GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-27 22:47:56 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T1L0-9 SAMSUNG_HD502HJ rev.1AJ10001 465,76GB Running: r9kz7tuv.exe; Driver: C:\Users\Lisqui\AppData\Local\Temp\fwrdapob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwAdjustPrivilegesToken [0x912F00A0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwAlpcConnectPort [0x912F0020] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwAlpcSendWaitReceivePort [0x912F0030] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwConnectPort [0x912F0050] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateSection [0x912F0000] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateSymbolicLinkObject [0x912F0410] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateThread [0x912F0100] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateThreadEx [0x912F0040] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDebugActiveProcess [0x912F0140] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDeviceIoControlFile [0x912F01E0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDuplicateObject [0x912F0170] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwLoadDriver [0x912F0150] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwMapViewOfSection [0x912F0180] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenProcess [0x912F0080] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenSection [0x912F0070] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenThread [0x912F0090] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwProtectVirtualMemory [0x912F00C0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueryIntervalProfile [0x912F0470] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueueApcThread [0x912F0120] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwRequestWaitReplyPort [0x912F01D0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwResumeProcess [0x912F0490] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwResumeThread [0x912F01A0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSecureConnectPort [0x912F0060] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetContextThread [0x912F0110] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetInformationObject [0x912F00B0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetInformationToken [0x912F0010] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetSystemInformation [0x912F0160] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSuspendProcess [0x912F01C0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSuspendThread [0x912F01B0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSystemDebugControl [0x912F0130] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwTerminateProcess [0x912F00D0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwTerminateThread [0x912F00E0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwUnmapViewOfSection [0x912F0190] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwWriteVirtualMemory [0x912F00F0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 1495 82C3F9E5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C79312 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82C8055C 4 Bytes [A0, 00, 2F, 91] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82C80584 4 Bytes [20, 00, 2F, 91] {AND [EAX], AL; DAS ; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82C805C8 4 Bytes [30, 00, 2F, 91] {XOR [EAX], AL; DAS ; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82C80618 4 Bytes [50, 00, 2F, 91] {PUSH EAX; ADD [EDI], CH; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 82C8067C 4 Bytes [00, 00, 2F, 91] {ADD [EAX], AL; DAS ; XCHG ECX, EAX} .text ... .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x83EC3FEE] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\CCleaner\CCleaner.exe[732] USER32.dll!SetScrollRange 762D8EC5 5 Bytes JMP 014862A9 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[732] USER32.dll!GetScrollInfo 762E2DA3 5 Bytes JMP 0148623C C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[732] USER32.dll!SetScrollInfo 762E48DA 5 Bytes JMP 014862E0 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[732] USER32.dll!GetScrollRange 7630045A 5 Bytes JMP 014861DF C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[732] USER32.dll!SetScrollPos 763004BE 5 Bytes JMP 014861BA C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[732] USER32.dll!GetScrollPos 76300E43 5 Bytes JMP 01486217 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[732] USER32.dll!EnableScrollBar 763019CE 5 Bytes JMP 01486314 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[732] USER32.dll!ShowScrollBar 76303C89 5 Bytes JMP 0148626F C:\Program Files\CCleaner\CCleaner.exe ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe[1328] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe[1328] ntdll.dll!NtProtectVirtualMemory 777E5F58 5 Bytes JMP 72322DD0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe[1328] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe[1328] USER32.dll!NotifyWinEvent + 5B2 762ED570 4 Bytes [10, 3D, 32, 72] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe[1328] USER32.dll!NotifyWinEvent + 6AE 762ED66C 4 Bytes [C0, 3C, 32, 72] {SAR BYTE [EDX+ESI], 0x72} ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3836] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3836] C:\Windows\system32\user32.dll time/date stamp mismatch; unknown module: CFGMGR32.dllunknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3836] user32.dll!LockWindowStation + 1BE 762D4948 5 Bytes JMP 72324670 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3836] user32.dll!GetUserObjectInformationA + 82F 762D79E7 5 Bytes JMP 72324AE0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3836] user32.dll!NotifyWinEvent + 5B2 762ED570 4 Bytes [10, 3D, 32, 72] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3836] user32.dll!NotifyWinEvent + 6AE 762ED66C 4 Bytes [C0, 3C, 32, 72] {SAR BYTE [EDX+ESI], 0x72} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3836] user32.dll!SetWindowsHookExA + 21 76306D2D 5 Bytes JMP 72324A60 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3836] user32.dll!SendMessageTimeoutA + 2A 76306DD3 5 Bytes JMP 723245E0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3836] user32.dll!GetRawInputDeviceInfoW + 10 7631CA16 5 Bytes JMP 723248B0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3836] user32.dll!GetRawInputDeviceInfoA + E7 76333C80 5 Bytes JMP 72324820 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] ntdll.dll!NtCreateFile 777E5608 5 Bytes JMP 5CDEF39A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] ntdll.dll!NtFlushBuffersFile 777E5998 5 Bytes JMP 5CDEF0A2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] ntdll.dll!NtQueryFullAttributesFile 777E6028 5 Bytes JMP 5CDEF157 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] ntdll.dll!NtReadFile 777E62F8 5 Bytes JMP 5CDEF2DF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] ntdll.dll!NtReadFileScatter 777E6308 5 Bytes JMP 5D279BC8 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] ntdll.dll!NtWriteFile 777E6AA8 5 Bytes JMP 5CDEF53E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] ntdll.dll!NtWriteFileGather 777E6AB8 5 Bytes JMP 5D279C18 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] ntdll.dll!LdrLoadDll 778022AE 5 Bytes JMP 604D98D2 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 765894E6 7 Bytes JMP 5D264446 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] kernel32.dll!QueryPerformanceCounter + 13 7658C4E5 7 Bytes JMP 5D266171 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] kernel32.dll!LoadAppInitDlls + 355 7658F5A6 7 Bytes JMP 5D00EECB C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] USER32.dll!GetWindowInfo 762E4B5E 5 Bytes JMP 5DD7A419 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5344] GDI32.dll!GetViewportOrgEx + 26C 7628884B 7 Bytes JMP 5D2629F1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5884] USER32.dll!GetWindowInfo 762E4B5E 5 Bytes JMP 5DC71371 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5884] USER32.dll!ToUnicodeEx + 71 762F2223 7 Bytes JMP 5DC6F997 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtCreateFile + 6 777E560E 4 Bytes [28, D8, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtCreateFile + B 777E5613 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtCreateKey + 6 777E564E 4 Bytes [68, D9, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtCreateKey + B 777E5653 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtCreateMutant + 6 777E568E 4 Bytes [68, DA, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtCreateMutant + B 777E5693 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtCreateSection + 6 777E572E 4 Bytes [A8, DA, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtCreateSection + B 777E5733 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtMapViewOfSection + B 777E5C73 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenFile + 6 777E5D1E 4 Bytes [68, D8, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenFile + B 777E5D23 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenKey + 6 777E5D4E 4 Bytes [A8, D9, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenKey + B 777E5D53 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenKeyEx + B 777E5D63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenMutant + 6 777E5D9E 4 Bytes [28, DA, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenMutant + B 777E5DA3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenProcess + 6 777E5DCE 4 Bytes [68, DB, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenProcess + B 777E5DD3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenProcessToken + 6 777E5DDE 4 Bytes [A8, DB, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenProcessToken + B 777E5DE3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenProcessTokenEx + 6 777E5DEE 4 Bytes [68, DC, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenProcessTokenEx + B 777E5DF3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenSection + B 777E5E13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenThread + 6 777E5E4E 4 Bytes [28, DB, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenThread + B 777E5E53 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenThreadToken + 6 777E5E5E 4 Bytes [28, DC, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenThreadToken + B 777E5E63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenThreadTokenEx + 6 777E5E6E 4 Bytes [A8, DC, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtOpenThreadTokenEx + B 777E5E73 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtQueryAttributesFile + 6 777E5F7E 4 Bytes [A8, D8, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtQueryAttributesFile + B 777E5F83 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtQueryFullAttributesFile + B 777E6033 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtSetInformationFile + 6 777E667E 4 Bytes [28, D9, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtSetInformationFile + B 777E6683 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtSetInformationThread + B 777E66E3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtUnmapViewOfSection + 6 777E69FE 4 Bytes [28, DD, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ntdll.dll!NtUnmapViewOfSection + B 777E6A03 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] kernel32.dll!CreateProcessW 7654204D 5 Bytes JMP 00080030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] kernel32.dll!CreateProcessA 76542082 5 Bytes JMP 00080070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!ActivateKeyboardLayout 762D8203 5 Bytes JMP 000C04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!ScreenToClient 762DA506 7 Bytes JMP 000C0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!RegisterClipboardFormatA 762DC091 5 Bytes JMP 000C02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!RegisterClipboardFormatW 762DDF8D 5 Bytes JMP 000C02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!SetCursor 762E3075 5 Bytes JMP 000C0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!MonitorFromWindow 762E3622 7 Bytes JMP 000C0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!PostMessageW 762E447B 5 Bytes JMP 000C05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!IsWindowVisible 762E4D69 7 Bytes JMP 000C06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!GetClientRect 762E54DD 7 Bytes JMP 000C05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!MapWindowPoints 762E5CAA 5 Bytes JMP 000C0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!GetParent 762E6029 7 Bytes JMP 000C06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!EmptyClipboard 762F290C 5 Bytes JMP 000C0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!SetClipboardData 762F2962 5 Bytes JMP 000C0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!GetClipboardData 762F2BA7 5 Bytes JMP 000C0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!GetClipboardFormatNameW 762F5FD2 5 Bytes JMP 000C0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!SetClipboardViewer 762F6FF6 5 Bytes JMP 000C04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!GetClipboardFormatNameA 762F700A 5 Bytes JMP 000C0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!ChangeClipboardChain 7630147C 5 Bytes JMP 000C0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!GetTopWindow 763024D9 7 Bytes JMP 000C0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!CloseClipboard 7630446C 5 Bytes JMP 000C00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!OpenClipboard 7630447E 5 Bytes JMP 000C0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!IsClipboardFormatAvailable 763044FF 5 Bytes JMP 000C00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!GetClipboardSequenceNumber 76304513 5 Bytes JMP 000C0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!GetClipboardOwner 76304525 5 Bytes JMP 000C0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!CountClipboardFormats 7630470A 5 Bytes JMP 000C01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!EnumClipboardFormats 763047EC 5 Bytes JMP 000C01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!GetOpenClipboardWindow 7630480B 5 Bytes JMP 000C03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!SetCursorPos 7631C1B0 5 Bytes JMP 000C0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!GetClipboardViewer 76334AF7 5 Bytes JMP 000C0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] user32.DLL!GetPriorityClipboardFormat 76334BF9 5 Bytes JMP 000C03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!DeleteObject 76285F14 5 Bytes JMP 000D01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SelectObject 76286640 5 Bytes JMP 000D05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SetTextColor 76286906 5 Bytes JMP 000D0A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SetBkMode 762869B1 5 Bytes JMP 000D08F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!DeleteDC 76286EAA 5 Bytes JMP 000D0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetDeviceCaps 76286F7F 5 Bytes JMP 000D03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!ExtSelectClipRgn 76287114 5 Bytes JMP 000D02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SelectClipRgn 76287242 5 Bytes JMP 000D05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SetStretchBltMode 76287705 5 Bytes JMP 000D06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetCurrentObject 76287917 5 Bytes JMP 000D0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetTextMetricsW 76287B8F 5 Bytes JMP 000D0E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetTextAlign 76287DAF 5 Bytes JMP 000D0D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!IntersectClipRect 76287DFE 5 Bytes JMP 000D03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!ExtTextOutW 76288192 5 Bytes JMP 000D0970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SetTextAlign 7628828E 5 Bytes JMP 000D09F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetClipBox 76288525 5 Bytes JMP 000D0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!MoveToEx 76288C21 5 Bytes JMP 000D0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!StretchDIBits 7628A53E 5 Bytes JMP 000D0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!RestoreDC 7628A67B 5 Bytes JMP 000D0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SaveDC 7628A74B 5 Bytes JMP 000D0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetTextExtentPoint32W 7628B4B5 5 Bytes JMP 000D0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetTextFaceW 7628B73A 2 Bytes JMP 000D0D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetTextFaceW + 3 7628B73D 2 Bytes [E4, 89] {IN AL, 0x89} .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetFontData 7628BCC4 5 Bytes JMP 000D0C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SetWorldTransform 7628C90A 5 Bytes JMP 000D06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!CreateDCA 7628CCA9 5 Bytes JMP 000D00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!CreateDCW 7628CF79 5 Bytes JMP 000D00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!CreateICW 7628CFD0 5 Bytes JMP 000D0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetTextMetricsA 7628D0F2 5 Bytes JMP 000D0DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!Rectangle 7628F1E7 5 Bytes JMP 000D09B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!LineTo 7628F583 5 Bytes JMP 000D0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SetICMMode 7628FA8C 5 Bytes JMP 000D0DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!ExtTextOutA 76290D08 5 Bytes JMP 000D0930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetTextExtentPoint32A 76291167 5 Bytes JMP 000D0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!ExtEscape 76292D31 5 Bytes JMP 000D02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!Escape 762933E8 5 Bytes JMP 000D0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!ResetDCW 76293A83 5 Bytes JMP 000D0AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!EndPage 762940C2 5 Bytes JMP 000D0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SetPolyFillMode 762967C9 5 Bytes JMP 000D0B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SetMiterLimit 76296985 5 Bytes JMP 000D0B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetTextFaceA 762A0D12 5 Bytes JMP 000D0CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!GetGlyphOutlineW 762AC32A 5 Bytes JMP 000D0CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!CreateScalableFontResourceW 762AE987 5 Bytes JMP 000D0BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!AddFontResourceW 762AED83 5 Bytes JMP 000D0BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!RemoveFontResourceW 762AF279 5 Bytes JMP 000D0C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!AbortDoc 762B4E79 5 Bytes JMP 000D0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!EndDoc 762B52C0 5 Bytes JMP 000D01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!StartPage 762B53AB 5 Bytes JMP 000D0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!StartDocW 762B5DC6 5 Bytes JMP 000D07F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!BeginPath 762B656D 5 Bytes JMP 000D0830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!SelectClipPath 762B65C4 5 Bytes JMP 000D0AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!CloseFigure 762B661F 5 Bytes JMP 000D0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!EndPath 762B6676 5 Bytes JMP 000D0A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!StrokePath 762B68A9 5 Bytes JMP 000D07B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!FillPath 762B6936 5 Bytes JMP 000D0870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!PolylineTo 762B6DA4 5 Bytes JMP 000D04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!PolyBezierTo 762B6E35 5 Bytes JMP 000D04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] GDI32.dll!PolyDraw 762B6EE7 5 Bytes JMP 000D08B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ole32.dll!OleSetClipboard 75BE0045 5 Bytes JMP 001F0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ole32.dll!OleIsCurrentClipboard 75BE36B2 5 Bytes JMP 001F0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[5976] ole32.dll!OleGetClipboard 75C0FDCD 5 Bytes JMP 001F00B0 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 85B681F8 Device \Driver\usbehci \Device\USBPDO-0 86F371F8 Device \Driver\usbehci \Device\USBPDO-1 86F371F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{9C0D6046-D489-41E8-B593-2578B6488328} 86D0C1F8 AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys Device \Driver\cdrom \Device\CdRom0 86B011F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{9ED84A0E-9BBB-4854-917E-5D90478E0520} 86D0C1F8 Device \Driver\atapi \Device\Ide\IdePort0 85B661F8 Device \Driver\atapi \Device\Ide\IdePort1 85B661F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-b 85B661F8 Device \Driver\atapi \Device\Ide\IdePort2 85B661F8 Device \Driver\atapi \Device\Ide\IdePort3 85B661F8 Device \Driver\atapi \Device\Ide\IdePort4 85B661F8 Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-9 85B661F8 Device \Driver\atapi \Device\Ide\IdePort5 85B661F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 86D0C1F8 AttachedDevice \Driver\tdx \Device\Udp kltdi.sys AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys Device \Driver\usbehci \Device\USBFDO-0 86F371F8 Device \Driver\usbehci \Device\USBFDO-1 86F371F8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85b661f8]<< 85b661f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86a467c8] 86a467c8 Trace 3 CLASSPNP.SYS[8bf9159e] -> nt!IofCallDriver -> [0x864d7328] 864d7328 Trace 5 ACPI.sys[8bb363d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T1L0-9[0x8691b908] 8691b908 Trace \Driver\atapi[0x864d45c0] -> IRP_MJ_CREATE -> 0x85b661f8 85b661f8 ---- EOF - GMER 2.1 ----