D 5 Bytes JMP 000B0830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!SelectClipPath 76394674 5 Bytes JMP 000B0AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!CloseFigure 763946CF 5 Bytes JMP 000B0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!EndPath 76394726 5 Bytes JMP 000B0A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!StrokePath 76394958 5 Bytes JMP 000B07B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!FillPath 763949E4 5 Bytes JMP 000B0870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!PolylineTo 76394E4D 5 Bytes JMP 000B04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!PolyBezierTo 76394EDD 5 Bytes JMP 000B04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] GDI32.dll!PolyDraw 76394F8E 5 Bytes JMP 000B08B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!SetCursor 765DD37D 5 Bytes JMP 000C0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!RegisterClipboardFormatW 765DD6AC 1 Byte [E9] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!RegisterClipboardFormatW 765DD6AC 5 Bytes JMP 000C02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!ActivateKeyboardLayout 765E478C 5 Bytes JMP 000C04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!IsWindowVisible 765E878A 7 Bytes JMP 000C06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!MonitorFromWindow 765E88D4 4 Bytes JMP 000C0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!MonitorFromWindow + 5 765E88D9 2 Bytes [CC, CC] {INT 3 ; INT 3 } .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!ScreenToClient 765E8C56 7 Bytes JMP 000C0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!GetClientRect 765E8F0D 7 Bytes JMP 000C05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!GetParent 765E90AA 7 Bytes JMP 000C06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!RegisterClipboardFormatA 765EA111 5 Bytes JMP 000C02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!PostMessageW 765EA175 5 Bytes JMP 000C05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!MapWindowPoints 765EA30D 5 Bytes JMP 000C0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!GetClipboardFormatNameA 765EA552 5 Bytes JMP 000C0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!GetOpenClipboardWindow 765F26A6 5 Bytes JMP 000C03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!SetClipboardViewer 765FBA2D 5 Bytes JMP 000C04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!IsClipboardFormatAvailable 765FC2E3 5 Bytes JMP 000C00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!CloseClipboard 765FC2F7 5 Bytes JMP 000C00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!OpenClipboard 765FC31D 5 Bytes JMP 000C0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!GetTopWindow 765FCE0A 7 Bytes JMP 000C0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!GetClipboardSequenceNumber 765FD8B7 5 Bytes JMP 000C0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!ChangeClipboardChain 765FDF83 5 Bytes JMP 000C0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!CountClipboardFormats 76600048 5 Bytes JMP 000C01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!GetClipboardOwner 766026EF 5 Bytes JMP 000C0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!SetClipboardData 76616410 5 Bytes JMP 000C0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!EnumClipboardFormats 76616D16 5 Bytes JMP 000C01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!SetCursorPos 76616FB2 5 Bytes JMP 000C0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!GetClipboardData 7661715A 5 Bytes JMP 000C0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!GetClipboardFormatNameW 7661A99F 5 Bytes JMP 000C0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!EmptyClipboard 7663398B 5 Bytes JMP 000C0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!GetClipboardViewer 766339ED 5 Bytes JMP 000C0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] USER32.dll!GetPriorityClipboardFormat 76633AEF 5 Bytes JMP 000C03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ole32.dll!OleGetClipboard 764F74C9 5 Bytes JMP 000D00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ole32.dll!OleSetClipboard 765211E3 5 Bytes JMP 000D0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] ole32.dll!OleIsCurrentClipboard 7652A8F9 5 Bytes JMP 000D0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] Secur32.dll!FreeContextBuffer 76202D83 5 Bytes JMP 000F00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] Secur32.dll!DeleteSecurityContext 76202F18 5 Bytes JMP 000F0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] Secur32.dll!FreeCredentialsHandle 76203598 5 Bytes JMP 000F0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] Secur32.dll!EncryptMessage 76203745 5 Bytes JMP 000F01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] Secur32.dll!DecryptMessage 76203813 5 Bytes JMP 000F0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] Secur32.dll!InitializeSecurityContextA 762087DF 5 Bytes JMP 000F0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] Secur32.dll!AcquireCredentialsHandleA 76208A43 5 Bytes JMP 000F0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] Secur32.dll!QueryContextAttributesA 76208E77 5 Bytes JMP 000F0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] Secur32.dll!ApplyControlToken 7620DE4F 5 Bytes JMP 000F01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[3648] Secur32.dll!QueryCredentialsAttributesA 7620E052 5 Bytes JMP 000F00B0 .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3736] KERNEL32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe[3764] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[3768] ntdll.dll!LdrUnloadDll 77CEB680 5 Bytes JMP 000603FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3768] KERNEL32.dll!HeapSetInformation + 26 76BDA9B8 2 Bytes JMP 5DAD3A32 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3768] KERNEL32.dll!HeapSetInformation + 29 76BDA9BB 4 Bytes [EF, E6, EB, F9] {OUT DX, EAX; OUT 0xeb, AL; STC } .text C:\Program Files\Mozilla Firefox\firefox.exe[3768] KERNEL32.dll!LockResource + C 76BF6BD3 7 Bytes JMP 5E4584D6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3768] KERNEL32.dll!VirtualAllocEx + 54 76BFB030 7 Bytes JMP 5E4584F9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3768] KERNEL32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[3768] GDI32.dll!SetStretchBltMode + 256 7636745C 7 Bytes JMP 5E458457 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\system32\wbem\wmiprvse.exe[3980] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Windows\explorer.exe[5276] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Users\Kasia\Desktop\99dx2k74.exe[5364] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5444] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5444] USER32.dll!InSendMessageEx + 4C9 765DE7C8 7 Bytes JMP 5DD09931 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5444] USER32.dll!CreateWindowExW + AA 765E13AF 7 Bytes JMP 5DD099A2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5444] USER32.dll!GetWindowInfo 765E428E 5 Bytes JMP 5DD0D777 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5444] USER32.dll!SetMenuItemBitmaps + 71 765F14EE 7 Bytes JMP 5DD070E4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe[5940] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] .text C:\Windows\system32\taskeng.exe[8068] kernel32.dll!GetBinaryTypeW + 70 76C0252F 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[888] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 001A0002 IAT C:\Windows\system32\services.exe[888] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 001A0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp aswTdi.sys AttachedDevice \Driver\tdx \Device\Udp aswTdi.sys ---- EOF - GMER 2.1 ----