GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-04 17:39:18 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 TOSHIBA_MQ01ABD100 rev.AX1P2C 931,51GB Running: bg9dkvks.exe; Driver: C:\Users\HP\AppData\Local\Temp\pgldapob.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\iertutil.dll [1964] entry point in ".rdata" section 0000000073903150 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [1964] entry point in ".rdata" section 00000000733dc940 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [1964] entry point in ".rdata" section 0000000070918fc0 ? C:\WINDOWS\system32\apphelp.dll [1964] entry point in ".rdata" section 0000000070baf7c0 ? C:\WINDOWS\system32\apphelp.dll [2940] entry point in ".rdata" section 0000000070baf7c0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [1432] entry point in ".rdata" section 0000000070918fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [1432] entry point in ".rdata" section 0000000073903150 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [5768] entry point in ".rdata" section 0000000070918fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [5880] entry point in ".rdata" section 0000000073903150 ? C:\WINDOWS\system32\apphelp.dll [5880] entry point in ".rdata" section 0000000070baf7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [5908] entry point in ".rdata" section 0000000073903150 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [5908] entry point in ".rdata" section 00000000733dc940 ? C:\WINDOWS\system32\apphelp.dll [5908] entry point in ".rdata" section 0000000070baf7c0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [4852] entry point in ".rdata" section 0000000070918fc0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff1aa865c0 16 bytes {MOV RAX, 0x7fff035e62b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff1aa86260 16 bytes {MOV RAX, 0x7ff6d5a7f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff1aa86540 16 bytes {MOV RAX, 0x7ff6d5a7f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff1aa86580 16 bytes {MOV RAX, 0x7ff6d5a7fdd0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff1aa865a0 16 bytes {MOV RAX, 0x7ff6d5a7fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff1aa865c0 16 bytes {MOV RAX, 0x7ff6d5a7f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff1aa86600 16 bytes {MOV RAX, 0x7ff6d5a7f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff1aa866a0 16 bytes {MOV RAX, 0x7ff6d5a7fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff1aa866c0 16 bytes {MOV RAX, 0x7ff6d5a7fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff1aa86720 16 bytes {MOV RAX, 0x7ff6d5a7fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff1aa86860 16 bytes {MOV RAX, 0x7ff6d5a7fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff1aa86b60 16 bytes {MOV RAX, 0x7ff6d5a7fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff1aa883d0 16 bytes {MOV RAX, 0x7ff6d5a7fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff1aa88490 16 bytes {MOV RAX, 0x7ff6d5a7fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff1aa88730 16 bytes {MOV RAX, 0x7ff6d5a7fba0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff1aa86260 16 bytes {MOV RAX, 0x7ff6d5a7f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff1aa86540 16 bytes {MOV RAX, 0x7ff6d5a7f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff1aa86580 16 bytes {MOV RAX, 0x7ff6d5a7fdd0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff1aa865a0 16 bytes {MOV RAX, 0x7ff6d5a7fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff1aa865c0 16 bytes {MOV RAX, 0x7ff6d5a7f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff1aa86600 16 bytes {MOV RAX, 0x7ff6d5a7f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff1aa866a0 16 bytes {MOV RAX, 0x7ff6d5a7fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff1aa866c0 16 bytes {MOV RAX, 0x7ff6d5a7fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff1aa86720 16 bytes {MOV RAX, 0x7ff6d5a7fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff1aa86860 16 bytes {MOV RAX, 0x7ff6d5a7fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff1aa86b60 16 bytes {MOV RAX, 0x7ff6d5a7fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff1aa883d0 16 bytes {MOV RAX, 0x7ff6d5a7fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff1aa88490 16 bytes {MOV RAX, 0x7ff6d5a7fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff1aa88730 16 bytes {MOV RAX, 0x7ff6d5a7fba0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff1aa86260 16 bytes {MOV RAX, 0x7ff6d5a7f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff1aa86540 16 bytes {MOV RAX, 0x7ff6d5a7f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff1aa86580 16 bytes {MOV RAX, 0x7ff6d5a7fdd0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff1aa865a0 16 bytes {MOV RAX, 0x7ff6d5a7fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff1aa865c0 16 bytes {MOV RAX, 0x7ff6d5a7f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff1aa86600 16 bytes {MOV RAX, 0x7ff6d5a7f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff1aa866a0 16 bytes {MOV RAX, 0x7ff6d5a7fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff1aa866c0 16 bytes {MOV RAX, 0x7ff6d5a7fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff1aa86720 16 bytes {MOV RAX, 0x7ff6d5a7fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff1aa86860 16 bytes {MOV RAX, 0x7ff6d5a7fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff1aa86b60 16 bytes {MOV RAX, 0x7ff6d5a7fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff1aa883d0 16 bytes {MOV RAX, 0x7ff6d5a7fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff1aa88490 16 bytes {MOV RAX, 0x7ff6d5a7fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff1aa88730 16 bytes {MOV RAX, 0x7ff6d5a7fba0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff1aa86260 16 bytes {MOV RAX, 0x7ff6d5a7f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff1aa86540 16 bytes {MOV RAX, 0x7ff6d5a7f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff1aa86580 16 bytes {MOV RAX, 0x7ff6d5a7fdd0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff1aa865a0 16 bytes {MOV RAX, 0x7ff6d5a7fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff1aa865c0 16 bytes {MOV RAX, 0x7ff6d5a7f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff1aa86600 16 bytes {MOV RAX, 0x7ff6d5a7f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff1aa866a0 16 bytes {MOV RAX, 0x7ff6d5a7fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff1aa866c0 16 bytes {MOV RAX, 0x7ff6d5a7fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff1aa86720 16 bytes {MOV RAX, 0x7ff6d5a7fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff1aa86860 16 bytes {MOV RAX, 0x7ff6d5a7fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff1aa86b60 16 bytes {MOV RAX, 0x7ff6d5a7fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff1aa883d0 16 bytes {MOV RAX, 0x7ff6d5a7fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff1aa88490 16 bytes {MOV RAX, 0x7ff6d5a7fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff1aa88730 16 bytes {MOV RAX, 0x7ff6d5a7fba0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff1aa86260 16 bytes {MOV RAX, 0x7ff6d5a7f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff1aa86540 16 bytes {MOV RAX, 0x7ff6d5a7f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff1aa86580 16 bytes {MOV RAX, 0x7ff6d5a7fdd0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff1aa865a0 16 bytes {MOV RAX, 0x7ff6d5a7fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff1aa865c0 16 bytes {MOV RAX, 0x7ff6d5a7f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff1aa86600 16 bytes {MOV RAX, 0x7ff6d5a7f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff1aa866a0 16 bytes {MOV RAX, 0x7ff6d5a7fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff1aa866c0 16 bytes {MOV RAX, 0x7ff6d5a7fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff1aa86720 16 bytes {MOV RAX, 0x7ff6d5a7fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff1aa86860 16 bytes {MOV RAX, 0x7ff6d5a7fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff1aa86b60 16 bytes {MOV RAX, 0x7ff6d5a7fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff1aa883d0 16 bytes {MOV RAX, 0x7ff6d5a7fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff1aa88490 16 bytes {MOV RAX, 0x7ff6d5a7fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff1aa88730 16 bytes {MOV RAX, 0x7ff6d5a7fba0; JMP RAX} ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2596] entry point in ".rdata" section 0000000070918fc0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff1aa86260 16 bytes {MOV RAX, 0x7ff6d5a7f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff1aa86540 16 bytes {MOV RAX, 0x7ff6d5a7f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff1aa86580 16 bytes {MOV RAX, 0x7ff6d5a7fdd0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff1aa865a0 16 bytes {MOV RAX, 0x7ff6d5a7fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff1aa865c0 16 bytes {MOV RAX, 0x7ff6d5a7f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff1aa86600 16 bytes {MOV RAX, 0x7ff6d5a7f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff1aa866a0 16 bytes {MOV RAX, 0x7ff6d5a7fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff1aa866c0 16 bytes {MOV RAX, 0x7ff6d5a7fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff1aa86720 16 bytes {MOV RAX, 0x7ff6d5a7fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff1aa86860 16 bytes {MOV RAX, 0x7ff6d5a7fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff1aa86b60 16 bytes {MOV RAX, 0x7ff6d5a7fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff1aa883d0 16 bytes {MOV RAX, 0x7ff6d5a7fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff1aa88490 16 bytes {MOV RAX, 0x7ff6d5a7fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff1aa88730 16 bytes {MOV RAX, 0x7ff6d5a7fba0; JMP RAX} ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2404] entry point in ".rdata" section 0000000070918fc0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff1aa86260 16 bytes {MOV RAX, 0x7ff6d5a7f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff1aa86540 16 bytes {MOV RAX, 0x7ff6d5a7f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff1aa86580 16 bytes {MOV RAX, 0x7ff6d5a7fdd0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff1aa865a0 16 bytes {MOV RAX, 0x7ff6d5a7fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff1aa865c0 16 bytes {MOV RAX, 0x7ff6d5a7f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff1aa86600 16 bytes {MOV RAX, 0x7ff6d5a7f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff1aa866a0 16 bytes {MOV RAX, 0x7ff6d5a7fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff1aa866c0 16 bytes {MOV RAX, 0x7ff6d5a7fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff1aa86720 16 bytes {MOV RAX, 0x7ff6d5a7fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff1aa86860 16 bytes {MOV RAX, 0x7ff6d5a7fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff1aa86b60 16 bytes {MOV RAX, 0x7ff6d5a7fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff1aa883d0 16 bytes {MOV RAX, 0x7ff6d5a7fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff1aa88490 16 bytes {MOV RAX, 0x7ff6d5a7fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff1aa88730 16 bytes {MOV RAX, 0x7ff6d5a7fba0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff1aa86260 16 bytes {MOV RAX, 0x7ff6d5a7f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff1aa86540 16 bytes {MOV RAX, 0x7ff6d5a7f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff1aa86580 16 bytes {MOV RAX, 0x7ff6d5a7fdd0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff1aa865a0 16 bytes {MOV RAX, 0x7ff6d5a7fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff1aa865c0 16 bytes {MOV RAX, 0x7ff6d5a7f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff1aa86600 16 bytes {MOV RAX, 0x7ff6d5a7f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff1aa866a0 16 bytes {MOV RAX, 0x7ff6d5a7fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff1aa866c0 16 bytes {MOV RAX, 0x7ff6d5a7fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff1aa86720 16 bytes {MOV RAX, 0x7ff6d5a7fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff1aa86860 16 bytes {MOV RAX, 0x7ff6d5a7fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff1aa86b60 16 bytes {MOV RAX, 0x7ff6d5a7fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff1aa883d0 16 bytes {MOV RAX, 0x7ff6d5a7fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff1aa88490 16 bytes {MOV RAX, 0x7ff6d5a7fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff1aa88730 16 bytes {MOV RAX, 0x7ff6d5a7fba0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff1aa86260 16 bytes {MOV RAX, 0x7ff6d5a7f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff1aa86540 16 bytes {MOV RAX, 0x7ff6d5a7f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff1aa86580 16 bytes {MOV RAX, 0x7ff6d5a7fdd0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff1aa865a0 16 bytes {MOV RAX, 0x7ff6d5a7fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff1aa865c0 16 bytes {MOV RAX, 0x7ff6d5a7f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff1aa86600 16 bytes {MOV RAX, 0x7ff6d5a7f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff1aa866a0 16 bytes {MOV RAX, 0x7ff6d5a7fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff1aa866c0 16 bytes {MOV RAX, 0x7ff6d5a7fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff1aa86720 16 bytes {MOV RAX, 0x7ff6d5a7fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff1aa86860 16 bytes {MOV RAX, 0x7ff6d5a7fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff1aa86b60 16 bytes {MOV RAX, 0x7ff6d5a7fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff1aa883d0 16 bytes {MOV RAX, 0x7ff6d5a7fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff1aa88490 16 bytes {MOV RAX, 0x7ff6d5a7fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff1aa88730 16 bytes {MOV RAX, 0x7ff6d5a7fba0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff1aa86260 16 bytes {MOV RAX, 0x7ff6d5a7f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff1aa86540 16 bytes {MOV RAX, 0x7ff6d5a7f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff1aa86580 16 bytes {MOV RAX, 0x7ff6d5a7fdd0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff1aa865a0 16 bytes {MOV RAX, 0x7ff6d5a7fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff1aa865c0 16 bytes {MOV RAX, 0x7ff6d5a7f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff1aa86600 16 bytes {MOV RAX, 0x7ff6d5a7f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff1aa866a0 16 bytes {MOV RAX, 0x7ff6d5a7fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff1aa866c0 16 bytes {MOV RAX, 0x7ff6d5a7fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff1aa86720 16 bytes {MOV RAX, 0x7ff6d5a7fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff1aa86860 16 bytes {MOV RAX, 0x7ff6d5a7fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff1aa86b60 16 bytes {MOV RAX, 0x7ff6d5a7fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff1aa883d0 16 bytes {MOV RAX, 0x7ff6d5a7fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff1aa88490 16 bytes {MOV RAX, 0x7ff6d5a7fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff1aa88730 16 bytes {MOV RAX, 0x7ff6d5a7fba0; JMP RAX} ? C:\WINDOWS\system32\apphelp.dll [6440] entry point in ".rdata" section 0000000070baf7c0 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fff1a9c002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\System32\ole32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8816] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffedf28e570] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.96\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fff1a9c002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\System32\ole32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9144] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffedf28e570] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.96\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fff1a9c002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\System32\ole32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8992] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffedf28e570] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.96\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fff1a9c002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\System32\ole32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6404] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffedf28e570] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.96\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fff1a9c002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\System32\ole32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8868] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffedf28e570] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.96\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fff1a9c002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\System32\ole32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffedf28e570] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.96\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fff1a9c002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\System32\ole32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7fff1a9c006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7fff1a74002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffedf28e570] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.96\chrome_child.dll ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [688:2272] ffff80060d336c20 Thread C:\Windows\System32\RuntimeBroker.exe [4896:3484] 00007ffee9de20e0 Thread C:\Windows\System32\RuntimeBroker.exe [4896:2432] 00007ffee9de20e0 ---- Services - GMER 2.2 ---- Service C:\WINDOWS\system32\drivers\80703498.sys (*** hidden *** ) [BOOT] 35464169 <-- ROOTKIT !!! ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO159E0_00_07DC_E6^D8A03C3FE36BD7F5A8BA9909FF48DF75@Timestamp 0xFD 0x51 0xA3 0xF2 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\aded5e82-b909-4619-9949-f5d71dac0bcb@DCSettingIndex 80 Reg HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder@List 35464169?System Reserved?EMS?WdfLoadGroup?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Virtualization?FSFilter Encryption?FSFilter Compression?FSFilter Imaging?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Streams Drivers?NDIS Wrapper?COM Infrastructure?Event Log?ProfSvc_Group?AudioGroup?UIGroup?MS_WindowsLocalValidation?PlugPlay?Cryptography?PNP_TDI?NDIS?TDI?iSCSI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?SmartCardGroup?NetworkProvider?MS_WindowsRemoteValida Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\WINDOWS\system32\drivers\49627521.sys??\??\C:\WINDOWS\system32\drivers\49627521.sys??\??\C:\WINDOWS\system32\drivers\74281517.sys??\??\C:\Users\HP\AppData\Local\Temp\{AC596B75-A0D4-4417-9D13-3428B7C26B60}\msvcr100.dll??\??\C:\Users\HP\AppData\Local\Temp\{AC596B75-A0D4-4417-9D13-3428B7C26B60}\{A9011742-6D49-4D9A-B82C-CF04428F87A5}.tmp??\??\C:\Users\HP\AppData\Local\Temp\{AC596B75-A0D4-4417-9D13-3428B7C26B60}??\??\C:\WINDOWS\system32\drivers\B0562BC4.sys??\??\C:\WINDOWS\system32\drivers\74281517.sys?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 726975563 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 175188237 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 175187571 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 175187571 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 175188131 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 515 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x43 0x3F 0xF5 0x11 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\35464169@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\35464169@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\35464169@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\35464169@ImagePath system32\drivers\80703498.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\35464169@Group 35464169 Reg HKLM\SYSTEM\CurrentControlSet\Services\35464169 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@1008 0x24 0x60 0x78 0xA4 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\606dc7d979d2 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{F114DB89-34DF-49B6-BEDF-850D0B727E6E}@DefunctTimestamp 0xD8 0xDD 0x09 0x59 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 5042 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 453 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ec867241-6578-4be5-a28b-de6ea8e1d7df}@LeaseObtainedTime 1493820767 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ec867241-6578-4be5-a28b-de6ea8e1d7df}@T1 1493950367 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ec867241-6578-4be5-a28b-de6ea8e1d7df}@T2 1494047567 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ec867241-6578-4be5-a28b-de6ea8e1d7df}@LeaseTerminatesTime 1494079967 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x13 0x50 0x72 0x7B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x13 0xB8 0x36 0xDD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x13 0xE8 0xAD 0x19 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome 0x2C 0x9C 0x0B 0x25 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.2 ---- File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001330 39505 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001331 233627 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001332 39537 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001333 207115 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001334 0 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001335 0 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001336 41177 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001337 142958 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001338 38296 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001339 0 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00133f 33195 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001340 98621 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001349 0 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00134a 21252 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00134c 24323 bytes File C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00134e 223653 bytes ---- EOF - GMER 2.2 ----