GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-01-07 21:13:49 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS542525K9SA00 rev.BBFOC3BP Running: gmer.exe; Driver: C:\Users\CHEEWE~1\AppData\Local\Temp\kwdiafow.sys ---- System - GMER 1.0.15 ---- SSDT 89B4D940 ZwAlertResumeThread SSDT 89BDE808 ZwAlertThread SSDT 89B1C478 ZwAllocateVirtualMemory SSDT 89A6B6D8 ZwConnectPort SSDT 89B4D690 ZwCreateMutant SSDT 89BDE6F8 ZwCreateThread SSDT 868EF948 ZwFreeVirtualMemory SSDT 89B4D780 ZwImpersonateAnonymousToken SSDT 89B4D860 ZwImpersonateThread SSDT 89AD7518 ZwMapViewOfSection SSDT 89B4D5B0 ZwOpenEvent SSDT 89B1C548 ZwOpenProcessToken SSDT 89AD72E0 ZwOpenThreadToken SSDT \??\C:\Windows\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory [0x955C1880] SSDT 89B1CB58 ZwResumeThread SSDT 89AD7200 ZwSetContextThread SSDT 89AD73D0 ZwSetInformationProcess SSDT 89BDEB30 ZwSetInformationThread SSDT 89B4D4D0 ZwSuspendProcess SSDT 89BDE950 ZwSuspendThread SSDT 858B69D0 ZwTerminateProcess SSDT 89BDEA30 ZwTerminateThread SSDT 89AD74A0 ZwUnmapViewOfSection SSDT 868EFA18 ZwWriteVirtualMemory INT 0x52 ? 868FEBF8 INT 0x62 ? 868FEBF8 INT 0x72 ? 84953BF8 INT 0x82 ? 84953BF8 INT 0xA2 ? 868FEBF8 INT 0xA2 ? 868FEBF8 INT 0xA2 ? 868FEBF8 INT 0xB2 ? 868FEBF8 INT 0xB3 ? 868FEBF8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 11D 822F78A0 8 Bytes [40, D9, B4, 89, 08, E8, BD, ...] {INC EAX; FNSTENV [ECX+ECX*4-0x764217f8]} .text ntkrnlpa.exe!KeSetEvent + 131 822F78B4 4 Bytes [78, C4, B1, 89] {JS 0xffffffffffffffc6; MOV CL, 0x89} .text ntkrnlpa.exe!KeSetEvent + 1C1 822F7944 4 Bytes [D8, B6, A6, 89] .text ntkrnlpa.exe!KeSetEvent + 1F5 822F7978 4 Bytes [90, D6, B4, 89] {NOP ; SALC ; MOV AH, 0x89} .text ntkrnlpa.exe!KeSetEvent + 221 822F79A4 4 Bytes [F8, E6, BD, 89] .text ... ? System32\Drivers\splz.sys The system cannot find the path specified. ! .text USBPORT.SYS!DllUnload 8F8F241B 3 Bytes JMP 868FE1D8 .text USBPORT.SYS!DllUnload + 4 8F8F241F 1 Byte [F7] .text a1higda0.SYS 8FDB3000 22 Bytes [82, F3, 21, 82, 6C, F2, 21, ...] .text a1higda0.SYS 8FDB3017 137 Bytes [00, 32, 97, 78, 80, 3D, 95, ...] .text a1higda0.SYS 8FDB30A1 43 Bytes [40, 2F, 82, 74, 36, 29, 82, ...] .text a1higda0.SYS 8FDB30CE 10 Bytes [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX} .text a1higda0.SYS 8FDB30DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...] .text ... .text tdx.sys 955A7000 46 Bytes [00, 00, 00, 00, 00, 00, 8B, ...] .text tdx.sys 955A702F 83 Bytes [FF, 55, 8B, EC, 8B, 45, 1C, ...] .text tdx.sys 955A7083 31 Bytes [15, 84, 71, 5B, 95, 83, C4, ...] .text tdx.sys 955A70A3 162 Bytes [75, 1C, 8D, 45, 20, 6A, 02, ...] .text tdx.sys 955A7146 30 Bytes [FF, 75, 08, FF, 15, 84, 71, ...] .text ... ? C:\Windows\system32\DRIVERS\tdx.sys suspicious PE modification ? C:\Users\CHEEWE~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtProtectVirtualMemory 77BD4B84 5 Bytes JMP 00DB000A .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtWriteVirtualMemory 77BD54C4 5 Bytes JMP 0104000A .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!KiUserExceptionDispatcher 77BD5BF8 5 Bytes JMP 00D9000A .text C:\Program Files\Internet Explorer\iexplore.exe[4052] kernel32.dll!CreateThread 7715CB2E 5 Bytes JMP 6E2B7303 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!CreateDialogParamW 774B72A2 5 Bytes JMP 6E446628 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!GetAsyncKeyState 774B863C 5 Bytes JMP 6E29DD8D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!SetWindowsHookExW 774B87AD 5 Bytes JMP 6E2F2194 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!CallNextHookEx 774B8E3B 5 Bytes JMP 6E317BB7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!UnhookWindowsHookEx 774B98DB 5 Bytes JMP 6E33EB74 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!EnableWindow 774BCD8B 5 Bytes JMP 6E2F9A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!DefWindowProcA 774BDB88 7 Bytes JMP 6E2B952D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!CreateWindowExA 774BDC2A 5 Bytes JMP 6E2C3363 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!CreateWindowExW 774C1305 5 Bytes JMP 6E31FF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!GetKeyState 774C8CB1 5 Bytes JMP 6E29DC67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!DefWindowProcW 774D03B4 7 Bytes JMP 6E317C1A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!IsDialogMessageW 774D0745 5 Bytes JMP 6E446D82 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!CreateDialogParamA 774D17AA 5 Bytes JMP 6E4465F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!IsDialogMessage 774D1847 2 Bytes JMP 6E446D5A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!IsDialogMessage + 3 774D184A 2 Bytes [F7, F6] {DIV ESI} .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!CreateDialogIndirectParamA 774D26F1 5 Bytes JMP 6E446660 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!CreateDialogIndirectParamW 774D9A62 5 Bytes JMP 6E446698 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!SetKeyboardState 774E0987 5 Bytes JMP 6E447649 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!DialogBoxParamW 774E10B0 5 Bytes JMP 6E25170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!DialogBoxIndirectParamW 774E2EF5 5 Bytes JMP 6E4462BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!SendInput 774E2F75 5 Bytes JMP 6E4475F1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!EndDialog 774E326E 5 Bytes JMP 6E44702E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!SetCursorPos 774F6FB2 5 Bytes JMP 6E4476CA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!DialogBoxParamA 774F8152 5 Bytes JMP 6E446259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!DialogBoxIndirectParamA 774F847D 5 Bytes JMP 6E446323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!MessageBoxIndirectA 7750D4D9 5 Bytes JMP 6E4461E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!MessageBoxIndirectW 7750D5D3 5 Bytes JMP 6E446167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!MessageBoxExA 7750D639 5 Bytes JMP 6E446103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!MessageBoxExW 7750D65D 5 Bytes JMP 6E44609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!keybd_event 7750D972 5 Bytes JMP 6E4475AE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4052] SHELL32.dll!SHRestricted + D95 762B89A8 4 Bytes [CF, 01, EF, 66] .text C:\Program Files\Internet Explorer\iexplore.exe[4052] SHELL32.dll!SHRestricted + D9D 762B89B0 8 Bytes [E0, 61, EE, 66, 79, F7, EE, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[4052] ole32.dll!OleLoadFromStream 76E91E80 5 Bytes JMP 6E446A8C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5476] USER32.dll!EnableWindow 774BCD8B 5 Bytes JMP 6E2F9A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5476] USER32.dll!DialogBoxParamW 774E10B0 5 Bytes JMP 6E25170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5476] USER32.dll!DialogBoxIndirectParamW 774E2EF5 5 Bytes JMP 6E4462BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5476] USER32.dll!DialogBoxParamA 774F8152 5 Bytes JMP 6E446259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5476] USER32.dll!DialogBoxIndirectParamA 774F847D 5 Bytes JMP 6E446323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5476] USER32.dll!MessageBoxIndirectA 7750D4D9 5 Bytes JMP 6E4461E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5476] USER32.dll!MessageBoxIndirectW 7750D5D3 5 Bytes JMP 6E446167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5476] USER32.dll!MessageBoxExA 7750D639 5 Bytes JMP 6E446103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5476] USER32.dll!MessageBoxExW 7750D65D 5 Bytes JMP 6E44609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] kernel32.dll!CreateThread 7715CB2E 5 Bytes JMP 6E2B7303 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!CreateDialogParamW 774B72A2 5 Bytes JMP 6E446628 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!GetAsyncKeyState 774B863C 5 Bytes JMP 6E29DD8D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!SetWindowsHookExW 774B87AD 5 Bytes JMP 6E2F2194 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!CallNextHookEx 774B8E3B 5 Bytes JMP 6E317BB7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!UnhookWindowsHookEx 774B98DB 5 Bytes JMP 6E33EB74 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!EnableWindow 774BCD8B 5 Bytes JMP 6E2F9A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!DefWindowProcA 774BDB88 7 Bytes JMP 6E2B952D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!CreateWindowExA 774BDC2A 5 Bytes JMP 6E2C3363 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!CreateWindowExW 774C1305 5 Bytes JMP 6E31FF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!GetKeyState 774C8CB1 5 Bytes JMP 6E29DC67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!DefWindowProcW 774D03B4 7 Bytes JMP 6E317C1A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!IsDialogMessageW 774D0745 5 Bytes JMP 6E446D82 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!CreateDialogParamA 774D17AA 5 Bytes JMP 6E4465F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!IsDialogMessage 774D1847 2 Bytes JMP 6E446D5A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!IsDialogMessage + 3 774D184A 2 Bytes [F7, F6] {DIV ESI} .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!CreateDialogIndirectParamA 774D26F1 5 Bytes JMP 6E446660 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!CreateDialogIndirectParamW 774D9A62 5 Bytes JMP 6E446698 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!SetKeyboardState 774E0987 5 Bytes JMP 6E447649 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!DialogBoxParamW 774E10B0 5 Bytes JMP 6E25170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!DialogBoxIndirectParamW 774E2EF5 5 Bytes JMP 6E4462BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!SendInput 774E2F75 5 Bytes JMP 6E4475F1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!EndDialog 774E326E 5 Bytes JMP 6E44702E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!SetCursorPos 774F6FB2 5 Bytes JMP 6E4476CA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!DialogBoxParamA 774F8152 5 Bytes JMP 6E446259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!DialogBoxIndirectParamA 774F847D 5 Bytes JMP 6E446323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!MessageBoxIndirectA 7750D4D9 5 Bytes JMP 6E4461E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!MessageBoxIndirectW 7750D5D3 5 Bytes JMP 6E446167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!MessageBoxExA 7750D639 5 Bytes JMP 6E446103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!MessageBoxExW 7750D65D 5 Bytes JMP 6E44609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] USER32.dll!keybd_event 7750D972 5 Bytes JMP 6E4475AE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5524] SHELL32.dll!SHRestricted + D95 762B89A8 4 Bytes [CF, 01, EF, 66] .text C:\Program Files\Internet Explorer\iexplore.exe[5524] SHELL32.dll!SHRestricted + D9D 762B89B0 8 Bytes [E0, 61, EE, 66, 79, F7, EE, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[5524] ole32.dll!OleLoadFromStream 76E91E80 5 Bytes JMP 6E446A8C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] kernel32.dll!CreateThread 7715CB2E 5 Bytes JMP 6E2B7303 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!CreateDialogParamW 774B72A2 5 Bytes JMP 6E446628 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!GetAsyncKeyState 774B863C 5 Bytes JMP 6E29DD8D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!SetWindowsHookExW 774B87AD 5 Bytes JMP 6E2F2194 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!CallNextHookEx 774B8E3B 5 Bytes JMP 6E317BB7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!UnhookWindowsHookEx 774B98DB 5 Bytes JMP 6E33EB74 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!EnableWindow 774BCD8B 5 Bytes JMP 6E2F9A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!DefWindowProcA 774BDB88 7 Bytes JMP 6E2B952D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!CreateWindowExA 774BDC2A 5 Bytes JMP 6E2C3363 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!CreateWindowExW 774C1305 5 Bytes JMP 6E31FF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!GetKeyState 774C8CB1 5 Bytes JMP 6E29DC67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!DefWindowProcW 774D03B4 7 Bytes JMP 6E317C1A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!IsDialogMessageW 774D0745 5 Bytes JMP 6E446D82 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!CreateDialogParamA 774D17AA 5 Bytes JMP 6E4465F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!IsDialogMessage 774D1847 2 Bytes JMP 6E446D5A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!IsDialogMessage + 3 774D184A 2 Bytes [F7, F6] {DIV ESI} .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!CreateDialogIndirectParamA 774D26F1 5 Bytes JMP 6E446660 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!CreateDialogIndirectParamW 774D9A62 5 Bytes JMP 6E446698 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!SetKeyboardState 774E0987 5 Bytes JMP 6E447649 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!DialogBoxParamW 774E10B0 5 Bytes JMP 6E25170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!DialogBoxIndirectParamW 774E2EF5 5 Bytes JMP 6E4462BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!SendInput 774E2F75 5 Bytes JMP 6E4475F1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!EndDialog 774E326E 5 Bytes JMP 6E44702E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!SetCursorPos 774F6FB2 5 Bytes JMP 6E4476CA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!DialogBoxParamA 774F8152 5 Bytes JMP 6E446259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!DialogBoxIndirectParamA 774F847D 5 Bytes JMP 6E446323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!MessageBoxIndirectA 7750D4D9 5 Bytes JMP 6E4461E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!MessageBoxIndirectW 7750D5D3 5 Bytes JMP 6E446167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!MessageBoxExA 7750D639 5 Bytes JMP 6E446103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!MessageBoxExW 7750D65D 5 Bytes JMP 6E44609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] USER32.dll!keybd_event 7750D972 5 Bytes JMP 6E4475AE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[5968] SHELL32.dll!SHRestricted + D95 762B89A8 4 Bytes [CF, 01, EF, 66] .text C:\Program Files\Internet Explorer\iexplore.exe[5968] SHELL32.dll!SHRestricted + D9D 762B89B0 8 Bytes [E0, 61, EE, 66, 79, F7, EE, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[5968] ole32.dll!OleLoadFromStream 76E91E80 5 Bytes JMP 6E446A8C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 857151F8 AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation) Device \Driver\volmgr \Device\VolMgrControl 849551F8 Device \Driver\usbuhci \Device\USBPDO-0 869181F8 Device \Driver\sptd \Device\4197792535 splz.sys Device \Driver\usbuhci \Device\USBPDO-1 869181F8 Device \Driver\usbehci \Device\USBPDO-2 869211F8 Device \Driver\usbuhci \Device\USBPDO-3 869181F8 Device \Driver\usbuhci \Device\USBPDO-4 869181F8 Device \Driver\tdx \Device\Tcp [955B1E58] \SystemRoot\system32\DRIVERS\tdx.sys[.data] Device \Driver\usbuhci \Device\USBPDO-5 869181F8 Device \Driver\usbehci \Device\USBPDO-6 869211F8 Device \Driver\volmgr \Device\HarddiskVolume1 849551F8 Device \Driver\volmgr \Device\HarddiskVolume2 849551F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 857141F8 Device \Driver\atapi \Device\Ide\IdePort0 857141F8 Device \Driver\atapi \Device\Ide\IdePort1 857141F8 Device \Driver\volmgr \Device\HarddiskVolume3 849551F8 Device \Driver\volmgr \Device\HarddiskVolume4 849551F8 Device \Driver\volmgr \Device\HarddiskVolume5 849551F8 Device \Driver\BTHUSB \Device\00000081 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation) Device \Driver\BTHUSB \Device\00000083 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation) Device \Driver\iScsiPrt \Device\RaidPort0 869B01F8 Device \Driver\tdx \Device\Udp [955B1E58] \SystemRoot\system32\DRIVERS\tdx.sys[.data] Device \Driver\PCI_PNP4522 \Device\0000005d splz.sys Device \Driver\tdx \Device\RawIp [955B1E58] \SystemRoot\system32\DRIVERS\tdx.sys[.data] Device \Driver\usbuhci \Device\USBFDO-0 869181F8 Device \Driver\usbuhci \Device\USBFDO-1 869181F8 Device \Driver\usbehci \Device\USBFDO-2 869211F8 Device \Driver\usbuhci \Device\USBFDO-3 869181F8 Device \Driver\usbuhci \Device\USBFDO-4 869181F8 Device \Driver\usbuhci \Device\USBFDO-5 869181F8 Device \Driver\usbehci \Device\USBFDO-6 869211F8 Device \Driver\a1higda0 \Device\Scsi\a1higda01 869091F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bfb57dc1e Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e3da51a97 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x54 0x02 0xA1 0xA6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE4 0xFF 0x26 0x72 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9C 0xC4 0x0E 0x05 ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bfb57dc1e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e3da51a97 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x67 0xA0 0xA0 0xAF ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE4 0xFF 0x26 0x72 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9C 0xC4 0x0E 0x05 ... ---- Files - GMER 1.0.15 ---- File C:\Windows\$NtUninstallKB53746$\2520467401 0 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\@ 2048 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\bckfg.tmp 870 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\cfg.ini 176 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\Desktop.ini 4608 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\keywords 399 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\kwrd.dll 223744 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\L 0 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\L\qnbwvoto 72192 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\U 0 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\U\00000001.@ 2048 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\U\00000002.@ 224768 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\U\00000004.@ 1024 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\U\80000000.@ 11264 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\U\80000004.@ 12800 bytes File C:\Windows\$NtUninstallKB53746$\2520467401\U\80000032.@ 77312 bytes File C:\Windows\$NtUninstallKB53746$\515653912 0 bytes File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VU0IP9YJ\tap[4].gif 49 bytes File C:\Windows\Temp\fla238C.tmp 0 bytes ---- EOF - GMER 1.0.15 ----