Asus n50vn rootkit
mario81 (post 311239) wrote:

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-12-07 18:26:48
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545050KTA300 rev.BKFOC60G 465,76GB
Running: m57g1hli.exe; Driver: C:\Users\Mariusz\AppData\Local\Temp\pwriafoc.sys


---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!GetSysColor 0000000076526c3c 5 bytes JMP 000000010045b9d0
.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!GetSysColorBrush 00000000765335a4 5 bytes JMP 000000010045ba30
.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!GetScrollInfo 0000000076534018 7 bytes JMP 000000010045b810
.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!SetScrollInfo 00000000765340cf 7 bytes JMP 000000010045b8c0
.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!ShowScrollBar 0000000076534162 5 bytes JMP 000000010045b990
.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!GetScrollPos 0000000076534234 5 bytes JMP 000000010045b850
.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!SetScrollPos 00000000765387a5 5 bytes JMP 000000010045b900
.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!EnableScrollBar 0000000076538d3a 7 bytes JMP 000000010045b7d0
.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!GetScrollRange 00000000765390c4 5 bytes JMP 000000010045b880
.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!SetScrollRange 000000007654d50b 5 bytes JMP 000000010045b940
.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076851465 2 bytes [85, 76]
.text C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768514bb 2 bytes [85, 76]
.text ... * 2
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772b7a90 13 bytes {MOV R11, 0x7fef8a8b0c0; JMP R11}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 00000000772e1370 13 bytes {MOV R11, 0x7feea7f6a68; JMP R11}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000772e1390 13 bytes {MOV R11, 0x7feea7f7c70; JMP R11}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1490 6 bytes {JMP QWORD [RIP+0x8e7eba0]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFileGather 00000000772e14c0 13 bytes {MOV R11, 0x7feeadfadf8; JMP R11}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtReadFileScatter 00000000772e15f0 13 bytes {MOV R11, 0x7feeadfad3c; JMP R11}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtFlushBuffersFile 00000000772e17c0 13 bytes {MOV R11, 0x7feea99338c; JMP R11}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e1810 6 bytes {JMP QWORD [RIP+0x8e9e820]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772e1860 13 bytes {MOV R11, 0x7feea7f785c; JMP R11}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772e2470 13 bytes {MOV R11, 0x7feea7f67e0; JMP R11}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CopyFileW 00000000770792d0 6 bytes JMP 8d4d2024
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077089b70 13 bytes {MOV R11, 0x7feeab1ee50; JMP R11}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708e7b0 6 bytes JMP 0
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077091bb0 6 bytes JMP 60d0000
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 00000000770c0d10 6 bytes {JMP QWORD [RIP+0x907f320]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileW 00000000770ff7f0 6 bytes JMP 0
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileA 00000000770ff950 6 bytes JMP 938
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CopyFileA 0000000077105620 6 bytes JMP 6
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 0000000077107b70 6 bytes JMP 8d0060
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077108840 6 bytes JMP 120
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!WinExec 0000000077108d80 6 bytes JMP 0
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd501950 6 bytes {JMP QWORD [RIP+0x189e6e0]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd50a058 3 bytes CALL 32f50000
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd50b9a1 5 bytes {JMP QWORD [RIP+0x1934690]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd5131e0 6 bytes {JMP QWORD [RIP+0x18ace50]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd513210 6 bytes {JMP QWORD [RIP+0x18ece20]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd5330c0 6 bytes {JMP QWORD [RIP+0x18acf70]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd5330f0 6 bytes {JMP QWORD [RIP+0x18ecf40]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe824980 6 bytes {JMP QWORD [RIP+0x42b6b0]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\SHELL32.dll!ShellExecuteW 000007fefd99983c 6 bytes {JMP QWORD [RIP+0xf667f4]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefd863914 6 bytes {JMP QWORD [RIP+0x148c71c]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefd86ba68 6 bytes {JMP QWORD [RIP+0x14645c8]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefd873b6c 2 bytes [FF, 25]
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpSendRequestW + 3 000007fefd873b6f 3 bytes [C4, 4B, 01]
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefd88355c 6 bytes {JMP QWORD [RIP+0x13ecad4]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefd883910 6 bytes {JMP QWORD [RIP+0x140c720]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefd8868d8 6 bytes {JMP QWORD [RIP+0x14e9758]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefd8b2c74 6 bytes {JMP QWORD [RIP+0x13fd3bc]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1 000007fefd8b2dc1 5 bytes {JMP QWORD [RIP+0x145d270]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefd8cf600 6 bytes {JMP QWORD [RIP+0x1480a30]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefd8cf694 6 bytes {JMP QWORD [RIP+0x14c099c]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefd7695e4 6 bytes {JMP QWORD [RIP+0x11b6a4c]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefd7696c5 5 bytes {JMP QWORD [RIP+0x11f696c]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefd7698b0 6 bytes {JMP QWORD [RIP+0x14a6780]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefd76999c 6 bytes {JMP QWORD [RIP+0x1466694]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefd769b10 6 bytes {JMP QWORD [RIP+0x11d6520]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefd769ca1 5 bytes {JMP QWORD [RIP+0x1216390]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefd769e10 6 bytes {JMP QWORD [RIP+0x14c6220]}
.text C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefd769f01 5 bytes {JMP QWORD [RIP+0x1486130]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772e13e0 16 bytes [50, 48, B8, 54, BF, 03, 3F, ...]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1490 6 bytes JMP ec2b40b8
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772e1550 16 bytes [50, 48, B8, 78, BF, 03, 3F, ...]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772e1570 32 bytes [50, 48, B8, 40, C1, 03, 3F, ...]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772e1600 32 bytes [50, 48, B8, 9C, BF, 03, 3F, ...]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772e1640 16 bytes [50, 48, B8, 40, C0, 03, 3F, ...]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772e16e0 16 bytes [50, 48, B8, 74, C0, 03, 3F, ...]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e1810 6 bytes JMP 73e16e0
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772e1860 16 bytes [50, 48, B8, CC, BF, 03, 3F, ...]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772e22d0 16 bytes [50, 48, B8, 64, C1, 03, 3F, ...]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772e2320 16 bytes [50, 48, B8, 1C, C1, 03, 3F, ...]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772e2470 16 bytes [50, 48, B8, 88, C0, 03, 3F, ...]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CopyFileW 00000000770792d0 6 bytes JMP 0
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007708e7b0 6 bytes JMP ec2b0b70
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077091bb0 6 bytes JMP 0
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 00000000770c0d10 6 bytes JMP 907e6f0
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!MoveFileW 00000000770ff7f0 6 bytes JMP 8f9ec80
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!MoveFileA 00000000770ff950 6 bytes JMP ec2b40b8
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CopyFileA 0000000077105620 6 bytes JMP 8ffaa28
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 0000000077107b70 6 bytes JMP 6d0065
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077108840 6 bytes JMP 6d0075
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!WinExec 0000000077108d80 6 bytes JMP eccdfff8
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd501950 6 bytes {JMP QWORD [RIP+0x189e6e0]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd50a058 3 bytes [B2, 5F, 06]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd50b9a1 5 bytes {JMP QWORD [RIP+0x1934690]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd5131e0 6 bytes {JMP QWORD [RIP+0x18ace50]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd513210 6 bytes {JMP QWORD [RIP+0x18ece20]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd5330c0 6 bytes {JMP QWORD [RIP+0x18acf70]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd5330f0 6 bytes {JMP QWORD [RIP+0x18ecf40]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe824980 6 bytes {JMP QWORD [RIP+0x42b6b0]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefd863914 6 bytes {JMP QWORD [RIP+0x148c71c]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefd86ba68 6 bytes {JMP QWORD [RIP+0x14645c8]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefd873b6c 2 bytes [FF, 25]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestW + 3 000007fefd873b6f 3 bytes [C4, 4B, 01]
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefd88355c 6 bytes {JMP QWORD [RIP+0x13ecad4]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefd883910 6 bytes {JMP QWORD [RIP+0x140c720]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefd8868d8 6 bytes {JMP QWORD [RIP+0x14e9758]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefd8b2c74 6 bytes {JMP QWORD [RIP+0x13fd3bc]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1 000007fefd8b2dc1 5 bytes {JMP QWORD [RIP+0x145d270]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefd8cf600 6 bytes {JMP QWORD [RIP+0x1480a30]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefd8cf694 6 bytes {JMP QWORD [RIP+0x14c099c]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefd7695e4 6 bytes {JMP QWORD [RIP+0x11b6a4c]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefd7696c5 5 bytes {JMP QWORD [RIP+0x11f696c]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefd7698b0 6 bytes {JMP QWORD [RIP+0x14a6780]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefd76999c 6 bytes {JMP QWORD [RIP+0x1466694]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefd769b10 6 bytes {JMP QWORD [RIP+0x11d6520]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefd769ca1 5 bytes {JMP QWORD [RIP+0x1216390]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefd769e10 6 bytes {JMP QWORD [RIP+0x14c6220]}
.text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefd769f01 5 bytes {JMP QWORD [RIP+0x1486130]}

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{30290E5E-2966-4B51-A598-09BC403E4AE1}\Connection@Name isatap.{8B89C5E6-5A1C-4B5B-AF23-768569CBDACB}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{438839EC-1992-453E-9190-63067853E229}?\Device\{30290E5E-2966-4B51-A598-09BC403E4AE1}?\Device\{8D5A3030-F062-46DD-BF61-3603F2F15F7F}?\Device\{B794C836-2181-4DD2-8B9B-B1357A4EF5F2}?\Device\{B3C15D4D-1BE4-47BF-884B-96463BFFC39F}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{438839EC-1992-453E-9190-63067853E229}"?"{30290E5E-2966-4B51-A598-09BC403E4AE1}"?"{8D5A3030-F062-46DD-BF61-3603F2F15F7F}"?"{B794C836-2181-4DD2-8B9B-B1357A4EF5F2}"?"{B3C15D4D-1BE4-47BF-884B-96463BFFC39F}"?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{438839EC-1992-453E-9190-63067853E229}?\Device\TCPIP6TUNNEL_{30290E5E-2966-4B51-A598-09BC403E4AE1}?\Device\TCPIP6TUNNEL_{8D5A3030-F062-46DD-BF61-3603F2F15F7F}?\Device\TCPIP6TUNNEL_{B794C836-2181-4DD2-8B9B-B1357A4EF5F2}?\Device\TCPIP6TUNNEL_{B3C15D4D-1BE4-47BF-884B-96463BFFC39F}?
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{30290E5E-2966-4B51-A598-09BC403E4AE1}@InterfaceName isatap.{8B89C5E6-5A1C-4B5B-AF23-768569CBDACB}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{30290E5E-2966-4B51-A598-09BC403E4AE1}@ReusableType 0
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 391
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 104

---- EOF - GMER 2.1 ----

Please tell me what the problem is.
Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1 000007fefd8b2dc1 5 bytes {JMP QWORD [RIP+0x145d270]} .text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefd8cf600 6 bytes {JMP QWORD [RIP+0x1480a30]} .text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefd8cf694 6 bytes {JMP QWORD [RIP+0x14c099c]} .text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefd7695e4 6 bytes {JMP QWORD [RIP+0x11b6a4c]} .text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefd7696c5 5 bytes {JMP QWORD [RIP+0x11f696c]} .text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefd7698b0 6 bytes {JMP QWORD [RIP+0x14a6780]} .text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefd76999c 6 bytes {JMP QWORD [RIP+0x1466694]} .text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefd769b10 6 bytes {JMP QWORD [RIP+0x11d6520]} .text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefd769ca1 5 bytes {JMP QWORD [RIP+0x1216390]} .text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefd769e10 6 bytes {JMP QWORD [RIP+0x14c6220]} .text C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefd769f01 5 bytes {JMP QWORD [RIP+0x1486130]} ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{30290E5E-2966-4B51-A598-09BC403E4AE1}\Connection@Name 
---- EOF - GMER 2.1 ----

Please tell me what the problem is.