GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-18 00:21:28 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502HI rev.1AG01118 465,76GB Running: r58d40tw.exe; Driver: C:\Users\Bartek\AppData\Local\Temp\kwrdipob.sys ---- System - GMER 2.1 ---- INT 0x51 ? C416BCD8 INT 0x52 ? C3B5CA58 INT 0x62 ? C3B5CCD8 INT 0x71 ? C3B5C058 INT 0x72 ? C2E872D8 INT 0x82 ? C2E877D8 INT 0x92 ? C2E87A58 INT 0xA2 ? C2E87558 INT 0xB1 ? C2E87CD8 INT 0xB2 ? C2E87058 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD E3081579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 E30A5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .vmp2 C:\Windows\system32\drivers\acedrv11.sys entry point in ".vmp2" section [0xD656469D] .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xD6569300, 0x3B6D8, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xD65BA300, 0x1BEE, 0xE8000020] ? C:\Program Files\IObit\IObit Malware Fighter\drivers\win7_x86\regfilter.sys System nie może odnaleźć określonej ścieżki. ! ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1976] kernel32.dll!SetUnhandledExceptionFilter 76EA3142 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3600] USER32.dll!CharToOemA + 3A 76B7B1DE 7 Bytes JMP 5CE1D954 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3600] USER32.dll!AdjustWindowRectEx + 117 76B8660F 7 Bytes JMP 5CE1D9C5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3600] USER32.dll!GetWindowInfo 76B86A82 5 Bytes JMP 5CE219D5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3600] USER32.dll!MenuItemFromPoint + F 76BA4B36 7 Bytes JMP 5CE1B1BE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtCreateFile + 6 76F74A16 4 Bytes [28, 08, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtCreateFile + B 76F74A1B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtCreateKey + 6 76F74A56 4 Bytes [68, 09, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtCreateKey + B 76F74A5B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtCreateMutant + 6 76F74A96 4 Bytes [68, 0A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtCreateMutant + B 76F74A9B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtCreateSection + 6 76F74B36 4 Bytes [A8, 0A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtCreateSection + B 76F74B3B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtMapViewOfSection + 6 76F75076 4 Bytes CALL 75F76787 C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtMapViewOfSection + B 76F7507B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenFile + 6 76F75126 4 Bytes [68, 08, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenFile + B 76F7512B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenKey + 6 76F75156 4 Bytes [A8, 09, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenKey + B 76F7515B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenKeyEx + 6 76F75166 4 Bytes CALL 75F76874 C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenKeyEx + B 76F7516B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenMutant + 6 76F751A6 4 Bytes [28, 0A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenMutant + B 76F751AB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenProcess + 6 76F751D6 4 Bytes [68, 0B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenProcess + B 76F751DB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenProcessToken + 6 76F751E6 4 Bytes [A8, 0B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenProcessToken + B 76F751EB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenProcessTokenEx + 6 76F751F6 4 Bytes [68, 0C, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenProcessTokenEx + B 76F751FB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenSection + 6 76F75216 4 Bytes CALL 75F76925 C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenSection + B 76F7521B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenThread + 6 76F75256 4 Bytes [28, 0B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenThread + B 76F7525B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenThreadToken + 6 76F75266 4 Bytes [28, 0C, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenThreadToken + B 76F7526B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenThreadTokenEx + 6 76F75276 4 Bytes [A8, 0C, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtOpenThreadTokenEx + B 76F7527B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtQueryAttributesFile + 6 76F75386 4 Bytes [A8, 08, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtQueryAttributesFile + B 76F7538B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtQueryFullAttributesFile + 6 76F75436 4 Bytes CALL 75F76B43 C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtQueryFullAttributesFile + B 76F7543B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtSetInformationFile + 6 76F75A86 4 Bytes [28, 09, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtSetInformationFile + B 76F75A8B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtSetInformationThread + 6 76F75AE6 4 Bytes CALL 75F771F6 C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtSetInformationThread + B 76F75AEB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtUnmapViewOfSection + 6 76F75E06 4 Bytes [28, 0D, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ntdll.dll!NtUnmapViewOfSection + B 76F75E0B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] kernel32.dll!CreateProcessW 76E5202D 5 Bytes JMP 00180030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] kernel32.dll!CreateProcessA 76E52062 5 Bytes JMP 00180070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SelectObject 756E61D0 5 Bytes JMP 002705F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SetTextColor 756E6622 5 Bytes JMP 00270A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SetBkMode 756E66CD 5 Bytes JMP 002708F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!DeleteObject 756E68B4 5 Bytes JMP 002701B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!DeleteDC 756E6A2C 5 Bytes JMP 00270170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!ExtSelectClipRgn 756E6C72 5 Bytes JMP 002702F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SelectClipRgn 756E6D84 5 Bytes JMP 002705B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetDeviceCaps 756E6E03 5 Bytes JMP 002703B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SetStretchBltMode 756E73CE 5 Bytes JMP 002706B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetCurrentObject 756E777C 5 Bytes JMP 00270370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetTextMetricsW 756E798F 5 Bytes JMP 00270E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!IntersectClipRect 756E7CCA 5 Bytes JMP 002703F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetTextAlign 756E7D15 5 Bytes JMP 00270D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SetTextAlign 756E7F92 5 Bytes JMP 002709F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!ExtTextOutW 756E8053 5 Bytes JMP 00270970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetClipBox 756E81F2 5 Bytes JMP 00270330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!MoveToEx 756E8A16 5 Bytes JMP 00270470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!CreateDCA 756E9975 5 Bytes JMP 002700B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!RestoreDC 756E9A10 5 Bytes JMP 00270530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SaveDC 756E9AD2 5 Bytes JMP 00270570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!StretchDIBits 756EAC38 5 Bytes JMP 00270770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetTextFaceW 756EB4CC 5 Bytes JMP 00270D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetTextExtentPoint32W 756EB535 5 Bytes JMP 00270670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetFontData 756EB8E8 5 Bytes JMP 00270C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!CreateDCW 756EBD21 5 Bytes JMP 002700F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!CreateICW 756EC660 5 Bytes JMP 00270130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!LineTo 756ECA20 5 Bytes JMP 00270430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SetWorldTransform 756ECB42 5 Bytes JMP 002706F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetTextMetricsA 756ECE46 5 Bytes JMP 00270DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!Rectangle 756EF5BE 5 Bytes JMP 002709B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SetICMMode 756EF8D4 5 Bytes JMP 00270DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!ExtTextOutA 756F0158 5 Bytes JMP 00270930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetTextExtentPoint32A 756F08BB 5 Bytes JMP 00270630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!Escape 756F0B0D 5 Bytes JMP 00270270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!ExtEscape 756F3472 5 Bytes JMP 002702B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetTextFaceA 756F3E49 5 Bytes JMP 00270CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SetPolyFillMode 756F6CE1 5 Bytes JMP 00270B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SetMiterLimit 756F6E54 5 Bytes JMP 00270B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!ResetDCW 7570031C 5 Bytes JMP 00270AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!EndPage 757007CD 5 Bytes JMP 00270230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!GetGlyphOutlineW 7570C292 5 Bytes JMP 00270CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!CreateScalableFontResourceW 7570E8EF 5 Bytes JMP 00270BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!AddFontResourceW 7570ECEB 5 Bytes JMP 00270BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!RemoveFontResourceW 7570F1E1 5 Bytes JMP 00270C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!AbortDoc 75714D37 5 Bytes JMP 00270030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!EndDoc 7571517E 5 Bytes JMP 002701F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!StartPage 75715269 5 Bytes JMP 00270730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!StartDocW 75715BB6 5 Bytes JMP 002707F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!BeginPath 7571635D 5 Bytes JMP 00270830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!SelectClipPath 757163B4 5 Bytes JMP 00270AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!CloseFigure 7571640F 5 Bytes JMP 00270070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!EndPath 75716466 5 Bytes JMP 00270A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!StrokePath 75716699 5 Bytes JMP 002707B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!FillPath 75716726 5 Bytes JMP 00270870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!PolylineTo 75716B94 5 Bytes JMP 002704F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!PolyBezierTo 75716C25 5 Bytes JMP 002704B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] GDI32.dll!PolyDraw 75716CD7 5 Bytes JMP 002708B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!ActivateKeyboardLayout 76B7817D 5 Bytes JMP 002804F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!ScreenToClient 76B7C1F2 7 Bytes JMP 00280670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!RegisterClipboardFormatA 76B7E6B1 5 Bytes JMP 002802F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!RegisterClipboardFormatW 76B7EDFD 5 Bytes JMP 002802B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!SetCursor 76B852EA 5 Bytes JMP 00280530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!MonitorFromWindow 76B8590A 7 Bytes JMP 00280630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!PostMessageW 76B86225 5 Bytes JMP 002805F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!IsWindowVisible 76B86939 7 Bytes JMP 002806B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetClientRect 76B874B1 7 Bytes JMP 002805B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!MapWindowPoints 76B87915 5 Bytes JMP 00280570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetParent 76B87AB3 7 Bytes JMP 002806F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!SetClipboardData 76B94979 5 Bytes JMP 00280170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!EmptyClipboard 76B94A28 5 Bytes JMP 00280130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetClipboardData 76B94B47 5 Bytes JMP 00280030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!EnumClipboardFormats 76B94D98 5 Bytes JMP 002801B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetClipboardFormatNameW 76B97EB2 5 Bytes JMP 00280230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!SetClipboardViewer 76B98F4D 5 Bytes JMP 002804B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetClipboardFormatNameA 76B98F61 5 Bytes JMP 00280270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetOpenClipboardWindow 76B9902F 1 Byte [E9] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetOpenClipboardWindow 76B9902F 5 Bytes JMP 002803F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!ChangeClipboardChain 76BA3425 5 Bytes JMP 00280430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetTopWindow 76BA3A5D 7 Bytes JMP 00280730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!CloseClipboard 76BA5BA7 5 Bytes JMP 002800B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!OpenClipboard 76BA5BB9 5 Bytes JMP 00280070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!IsClipboardFormatAvailable 76BA5C3A 5 Bytes JMP 002800F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetClipboardSequenceNumber 76BA5C4E 5 Bytes JMP 00280330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetClipboardOwner 76BA5C60 5 Bytes JMP 00280370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!CountClipboardFormats 76BA5DC9 5 Bytes JMP 002801F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!SetCursorPos 76BBC1D8 5 Bytes JMP 00280770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetClipboardViewer 76BD4B57 5 Bytes JMP 00280470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] USER32.dll!GetPriorityClipboardFormat 76BD4C59 5 Bytes JMP 002803B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ole32.dll!OleSetClipboard 76C9F1F6 5 Bytes JMP 00290030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ole32.dll!OleIsCurrentClipboard 76CA2370 5 Bytes JMP 00290070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[4568] ole32.dll!OleGetClipboard 76CCF71D 5 Bytes JMP 002900B0 .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] ntdll.dll!NtCreateFile 76F74A10 5 Bytes JMP 5CB79440 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] ntdll.dll!NtFlushBuffersFile 76F74DA0 5 Bytes JMP 5C867CC9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] ntdll.dll!NtQueryFullAttributesFile 76F75430 5 Bytes JMP 5C867F40 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] ntdll.dll!NtReadFile 76F75700 5 Bytes JMP 5C867D20 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] ntdll.dll!NtReadFileScatter 76F75710 5 Bytes JMP 5D4D7D51 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] ntdll.dll!NtWriteFile 76F75EB0 5 Bytes JMP 5CB7A3D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] ntdll.dll!NtWriteFileGather 76F75EC0 5 Bytes JMP 5D4D7D00 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] ntdll.dll!LdrLoadDll 76F8F585 5 Bytes JMP 70101F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] kernel32.dll!K32GetDeviceDriverBaseNameW + 16F 76E9C0CF 7 Bytes JMP 5D41923C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] kernel32.dll!CloseHandle + 38 76EA05EF 7 Bytes JMP 5D41925F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] kernel32.dll!GetExitCodeProcess + 2C 76EA313D 7 Bytes JMP 5CB75E74 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] USER32.dll!GetWindowInfo 76B86A82 5 Bytes JMP 5D31AF4C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5924] GDI32.dll!GetViewportOrgEx + 21C 756E85EB 7 Bytes JMP 5D4191BD C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73AF250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73AF2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73AD5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73AD56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73AE8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73AE4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73AE50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73AE51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73AE66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73AE82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73AE8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73AE907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73AEE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73AE4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll ---- Devices - GMER 2.1 ---- Device Ntfs.sys AttachedDevice eamon.sys Device Fs_Rec.sys ---- Threads - GMER 2.1 ---- Thread System [4:252] C377B790 ---- Processes - GMER 2.1 ---- Library C:\Program Files\Bonjour\mdnsNSP.dll (*** hidden *** ) @ C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe [396] 0x16080000 Library C:\Program Files\Bonjour\mdnsNSP.dll (*** hidden *** ) @ C:\Program Files\IObit\Smart Defrag 3\SmartDefrag.exe [548] 0x16080000 Library C:\Program Files\Bonjour\mdnsNSP.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1004] 0x16080000 Library C:\Program Files\Bonjour\mdnsNSP.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1244] 0x16080000 Library C:\Program Files\Bonjour\mdnsNSP.dll (*** hidden *** ) @ C:\Windows\System32\spoolsv.exe [1632] 0x16080000 Library C:\Program Files\Bonjour\mdnsNSP.dll (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2084] 0x16080000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x48 0x51 0x8B ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE5 0x0C 0x18 0x81 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@d0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE9 0x92 0xC3 0xDE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF0 0x49 0xB2 0xC1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE5 0x0C 0x18 0x81 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@d0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE9 0x92 0xC3 0xDE ... Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers@AliveServerCount 3 Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\04F5AB42-02C9-4B8B-AEE6-86ED439E65AF@Alive 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\The Sims 3\Sims.3.Kolekcja.POLiSH.REPACK.O22y\The Sims 3 Diesel \x2013 akcesoria\Setup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\The Sims 3\Sims.3.Kolekcja.POLiSH.REPACK.O22y\The Sims 3 Szybka jazda \x2013 akcesoria\Setup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\The Sims 3\The Sims 3 Impreza w plenerze \x2013 akcesoria\Uninstall\unins000.exe 1 ---- Files - GMER 2.1 ---- File C:\ProgramData\IObit\Protected Folder\config.ini 73 bytes File C:\ProgramData\IObit\Protected Folder\drawposs.db 21 bytes File C:\ProgramData\IObit\Protected Folder\fstile.cds 2 bytes File C:\Users\Bartek\AppData\Local\Mozilla\Firefox\Profiles\zajrdka9.default-1395353920050\cache2\entries\52EBD44465E5E21010B8F4BBE9C663893069124B 4966 bytes File C:\Users\Bartek\AppData\Local\Mozilla\Firefox\Profiles\zajrdka9.default-1395353920050\cache2\entries\C9EF416C38F0627AC7E58112B66FCAA49524FB4E 3155 bytes File C:\Users\Bartek\AppData\Local\Mozilla\Firefox\Profiles\zajrdka9.default-1395353920050\cache2\entries\BD06EFD0E0D39FA55BD5C6F9BB8FD36F4C9E79B4 3155 bytes File C:\Users\Bartek\AppData\Local\Mozilla\Firefox\Profiles\zajrdka9.default-1395353920050\cache2\entries\F70FA09CD3CFCBD9E772D570D6736CA3EDE1AC21 3155 bytes File C:\Users\Bartek\AppData\Local\Mozilla\Firefox\Profiles\zajrdka9.default-1395353920050\cache2\entries\7B08A74F06B40F55F34C923FCD42905164ED3271 3155 bytes ---- EOF - GMER 2.1 ----