GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-03 13:42:27 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000080 ATA_____ rev.AF10 465,76GB Running: ndo7bptn.exe; Driver: C:\Users\Angela\AppData\Local\Temp\pgddipoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076df1401 2 bytes JMP 759fb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076df1419 2 bytes JMP 759fb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076df1431 2 bytes JMP 75a79149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076df144a 2 bytes CALL 759d4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076df14dd 2 bytes JMP 75a78a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076df14f5 2 bytes JMP 75a78c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076df150d 2 bytes JMP 75a78938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076df1525 2 bytes JMP 75a78d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076df153d 2 bytes JMP 759efcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076df1555 2 bytes JMP 759f6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076df156d 2 bytes JMP 75a79201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076df1585 2 bytes JMP 75a78d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076df159d 2 bytes JMP 75a788fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076df15b5 2 bytes JMP 759efd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076df15cd 2 bytes JMP 759fb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076df16b2 2 bytes JMP 75a790c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Easy Settings\CmdServer\EasySettingsCmdServer.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076df16bd 2 bytes JMP 75a78891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791bfb0 14 bytes {MOV RAX, 0x7fee77c64e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791be00 7 bytes [48, B8, 60, 0D, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007791be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007791bf70 7 bytes [48, B8, E0, 0D, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007791bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007791bf90 7 bytes [48, B8, D0, 11, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007791bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007791bfa0 7 bytes [48, B8, C0, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007791bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791bfb0 7 bytes [48, B8, 40, 0C, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007791bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007791bfd0 7 bytes [48, B8, B0, 0C, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007791bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007791c020 7 bytes [48, B8, 50, 0E, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007791c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007791c030 7 bytes [48, B8, 20, 12, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007791c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007791c060 7 bytes [48, B8, 40, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007791c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007791c100 7 bytes [48, B8, 80, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007791c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007791c280 7 bytes [48, B8, C0, 0E, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007791c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007791ccf0 7 bytes [48, B8, 00, 12, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007791ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007791cd40 7 bytes [48, B8, A0, 11, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007791cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007791ce90 7 bytes [48, B8, A0, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007791ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791be00 7 bytes [48, B8, 60, 0D, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007791be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007791bf70 7 bytes [48, B8, E0, 0D, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007791bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007791bf90 7 bytes [48, B8, D0, 11, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007791bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007791bfa0 7 bytes [48, B8, C0, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007791bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791bfb0 7 bytes [48, B8, 40, 0C, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007791bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007791bfd0 7 bytes [48, B8, B0, 0C, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007791bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007791c020 7 bytes [48, B8, 50, 0E, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007791c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007791c030 7 bytes [48, B8, 20, 12, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007791c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007791c060 7 bytes [48, B8, 40, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007791c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007791c100 7 bytes [48, B8, 80, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007791c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007791c280 7 bytes [48, B8, C0, 0E, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007791c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007791ccf0 7 bytes [48, B8, 00, 12, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007791ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007791cd40 7 bytes [48, B8, A0, 11, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007791cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007791ce90 7 bytes [48, B8, A0, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007791ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791be00 7 bytes [48, B8, 60, 0D, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007791be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007791bf70 7 bytes [48, B8, E0, 0D, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007791bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007791bf90 7 bytes [48, B8, D0, 11, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007791bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007791bfa0 7 bytes [48, B8, C0, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007791bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791bfb0 7 bytes [48, B8, 40, 0C, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007791bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007791bfd0 7 bytes [48, B8, B0, 0C, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007791bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007791c020 7 bytes [48, B8, 50, 0E, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007791c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007791c030 7 bytes [48, B8, 20, 12, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007791c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007791c060 7 bytes [48, B8, 40, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007791c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007791c100 7 bytes [48, B8, 80, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007791c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007791c280 7 bytes [48, B8, C0, 0E, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007791c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007791ccf0 7 bytes [48, B8, 00, 12, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007791ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007791cd40 7 bytes [48, B8, A0, 11, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007791cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007791ce90 7 bytes [48, B8, A0, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007791ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791be00 7 bytes [48, B8, 60, 0D, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007791be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007791bf70 7 bytes [48, B8, E0, 0D, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007791bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007791bf90 7 bytes [48, B8, D0, 11, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007791bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007791bfa0 7 bytes [48, B8, C0, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007791bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791bfb0 7 bytes [48, B8, 40, 0C, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007791bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007791bfd0 7 bytes [48, B8, B0, 0C, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007791bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007791c020 7 bytes [48, B8, 50, 0E, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007791c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007791c030 7 bytes [48, B8, 20, 12, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007791c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007791c060 7 bytes [48, B8, 40, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007791c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007791c100 7 bytes [48, B8, 80, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007791c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007791c280 7 bytes [48, B8, C0, 0E, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007791c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007791ccf0 7 bytes [48, B8, 00, 12, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007791ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007791cd40 7 bytes [48, B8, A0, 11, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007791cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007791ce90 7 bytes [48, B8, A0, 0F, 3C, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007791ce98 6 bytes {ADD [RAX], AL; JMP RAX} ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001099e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001099c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800109a654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800109aa50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800109a8ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee265e9c0] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee265e23c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee265e9a8] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee265ec08] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3856] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee179bd5c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee265e9c0] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee265e23c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee265e9a8] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee265ec08] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4248] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee179bd5c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee265e9c0] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee265e23c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee265e9a8] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee265ec08] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3408] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee179bd5c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll ---- Devices - GMER 2.2 ---- Device \FileSystem\Ntfs \Ntfs fffffa8005c5b2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80086b52c0 Device \Driver\iaStorA \Device\RaidPort0 fffffa8005c572c0 Device \Driver\iaStorA \Device\00000080 fffffa8005c572c0 Device \Driver\cdrom \Device\CdRom0 fffffa800834a2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{14518D63-BDAE-4E92-B5FD-F8606390E23A} fffffa80081842c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80086b52c0 Device \Driver\iaStorA \Device\00000081 fffffa8005c572c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80086b52c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{06819027-2437-4A54-9329-FA3B632BE5B1} fffffa80081842c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{DB241F96-D1C5-4A9E-8CB7-DDBD011F6817} fffffa80081842c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80081842c0 Device \Driver\iaStorA \Device\ScsiPort0 fffffa8005c572c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80086b52c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0xfffffa8005c572c0]<< sptd.sys storport.sys hal.dll iaStorA.sys fffffa8005c572c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007fed790] fffffa8007fed790 Trace 3 CLASSPNP.SYS[fffff88001c9743f] -> nt!IofCallDriver -> [0xfffffa8007efaa30] fffffa8007efaa30 Trace 5 iaStorF.sys[fffff88001864168] -> nt!IofCallDriver -> \Device\00000080[0xfffffa800613b9c0] fffffa800613b9c0 Trace \Driver\iaStorA[0xfffffa8005fa2060] -> IRP_MJ_CREATE -> 0xfffffa8005c572c0 fffffa8005c572c0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca971770bef Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca971770bef (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_pav3wsc.exe_dfdbb957f8ed6aa895c3e9d3cabec46bba35463_0a73ac84 Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog 0x30 0x00 0x34 0x00 ... ---- Files - GMER 2.2 ---- File C:\Users\Angela\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0038c5 355526 bytes File C:\Users\Angela\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0038c6 741097 bytes File C:\Users\Angela\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000483.log 0 bytes File C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_pav3wsc.exe_dfdbb957f8ed6aa895c3e9d3cabec46bba35463_0d5d4b04 0 bytes File C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_pav3wsc.exe_dfdbb957f8ed6aa895c3e9d3cabec46bba35463_0d5d4b04\Report.wer 8894 bytes File C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_pav3wsc.exe_dfdbb957f8ed6aa895c3e9d3cabec46bba35463_0ed50d0b 0 bytes ---- EOF - GMER 2.2 ----