GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-28 17:50:08
Windows 6.1.7600
Running: v0uvx82l.exe; Driver: H:\Users\Patryk\AppData\Local\Temp\awwdipoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 83C92589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83CB7092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text H:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92401000, 0x341E0C, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text H:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1336] kernel32.dll!SetUnhandledExceptionFilter 763F3162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text H:\Windows\system32\Dwm.exe[1664] kernel32.dll!CreateProcessW 763A202D 5 Bytes JMP 1003D20C H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] kernel32.dll!GetQueuedCompletionStatus 763D6C94 5 Bytes JMP 10040406 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] ole32.dll!CoGetClassObject 755DA394 5 Bytes JMP 10034CD2 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!sendto 75E83AED 5 Bytes JMP 100408DD H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!closesocket 75E83BED 5 Bytes JMP 1003EF54 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!WSARecvFrom 75E8418D 5 Bytes JMP 1004216B H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!recv 75E847DF 5 Bytes JMP 1003FE4D H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!connect 75E848BE 5 Bytes JMP 1003EAA2 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!WSASend 75E868A7 5 Bytes JMP 1003FA24 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!WSAConnect 75E8BB9B 5 Bytes JMP 1003EDDD H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!recvfrom 75E8BF39 5 Bytes JMP 1004062F H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!WSARecv 75E8C29F 5 Bytes JMP 10041E6D H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!send 75E8C4C8 5 Bytes JMP 1003F506 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!WSAGetOverlappedResult 75E8E860 5 Bytes JMP 100400E8 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WS2_32.dll!WSASendTo 75E9ADC4 5 Bytes JMP 10040E36 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\Dwm.exe[1664] WININET.dll!UnlockUrlCacheEntryFile 75DA5CDC 5 Bytes JMP 10042853 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] kernel32.dll!CreateProcessW 763A202D 5 Bytes JMP 1003D20C H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] kernel32.dll!GetQueuedCompletionStatus 763D6C94 5 Bytes JMP 10040406 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] ole32.dll!CoGetClassObject 755DA394 5 Bytes JMP 10034CD2 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WININET.dll!UnlockUrlCacheEntryFile 75DA5CDC 5 Bytes JMP 10042853 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!sendto 75E83AED 5 Bytes JMP 100408DD H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!closesocket 75E83BED 5 Bytes JMP 1003EF54 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!WSARecvFrom 75E8418D 5 Bytes JMP 1004216B H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!recv 75E847DF 5 Bytes JMP 1003FE4D H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!connect 75E848BE 5 Bytes JMP 1003EAA2 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!WSASend 75E868A7 5 Bytes JMP 1003FA24 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!WSAConnect 75E8BB9B 5 Bytes JMP 1003EDDD H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!recvfrom 75E8BF39 5 Bytes JMP 1004062F H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!WSARecv 75E8C29F 5 Bytes JMP 10041E6D H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!send 75E8C4C8 5 Bytes JMP 1003F506 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!WSAGetOverlappedResult 75E8E860 5 Bytes JMP 100400E8 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\Explorer.EXE[1692] WS2_32.dll!WSASendTo 75E9ADC4 5 Bytes JMP 10040E36 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] kernel32.dll!CreateProcessW 763A202D 5 Bytes JMP 1003D20C H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] kernel32.dll!GetQueuedCompletionStatus 763D6C94 5 Bytes JMP 10040406 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!sendto 75E83AED 5 Bytes JMP 100408DD H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!closesocket 75E83BED 5 Bytes JMP 1003EF54 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!WSARecvFrom 75E8418D 5 Bytes JMP 1004216B H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!recv 75E847DF 5 Bytes JMP 1003FE4D H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!connect 75E848BE 5 Bytes JMP 1003EAA2 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!WSASend 75E868A7 5 Bytes JMP 1003FA24 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!WSAConnect 75E8BB9B 5 Bytes JMP 1003EDDD H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!recvfrom 75E8BF39 5 Bytes JMP 1004062F H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!WSARecv 75E8C29F 5 Bytes JMP 10041E6D H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!send 75E8C4C8 5 Bytes JMP 1003F506 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!WSAGetOverlappedResult 75E8E860 5 Bytes JMP 100400E8 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WS2_32.dll!WSASendTo 75E9ADC4 5 Bytes JMP 10040E36 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] ole32.dll!CoGetClassObject 755DA394 5 Bytes JMP 10034CD2 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Program Files\Alwil Software\Avast5\AvastUI.exe[1852] WININET.dll!UnlockUrlCacheEntryFile 75DA5CDC 5 Bytes JMP 10042853 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] kernel32.dll!CreateProcessW 763A202D 5 Bytes JMP 1003D20C H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] kernel32.dll!GetQueuedCompletionStatus 763D6C94 5 Bytes JMP 10040406 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] ole32.dll!CoGetClassObject 755DA394 5 Bytes JMP 10034CD2 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!sendto 75E83AED 5 Bytes JMP 100408DD H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!closesocket 75E83BED 5 Bytes JMP 1003EF54 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!WSARecvFrom 75E8418D 5 Bytes JMP 1004216B H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!recv 75E847DF 5 Bytes JMP 1003FE4D H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!connect 75E848BE 5 Bytes JMP 1003EAA2 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!WSASend 75E868A7 5 Bytes JMP 1003FA24 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!WSAConnect 75E8BB9B 5 Bytes JMP 1003EDDD H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!recvfrom 75E8BF39 5 Bytes JMP 1004062F H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!WSARecv 75E8C29F 5 Bytes JMP 10041E6D H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!send 75E8C4C8 5 Bytes JMP 1003F506 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!WSAGetOverlappedResult 75E8E860 5 Bytes JMP 100400E8 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WS2_32.dll!WSASendTo 75E9ADC4 5 Bytes JMP 10040E36 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\system32\wbem\unsecapp.exe[3716] WININET.dll!UnlockUrlCacheEntryFile 75DA5CDC 5 Bytes JMP 10042853 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] kernel32.dll!CreateProcessW 763A202D 5 Bytes JMP 1003D20C H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] kernel32.dll!GetQueuedCompletionStatus 763D6C94 5 Bytes JMP 10040406 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] ole32.dll!CoGetClassObject 755DA394 5 Bytes JMP 10034CD2 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!sendto 75E83AED 5 Bytes JMP 100408DD H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!closesocket 75E83BED 5 Bytes JMP 1003EF54 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!WSARecvFrom 75E8418D 5 Bytes JMP 1004216B H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!recv 75E847DF 5 Bytes JMP 1003FE4D H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!connect 75E848BE 5 Bytes JMP 1003EAA2 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!WSASend 75E868A7 5 Bytes JMP 1003FA24 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!WSAConnect 75E8BB9B 5 Bytes JMP 1003EDDD H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!recvfrom 75E8BF39 5 Bytes JMP 1004062F H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!WSARecv 75E8C29F 5 Bytes JMP 10041E6D H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!send 75E8C4C8 5 Bytes JMP 1003F506 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!WSAGetOverlappedResult 75E8E860 5 Bytes JMP 100400E8 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WS2_32.dll!WSASendTo 75E9ADC4 5 Bytes JMP 10040E36 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)
.text H:\Windows\explorer.exe[5868] WININET.dll!UnlockUrlCacheEntryFile 75DA5CDC 5 Bytes JMP 10042853 H:\Program Files\RelevantKnowledge\rlls.dll (RelevantKnowledge/TMRG, Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73EA2494] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73E85624] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73E856E2] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73EA250F] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73E98573] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73E94D27] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73E950CE] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73E951A3] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73E966D0] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73E982CA] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73E98819] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73E9907A] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73E9E21D] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1692] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73E94C59] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [73EA2494] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [73E85624] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [73E856E2] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipFree] [73EA250F] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73E98573] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [73E94D27] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73E950CE] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [73E951A3] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73E966D0] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73E982CA] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73E98819] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73E9907A] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73E9E21D] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\explorer.exe[5868] @ H:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [73E94C59] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000060 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 H:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x06 0xA2 0xE3 0x9B ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x59 0x0A 0x33 0xE4 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBE 0x56 0x00 0x71 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x06 0xA2 0xE3 0x9B ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x06 0xA2 0xE3 0x9B ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@H:\Program Files\Electronic Arts\Battlefield Bad Company™ 2\BFBC2Updater.exe 1

---- EOF - GMER 1.0.15 ----