GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-01 11:48:19 Windows 6.1.7601 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950042 rev.0003 465,76GB Running: gmer.exe; Driver: C:\Users\Aga\AppData\Local\Temp\fgldrpog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x914F06E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x914F0800] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x914F0010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x914F04D0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x914F0300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x914F03E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x914F0120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x914F0210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x914F05E0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwSaveKey + 13D1 8344EA09 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83488352 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1683 8348F778 8 Bytes [E0, 06, 4F, 91, 00, 08, 4F, ...] {LOOPNZ 0x8; DEC EDI; XCHG ECX, EAX; ADD [EAX], CL; DEC EDI; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 16CB 8348F7C0 4 Bytes [10, 00, 4F, 91] {ADC [EAX], AL; DEC EDI; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 16EB 8348F7E0 4 Bytes [D0, 04, 4F, 91] {ROL BYTE [EDI+ECX*2], 0x1; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 198B 8348FA80 8 Bytes [00, 03, 4F, 91, E0, 03, 4F, ...] {ADD [EBX], AL; DEC EDI; XCHG ECX, EAX; LOOPNZ 0x9; DEC EDI; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 199B 8348FA90 8 Bytes [20, 01, 4F, 91, 10, 02, 4F, ...] {AND [ECX], AL; DEC EDI; XCHG ECX, EAX; ADC [EDX], AL; DEC EDI; XCHG ECX, EAX} .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92640000, 0x390B65, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[1328] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2452] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Users\Aga\Desktop\gmer\gmer.exe[3056] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[3292] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\taskeng.exe[3480] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text ... .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4648] USER32.dll!CreateWindowExA + EA 74C2B284 7 Bytes JMP 52D30102 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4648] USER32.dll!GetFocus + 254 74C342CE 7 Bytes JMP 52D30173 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4648] USER32.dll!GetWindowInfo 74C34A4E 5 Bytes JMP 52D3261E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4648] USER32.dll!GetMenuInfo + AD 74C497B8 7 Bytes JMP 52D2D8F6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4672] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Intel\Bluetooth\mediasrv.exe[4692] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\wbem\wmiprvse.exe[4752] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4784] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\wbem\unsecapp.exe[4816] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text ... .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtCreateFile + 6 771E46AE 4 Bytes [28, 48, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtCreateFile + B 771E46B3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtCreateKey + 6 771E46EE 4 Bytes [68, 49, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtCreateKey + B 771E46F3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtCreateMutant + 6 771E472E 4 Bytes [68, 4A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtCreateMutant + B 771E4733 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtCreateSection + 6 771E47CE 4 Bytes [A8, 4A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtCreateSection + B 771E47D3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtMapViewOfSection + B 771E4D13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenFile + 6 771E4DBE 4 Bytes [68, 48, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenFile + B 771E4DC3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenKey + 6 771E4DEE 4 Bytes [A8, 49, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenKey + B 771E4DF3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenKeyEx + B 771E4E03 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenMutant + 6 771E4E3E 4 Bytes [28, 4A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenMutant + B 771E4E43 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenProcess + 6 771E4E6E 4 Bytes [68, 4B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenProcess + B 771E4E73 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenProcessToken + 6 771E4E7E 4 Bytes [A8, 4B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenProcessToken + B 771E4E83 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenProcessTokenEx + 6 771E4E8E 4 Bytes [68, 4C, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenProcessTokenEx + B 771E4E93 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenSection + B 771E4EB3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenThread + 6 771E4EEE 4 Bytes [28, 4B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenThread + B 771E4EF3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenThreadToken + 6 771E4EFE 4 Bytes [28, 4C, 17, 00] {SUB [EDI+EDX+0x0], CL} .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenThreadToken + B 771E4F03 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenThreadTokenEx + 6 771E4F0E 4 Bytes [A8, 4C, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtOpenThreadTokenEx + B 771E4F13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtQueryAttributesFile + 6 771E501E 4 Bytes [A8, 48, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtQueryAttributesFile + B 771E5023 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtQueryFullAttributesFile + B 771E50D3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtSetInformationFile + 6 771E571E 4 Bytes [28, 49, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtSetInformationFile + B 771E5723 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtSetInformationThread + B 771E5783 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtUnmapViewOfSection + 6 771E5A9E 4 Bytes [28, 4D, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtUnmapViewOfSection + B 771E5AA3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] kernel32.dll!CreateProcessW 7643203F 5 Bytes JMP 00180030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] kernel32.dll!CreateProcessA 76432074 5 Bytes JMP 00180070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!DeleteObject 761A5F85 5 Bytes JMP 003701B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SelectObject 761A6390 5 Bytes JMP 003705F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SetTextColor 761A66D8 5 Bytes JMP 00370A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SetBkMode 761A6783 5 Bytes JMP 003708F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!DeleteDC 761A6A59 5 Bytes JMP 00370170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetDeviceCaps 761A6F70 5 Bytes JMP 003703B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetTextMetricsW 761A72BF 5 Bytes JMP 00370E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetCurrentObject 761A782A 5 Bytes JMP 00370370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SetStretchBltMode 761A7A0A 5 Bytes JMP 003706B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!ExtSelectClipRgn 761A7FFE 5 Bytes JMP 003702F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SelectClipRgn 761A8110 5 Bytes JMP 003705B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!IntersectClipRect 761A81AA 5 Bytes JMP 003703F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetTextAlign 761A8310 5 Bytes JMP 00370D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SetTextAlign 761A858D 5 Bytes JMP 003709F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!ExtTextOutW 761A89D1 5 Bytes JMP 00370970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetClipBox 761A8C93 5 Bytes JMP 00370330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!MoveToEx 761A93AE 5 Bytes JMP 00370470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!CreateDCA 761AA0C5 5 Bytes JMP 003700B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetTextFaceW 761AAFEC 5 Bytes JMP 00370D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetTextExtentPoint32W 761AB4DB 5 Bytes JMP 00370670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetFontData 761AB81B 5 Bytes JMP 00370C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!CreateDCW 761ABE75 5 Bytes JMP 003700F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!CreateICW 761AC147 5 Bytes JMP 00370130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SetWorldTransform 761AC642 5 Bytes JMP 003706F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!RestoreDC 761AC89F 5 Bytes JMP 00370530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SaveDC 761AC96F 5 Bytes JMP 00370570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!StretchDIBits 761ACEF4 5 Bytes JMP 00370770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetTextMetricsA 761AE694 5 Bytes JMP 00370DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!Rectangle 761AF02B 5 Bytes JMP 003709B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!LineTo 761AF27B 5 Bytes JMP 00370430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SetICMMode 761AF485 5 Bytes JMP 00370DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!ExtTextOutA 761B0C16 5 Bytes JMP 00370930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetTextExtentPoint32A 761B1AF5 5 Bytes JMP 00370630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!ExtEscape 761B3F2F 5 Bytes JMP 003702B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SetPolyFillMode 761B57CA 5 Bytes JMP 00370B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SetMiterLimit 761B7404 5 Bytes JMP 00370B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!Escape 761B83A8 5 Bytes JMP 00370270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetTextFaceA 761C1EB9 5 Bytes JMP 00370CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!GetGlyphOutlineW 761C24C3 5 Bytes JMP 00370CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!CreateScalableFontResourceW 761C4DEC 5 Bytes JMP 00370BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!AddFontResourceW 761C51EB 5 Bytes JMP 00370BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!RemoveFontResourceW 761C56E1 5 Bytes JMP 00370C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!ResetDCW 761D0236 5 Bytes JMP 00370AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!AbortDoc 761D04F9 5 Bytes JMP 00370030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!EndPage 761D0AAF 5 Bytes JMP 00370230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!EndDoc 761D0ADF 5 Bytes JMP 003701F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!StartPage 761D0BCA 5 Bytes JMP 00370730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!StartDocW 761D1763 5 Bytes JMP 003707F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!BeginPath 761D1F0D 5 Bytes JMP 00370830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!SelectClipPath 761D1F64 5 Bytes JMP 00370AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!CloseFigure 761D1FBF 5 Bytes JMP 00370070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!EndPath 761D2016 5 Bytes JMP 00370A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!StrokePath 761D2249 5 Bytes JMP 003707B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!FillPath 761D22D6 5 Bytes JMP 00370870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!PolylineTo 761D2744 5 Bytes JMP 003704F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!PolyBezierTo 761D27D5 5 Bytes JMP 003704B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] GDI32.dll!PolyDraw 761D2887 5 Bytes JMP 003708B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!ActivateKeyboardLayout 74C28BD1 5 Bytes JMP 003804F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!SetCursor 74C292B4 5 Bytes JMP 00380530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!RegisterClipboardFormatA 74C2B5C2 5 Bytes JMP 003802F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!MonitorFromWindow 74C2C9F3 7 Bytes JMP 00380630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!RegisterClipboardFormatW 74C2CD2B 5 Bytes JMP 003802B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!ScreenToClient 74C320F8 7 Bytes JMP 00380670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!PostMessageW 74C34305 5 Bytes JMP 003805F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!IsWindowVisible 74C34C2C 7 Bytes JMP 003806B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!GetClientRect 74C35376 7 Bytes JMP 003805B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!MapWindowPoints 74C355B2 5 Bytes JMP 00380570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!GetParent 74C35F86 7 Bytes JMP 003806F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!SetClipboardViewer 74C422DC 5 Bytes JMP 003804B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!ChangeClipboardChain 74C4298D 5 Bytes JMP 00380430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!GetClipboardFormatNameA 74C43031 5 Bytes JMP 00380270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!GetClipboardFormatNameW 74C43132 5 Bytes JMP 00380230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!EmptyClipboard 74C4B3D3 5 Bytes JMP 00380130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!SetClipboardData 74C4B450 5 Bytes JMP 00380170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!GetClipboardSequenceNumber 74C4BFCC 5 Bytes JMP 00380330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!CloseClipboard 74C4BFDE 5 Bytes JMP 003800B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!OpenClipboard 74C4BFF0 5 Bytes JMP 00380070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!EnumClipboardFormats 74C4C0C8 5 Bytes JMP 003801B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!GetOpenClipboardWindow 74C4C0E7 5 Bytes JMP 003803F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!GetClipboardData 74C4C10D 5 Bytes JMP 00380030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!GetClipboardOwner 74C4EBA7 5 Bytes JMP 00380370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!CountClipboardFormats 74C4EF34 5 Bytes JMP 003801F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!IsClipboardFormatAvailable 74C4F527 5 Bytes JMP 003800F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!GetTopWindow 74C4F53B 7 Bytes JMP 00380730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!SetCursorPos 74C63E4F 5 Bytes JMP 00380770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!GetClipboardViewer 74C83933 5 Bytes JMP 00380470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] USER32.dll!GetPriorityClipboardFormat 74C83A35 5 Bytes JMP 003803B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ole32.dll!OleSetClipboard 76003539 5 Bytes JMP 00390030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ole32.dll!OleGetClipboard 76004475 5 Bytes JMP 003900B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe[6540] ole32.dll!OleIsCurrentClipboard 7601944B 5 Bytes JMP 00390070 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6964] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Nero\Update\NASvc.exe[7240] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] ntdll.dll!NtCreateFile 771E46A8 5 Bytes JMP 52A69AE0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] ntdll.dll!NtFlushBuffersFile 771E4A38 5 Bytes JMP 52A4C434 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] ntdll.dll!NtQueryFullAttributesFile 771E50C8 5 Bytes JMP 52A4C150 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] ntdll.dll!NtReadFile 771E5398 5 Bytes JMP 52A4C330 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] ntdll.dll!NtReadFileScatter 771E53A8 5 Bytes JMP 5346F60F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] ntdll.dll!NtWriteFile 771E5B48 5 Bytes JMP 52A6A9F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] ntdll.dll!NtWriteFileGather 771E5B58 5 Bytes JMP 5346F5BE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] ntdll.dll!LdrLoadDll 771FE7FF 5 Bytes JMP 64461F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76449D61 7 Bytes JMP 53394AA0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] kernel32.dll!RegQueryValueExW + 136 7644EC76 7 Bytes JMP 53394AC3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] kernel32.dll!RegisterWaitForInputIdle + 11 764505E3 7 Bytes JMP 52A663D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] USER32.dll!GetWindowInfo 74C34A4E 5 Bytes JMP 5328B991 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7772] GDI32.dll!GetViewportOrgEx + 121 761A8E7E 7 Bytes JMP 53394A21 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[8140] ntdll.dll!NtWriteVirtualMemory 771E5B78 5 Bytes JMP 5DD61000 C:\Program Files\AVG\AVG2015\avghookx.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [72E2250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [72E22494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [72E05624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [72E056E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [72E18573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [72E14D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [72E150CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [72E151A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [72E166D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [72E182CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [72E18819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [72E1907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [72E1E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[2168] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [72E14C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys Device \Driver\BTHUSB \Device\0000007b bthport.sys Device \Driver\BTHUSB \Device\0000007d bthport.sys ---- Threads - GMER 2.1 ---- Thread System [4:1152] 92F8DE50 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{5546CC1A-EC73-413C-BB29-D67B1257436A}\Connection@Name isatap.{AA56CCAF-E3D6-4EA3-99AB-692C7B7EE1E9} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{CEDFA489-930B-470E-97DC-7830257480FD}\Connection@Name isatap.{82709D92-7C08-42C4-9781-E0B11949539A} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{3D052712-7AE1-4AAC-B98D-7E6614CB58E6}?\Device\{3637D0CC-E257-4513-8F00-303F4ADB88EF}?\Device\{EBC214DC-A40B-4570-9B93-4A295CE86893}?\Device\{5546CC1A-EC73-413C-BB29-D67B1257436A}?\Device\{CEDFA489-930B-470E-97DC-7830257480FD}?\Device\{6667B347-2F50-4B4C-9CCF-AE60E00C0A9E}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{3D052712-7AE1-4AAC-B98D-7E6614CB58E6}"?"{3637D0CC-E257-4513-8F00-303F4ADB88EF}"?"{EBC214DC-A40B-4570-9B93-4A295CE86893}"?"{5546CC1A-EC73-413C-BB29-D67B1257436A}"?"{CEDFA489-930B-470E-97DC-7830257480FD}"?"{6667B347-2F50-4B4C-9CCF-AE60E00C0A9E}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{3D052712-7AE1-4AAC-B98D-7E6614CB58E6}?\Device\TCPIP6TUNNEL_{3637D0CC-E257-4513-8F00-303F4ADB88EF}?\Device\TCPIP6TUNNEL_{EBC214DC-A40B-4570-9B93-4A295CE86893}?\Device\TCPIP6TUNNEL_{5546CC1A-EC73-413C-BB29-D67B1257436A}?\Device\TCPIP6TUNNEL_{CEDFA489-930B-470E-97DC-7830257480FD}?\Device\TCPIP6TUNNEL_{6667B347-2F50-4B4C-9CCF-AE60E00C0A9E}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4ceb42483c7a Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4ceb42483c7a@d831cf5297ac 0x21 0xAF 0xE6 0x57 ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{5546CC1A-EC73-413C-BB29-D67B1257436A}@InterfaceName isatap.{AA56CCAF-E3D6-4EA3-99AB-692C7B7EE1E9} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{5546CC1A-EC73-413C-BB29-D67B1257436A}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{CEDFA489-930B-470E-97DC-7830257480FD}@InterfaceName isatap.{82709D92-7C08-42C4-9781-E0B11949539A} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{CEDFA489-930B-470E-97DC-7830257480FD}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 32070 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,7c9d4e0??????????? Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4ceb42483c7a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4ceb42483c7a@d831cf5297ac 0x21 0xAF 0xE6 0x57 ... Reg HKLM\SYSTEM\ControlSet005\services\BTHPORT\Parameters\Keys\4ceb42483c7a (not active ControlSet) ---- EOF - GMER 2.1 ----