GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-31 13:47:04
Windows 6.1.7600 x64  \Device\Harddisk0\DR0 -> \Device\00000088 ST932032 rev.0002 298,09GB
Running: 6emhrni1.exe; Driver: C:\Users\Kamil\AppData\Local\Temp\awrdykob.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\USER32.dll!GetMenu + 388  0000000076595835 7 bytes JMP 000000011003ac50
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW + 104  0000000076599662 7 bytes JMP 000000011003abc0
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\USER32.dll!SendMessageA + 81  00000000765aef45 7 bytes JMP 000000011003b000
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA + 199  00000000765dfe28 7 bytes JMP 000000011003af50
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW + 52  00000000765dfe61 7 bytes JMP 000000011003adf0
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\USER32.dll!MessageBoxExA + 31  00000000765dfe85 7 bytes JMP 000000011003af00
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000077101401 2 bytes JMP 7513eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000077101419 2 bytes JMP 7514b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000077101431 2 bytes JMP 751c8609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007710144a 2 bytes CALL 75121dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000771014dd 2 bytes JMP 751c7efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000771014f5 2 bytes JMP 751c80d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007710150d 2 bytes JMP 751c7df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000077101525 2 bytes JMP 751c81c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007710153d 2 bytes JMP 7513f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000077101555 2 bytes JMP 7514b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007710156d 2 bytes JMP 751c86c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000077101585 2 bytes JMP 751c8222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007710159d 2 bytes JMP 751c7db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000771015b5 2 bytes JMP 7513f121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000771015cd 2 bytes JMP 7514b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000771016b2 2 bytes JMP 751c8584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000771016bd 2 bytes JMP 751c7d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000077101401 2 bytes JMP 7513eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000077101419 2 bytes JMP 7514b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000077101431 2 bytes JMP 751c8609 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007710144a 2 bytes CALL 75121dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000771014dd 2 bytes JMP 751c7efe C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000771014f5 2 bytes JMP 751c80d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007710150d 2 bytes JMP 751c7df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000077101525 2 bytes JMP 751c81c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007710153d 2 bytes JMP 7513f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000077101555 2 bytes JMP 7514b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007710156d 2 bytes JMP 751c86c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000077101585 2 bytes JMP 751c8222 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007710159d 2 bytes JMP 751c7db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000771015b5 2 bytes JMP 7513f121 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000771015cd 2 bytes JMP 7514b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000771016b2 2 bytes JMP 751c8584 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1192]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000771016bd 2 bytes JMP 751c7d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000076588b9a 5 bytes JMP 0000000171807aa7
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW  00000000765a2a3e 5 bytes JMP 00000001719558ab
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\USER32.dll!DialogBoxParamW  00000000765a2a62 5 bytes JMP 000000017172490b
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\USER32.dll!DialogBoxParamA  00000000765ccc1a 5 bytes JMP 0000000171955848
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA  00000000765ccf72 5 bytes JMP 000000017195590e
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA  00000000765dfd61 5 bytes JMP 00000001719557dd
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW  00000000765dfe2d 5 bytes JMP 0000000171955772
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\USER32.dll!MessageBoxExA  00000000765dfe66 5 bytes JMP 0000000171955710
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\USER32.dll!MessageBoxExW  00000000765dfe8a 5 bytes JMP 00000001719556ae
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\ole32.dll!OleLoadFromStream  0000000076835b88 5 bytes JMP 0000000171955b74
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect  0000000076cb9474 5 bytes JMP 0000000171956126
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000077101401 2 bytes JMP 7513eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000077101419 2 bytes JMP 7514b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000077101431 2 bytes JMP 751c8609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007710144a 2 bytes CALL 75121dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000771014dd 2 bytes JMP 751c7efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000771014f5 2 bytes JMP 751c80d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007710150d 2 bytes JMP 751c7df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000077101525 2 bytes JMP 751c81c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007710153d 2 bytes JMP 7513f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000077101555 2 bytes JMP 7514b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007710156d 2 bytes JMP 751c86c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000077101585 2 bytes JMP 751c8222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007710159d 2 bytes JMP 751c7db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000771015b5 2 bytes JMP 7513f121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000771015cd 2 bytes JMP 7514b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000771016b2 2 bytes JMP 751c8584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000771016bd 2 bytes JMP 751c7d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16400_none_4209f94e2b866170\comctl32.dll!PropertySheetW  0000000073277c30 5 bytes JMP 00000001719568f8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16400_none_4209f94e2b866170\comctl32.dll!PropertySheet  0000000073317bb2 5 bytes JMP 0000000171956999
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\ws2_32.DLL!recv  0000000076be47df 6 bytes JMP 71610f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\ws2_32.DLL!WSALookupServiceNextW  0000000076be4c59 6 bytes JMP 716a0f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\ws2_32.DLL!WSALookupServiceEnd  0000000076be5198 6 bytes JMP 71670f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\ws2_32.DLL!WSALookupServiceBeginW  0000000076be561a 6 bytes JMP 71700f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\ws2_32.DLL!WSASend  0000000076be68a7 6 bytes JMP 715e0f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\ws2_32.DLL!WSARecv  0000000076bec29f 6 bytes JMP 715b0f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\ws2_32.DLL!send  0000000076bec4c8 6 bytes JMP 71640f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\ws2_32.DLL!WSAGetOverlappedResult  0000000076bee860 6 bytes JMP 71580f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372]  C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW  0000000076b49a4c 5 bytes JMP 0000000171956258
?      C:\Windows\System32\NLSData0000.dll [3372]  entry point in ".rdata" section 000000006bc4c541
?      C:\Windows\system32\mssprxy.dll [3372]  entry point in ".rdata" section 000000006ce171e6
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000076588b9a 5 bytes JMP 0000000171807aa7
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!SetWindowsHookExW  00000000765a06b3 5 bytes JMP 00000001717b4243
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW  00000000765a2a3e 5 bytes JMP 00000001719558ab
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!DialogBoxParamW  00000000765a2a62 5 bytes JMP 000000017172490b
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!CallNextHookEx  00000000765af006 5 bytes JMP 00000001717f94ec
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx  00000000765b0efc 5 bytes JMP 0000000171817e18
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!DialogBoxParamA  00000000765ccc1a 5 bytes JMP 0000000171955848
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA  00000000765ccf72 5 bytes JMP 000000017195590e
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA  00000000765dfd61 5 bytes JMP 00000001719557dd
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW  00000000765dfe2d 5 bytes JMP 0000000171955772
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!MessageBoxExA  00000000765dfe66 5 bytes JMP 0000000171955710
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\USER32.dll!MessageBoxExW  00000000765dfe8a 5 bytes JMP 00000001719556ae
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\ole32.dll!OleLoadFromStream  0000000076835b88 5 bytes JMP 0000000171955b74
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\ole32.dll!CoCreateInstance  00000000768857fc 5 bytes JMP 0000000171808595
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect  0000000076cb9474 5 bytes JMP 0000000171956126
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000077101401 2 bytes JMP 7513eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000077101419 2 bytes JMP 7514b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000077101431 2 bytes JMP 751c8609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007710144a 2 bytes CALL 75121dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000771014dd 2 bytes JMP 751c7efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000771014f5 2 bytes JMP 751c80d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007710150d 2 bytes JMP 751c7df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000077101525 2 bytes JMP 751c81c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007710153d 2 bytes JMP 7513f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000077101555 2 bytes JMP 7514b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007710156d 2 bytes JMP 751c86c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000077101585 2 bytes JMP 751c8222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007710159d 2 bytes JMP 751c7db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000771015b5 2 bytes JMP 7513f121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000771015cd 2 bytes JMP 7514b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000771016b2 2 bytes JMP 751c8584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000771016bd 2 bytes JMP 751c7d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16400_none_4209f94e2b866170\comctl32.dll!PropertySheetW  0000000073277c30 5 bytes JMP 00000001719568f8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16400_none_4209f94e2b866170\comctl32.dll!PropertySheet  0000000073317bb2 5 bytes JMP 0000000171956999
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW  0000000076b49a4c 5 bytes JMP 0000000171956258
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\WS2_32.dll!recv  0000000076be47df 6 bytes JMP 71610f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\WS2_32.dll!WSALookupServiceNextW  0000000076be4c59 6 bytes JMP 716a0f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\WS2_32.dll!WSALookupServiceEnd  0000000076be5198 6 bytes JMP 71670f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW  0000000076be561a 6 bytes JMP 71700f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\WS2_32.dll!WSASend  0000000076be68a7 6 bytes JMP 715e0f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\WS2_32.dll!WSARecv  0000000076bec29f 6 bytes JMP 715b0f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\WS2_32.dll!send  0000000076bec4c8 6 bytes JMP 71640f5a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240]  C:\Windows\syswow64\WS2_32.dll!WSAGetOverlappedResult  0000000076bee860 6 bytes JMP 71580f5a

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\winlogon.exe[424] @ C:\Windows\system32\UxTheme.dll[KERNEL32.dll!ReadFile]  [7fefa982840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\winlogon.exe[424] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress]  [7fefa982960] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\winlogon.exe[424] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!ReadFile]  [7fefa982840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1092] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress]  [7fefa982960] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1092] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile]  [7fefa982840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1092] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress]  [7fefa982960] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1092] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile]  [7fefa982840] c:\windows\system32\uxtuneup.dll

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\Panda Security URL Filtering\panda_url_filtering.dll (*** suspicious ***) @ C:\Program Files\ASUS\Net4Switch\Net4Switch.exe [2252] (Anti-phishing Domain Advisor (Powered by Panda Security)/Visicom Media Inc.)(2013-09-26 13:22:52)  0000000004610000
Library  C:\ProgramData\Panda Security URL Filtering\panda_url_filtering.dll (*** suspicious ***) @ C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe [3068] (Anti-phishing Domain Advisor (Powered by Panda Security)/Visicom Media Inc.)(2013-09-26 13:22:52)  00000000039a0000
Process  C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe (*** suspicious ***) @ C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe [3088] (Anti-phishing Domain Advisor (Powered by Panda Security)/Visicom Media Inc.)(2013-09-26 13:22:52)  0000000000f70000
Library  C:\ProgramData\Panda Security URL Filtering\panda_url_filtering.dll (*** suspicious ***) @ C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe [3088] (Anti-phishing Domain Advisor (Powered by Panda Security)/Visicom Media Inc.)(2013-09-26 13:22:52)  0000000010000000
Library  C:\ProgramData\Panda Security URL Filtering\panda_url_filtering.dll (*** suspicious ***) @ C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe [3956] (Anti-phishing Domain Advisor (Powered by Panda Security)/Visicom Media Inc.)(2013-09-26 13:22:52)  0000000000240000
Library  C:\ProgramData\Panda Security URL Filtering\panda_url_filtering.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [3372] (Anti-phishing Domain Advisor (Powered by Panda Security)/Visicom Media Inc.)(2013-09-26 13:22:52)  0000000010000000
Library  C:\ProgramData\Panda Security URL Filtering\panda_url_filtering.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [4240] (Anti-phishing Domain Advisor (Powered by Panda Security)/Visicom Media Inc.)(2013-09-26 13:22:52)  0000000010000000
Library  C:\Users\Kamil\AppData\Roaming\Nowe Gadu-Gadu\_userdata\ggbho.1.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [4240] (Gadu-Gadu Plug-in/GG Network S.A.)(2009-10-28 12:44:12)  0000000002780000
Process  \\?\C:\Windows\system32\wbem\WMIADAP.EXE (*** suspicious ***) @ \\?\C:\Windows\system32\wbem\WMIADAP.EXE [6964] (WMI Reverse Performance Adapter Maintenance Utility/Microsoft Corporation)(2009-07-13 23:47:22)  00000000ffd90000
Library  C:\ProgramData\Panda Security URL Filtering\panda_url_filtering.dll (*** suspicious ***) @ C:\Users\Kamil\Desktop\6emhrni1.exe [6272] (Anti-phishing Domain Advisor (Powered by Panda Security)/Visicom Media Inc.)(2013-09-26 13:22:52)  0000000010000000

---- Files - GMER 2.1 ----

File  C:\ADSM_PData_0150  0 bytes
File  C:\ADSM_PData_0150\DB  0 bytes
File  C:\ADSM_PData_0150\DB\SI.db  624 bytes
File  C:\ADSM_PData_0150\DB\UL.db  16 bytes
File  C:\ADSM_PData_0150\DB\VL.db  16 bytes
File  C:\ADSM_PData_0150\DB\WAL.db  2048 bytes
File  C:\ADSM_PData_0150\DragWait.exe  315392 bytes executable
File  C:\ADSM_PData_0150\_avt  512 bytes

---- EOF - GMER 2.1 ----
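The "User code sections" block above is one long list of inline hooks across four processes, which is hard to read by eye. The script below is an added example (not GMER's code and not from the poster) that parses entries in the layout GMER prints, groups them per process and buckets each hook so the list can be triaged. The sample lines are copied from the log above and embedded as constructed input; the classification rules are this example's own heuristics, and in particular the rule that treats a 2-byte JMP or CALL from PSAPI.DLL into kernel32.dll as an expected forwarder stub is an assumption (it matches the Windows 7 x64 layout for 32-bit processes, but confirm on the host that the target really is the system kernel32.dll before dismissing it).

```python
"""Triage GMER 2.1 'User code sections' entries per process.

Line layout handled:
  .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> bytes JMP|CALL <target> [<target module>]
GMER's '.text ... * 9' continuation lines carry no hook and are counted as skipped.
"""
import re
from collections import Counter

# Constructed sample: entries copied from the GMER log above plus one continuation line.
SAMPLE_LOG = r"""
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068] C:\Windows\syswow64\USER32.dll!GetMenu + 388 0000000076595835 7 bytes JMP 000000011003ac50
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077101401 2 bytes JMP 7513eb26 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\AsScrPro.exe[1192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007710144a 2 bytes CALL 75121dfa C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3372] C:\Windows\syswow64\ws2_32.DLL!recv 0000000076be47df 6 bytes JMP 71610f5a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765a06b3 5 bytes JMP 00000001717b4243
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4240] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000768857fc 5 bytes JMP 0000000171808595
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<func>\S+?)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<nbytes>\d+) bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)(?:\s+(?P<target_module>\S+))?\s*$"
)

# Heuristic buckets (this example's assumptions, not GMER's verdicts).
NETWORK_MODULES = {"ws2_32.dll"}
HOOK_CHAIN_FUNCS = {"SetWindowsHookExW", "SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx"}


def _basename(path):
    return path.rsplit("\\", 1)[-1] if path else ""


def parse_hook(line):
    """Return a dict for one .text hook entry, or None for any other line."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    h = m.groupdict()
    h["pid"] = int(h["pid"])
    h["nbytes"] = int(h["nbytes"])
    h["offset"] = int(h["offset"]) if h["offset"] is not None else None
    return h


def classify(h):
    module = _basename(h["module"]).lower()
    target_module = _basename(h["target_module"]).lower()
    # Assumption: on Windows 7 x64 the 32-bit PSAPI.DLL exports are short stubs that
    # jump into kernel32.dll, so a 2-byte patch landing there is the normal layout.
    if module == "psapi.dll" and h["nbytes"] == 2 and target_module == "kernel32.dll":
        return "psapi-forwarder"
    if module in NETWORK_MODULES:
        return "network-io"          # send/recv path: whoever owns the target sees traffic
    if h["func"] in HOOK_CHAIN_FUNCS:
        return "hook-chain"          # the hooking API itself is hooked
    if module == "user32.dll":
        return "ui"                  # dialog/message-box interception
    return "other"


def triage(log_text):
    """Group hooks by (process, pid); list every non-forwarder hook for manual attribution."""
    report, skipped = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        h = parse_hook(line)
        if h is None:
            skipped += 1
            continue
        entry = report.setdefault((h["process"], h["pid"]), {"counts": Counter(), "review": []})
        bucket = classify(h)
        entry["counts"][bucket] += 1
        if bucket != "psapi-forwarder":
            off = f"+{h['offset']}" if h["offset"] is not None else ""
            tgt = h["target"] + (f" ({_basename(h['target_module'])})" if h["target_module"] else "")
            entry["review"].append(f"{_basename(h['module'])}!{h['func']}{off} -> {tgt}")
    return report, skipped


if __name__ == "__main__":
    report, skipped = triage(SAMPLE_LOG)
    for (proc, pid), entry in report.items():
        print(f"{_basename(proc)}[{pid}]  {dict(entry['counts'])}")
        for item in entry["review"]:
            print("    review:", item)
    print("skipped lines:", skipped)
```

Everything that is not a PSAPI forwarder ends up in the review list with its raw target address; the next step on the host is to map those addresses to loaded modules (a process-memory listing for that PID) rather than judging the hook from the GMER line alone, since GMER prints a module name only for some targets.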