GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-04 13:12:56 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\00000074 ATA_____ rev.LVD3 931,51GB Running: 76j1j5po.exe; Driver: C:\Users\Aga\AppData\Local\Temp\uxriapow.sys ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8327E579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832A2F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtCreateFile + 6 77B64A16 4 Bytes [28, A4, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtCreateFile + B 77B64A1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtMapViewOfSection + 6 77B65076 4 Bytes [28, A7, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtMapViewOfSection + B 77B6507B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenFile + 6 77B65126 4 Bytes [68, A4, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenFile + B 77B6512B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenProcess + 6 77B651D6 4 Bytes [A8, A5, 33, 00] {TEST AL, 0xa5; XOR EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenProcess + B 77B651DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenProcessToken + B 77B651EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenProcessTokenEx + 6 77B651F6 4 Bytes [A8, A6, 33, 00] {TEST AL, 0xa6; XOR EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenProcessTokenEx + B 77B651FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenThread + 6 77B65256 4 Bytes [68, A5, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenThread + B 77B6525B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenThreadToken + 6 77B65266 4 Bytes [68, A6, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenThreadToken + B 77B6526B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtOpenThreadTokenEx + B 77B6527B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtQueryAttributesFile + 6 77B65386 4 Bytes [A8, A4, 33, 00] {TEST AL, 0xa4; XOR EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtQueryAttributesFile + B 77B6538B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtQueryFullAttributesFile + B 77B6543B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtSetInformationFile + 6 77B65A86 4 Bytes [28, A5, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtSetInformationFile + B 77B65A8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtSetInformationThread + 6 77B65AE6 4 Bytes [28, A6, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtSetInformationThread + B 77B65AEB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtUnmapViewOfSection + 6 77B65E06 4 Bytes [68, A7, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] ntdll.dll!NtUnmapViewOfSection + B 77B65E0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] SHELL32.dll!SHFileOperationW 76A596B8 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1380] USER32.dll!CreateWindowExW 76030E51 6 Bytes JMP 71AB000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtCreateFile + 6 77B64A16 4 Bytes [28, D8, 4C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtCreateFile + B 77B64A1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtMapViewOfSection + 6 77B65076 4 Bytes [28, DB, 4C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtMapViewOfSection + B 77B6507B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenFile + 6 77B65126 4 Bytes [68, D8, 4C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenFile + B 77B6512B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenProcess + 6 77B651D6 4 Bytes [A8, D9, 4C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenProcess + B 77B651DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenProcessToken + B 77B651EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenProcessTokenEx + 6 77B651F6 4 Bytes [A8, DA, 4C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenProcessTokenEx + B 77B651FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenThread + 6 77B65256 4 Bytes [68, D9, 4C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenThread + B 77B6525B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenThreadToken + 6 77B65266 4 Bytes [68, DA, 4C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenThreadToken + B 77B6526B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtOpenThreadTokenEx + B 77B6527B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtQueryAttributesFile + 6 77B65386 4 Bytes [A8, D8, 4C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtQueryAttributesFile + B 77B6538B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtQueryFullAttributesFile + B 77B6543B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtSetInformationFile + 6 77B65A86 4 Bytes [28, D9, 4C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtSetInformationFile + B 77B65A8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtSetInformationThread + 6 77B65AE6 4 Bytes [28, DA, 4C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtSetInformationThread + B 77B65AEB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtUnmapViewOfSection + 6 77B65E06 4 Bytes [68, DB, 4C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] ntdll.dll!NtUnmapViewOfSection + B 77B65E0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] SHELL32.dll!SHFileOperationW 76A596B8 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1560] USER32.dll!CreateWindowExW 76030E51 6 Bytes JMP 71AB000A .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavSvc.exe[1748] ntdll.dll!LdrLoadDll 77B7F585 6 Bytes JMP 71AF000A .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavSvc.exe[1748] kernel32.dll!SetUnhandledExceptionFilter 761A3142 8 Bytes [33, C0, 90, 90, C2, 04, 00, ...] {XOR EAX, EAX; NOP ; NOP ; RET 0x4; NOP } .text C:\Windows\Explorer.EXE[1912] kernel32.dll!CreateProcessW 7615202D 6 Bytes JMP 71AE000A .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavTray.exe[2012] ntdll.dll!LdrLoadDll 77B7F585 6 Bytes JMP 71AF000A .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavTray.exe[2012] kernel32.dll!SetUnhandledExceptionFilter 761A3142 8 Bytes [33, C0, 90, 90, C2, 04, 00, ...] {XOR EAX, EAX; NOP ; NOP ; RET 0x4; NOP } .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavTray.exe[2012] USER32.dll!SetScrollRange 7602AE3C 5 Bytes JMP 6DD9B990 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavTray.exe[2012] USER32.dll!GetScrollInfo 76035151 7 Bytes JMP 6DD9B740 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavTray.exe[2012] USER32.dll!SetScrollInfo 76036632 7 Bytes JMP 6DD9B560 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavTray.exe[2012] USER32.dll!GetScrollRange 76051B6C 5 Bytes JMP 6DD9BAE0 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavTray.exe[2012] USER32.dll!SetScrollPos 76051BD0 5 Bytes JMP 6DD9B810 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavTray.exe[2012] USER32.dll!GetScrollPos 7605252B 5 Bytes JMP 6DD9B910 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavTray.exe[2012] USER32.dll!EnableScrollBar 7605386D 7 Bytes JMP 6DD9BBE0 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavTray.exe[2012] USER32.dll!ShowScrollBar 76055785 5 Bytes JMP 6DD9BBA0 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BHipsSvc.exe[2328] ntdll.dll!LdrLoadDll 77B7F585 6 Bytes JMP 71AF000A .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BHipsSvc.exe[2328] kernel32.dll!SetUnhandledExceptionFilter 761A3142 8 Bytes [33, C0, 90, 90, C2, 04, 00, ...] {XOR EAX, EAX; NOP ; NOP ; RET 0x4; NOP } .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtCreateFile + 6 77B64A16 4 Bytes [28, 2C, 5D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtCreateFile + B 77B64A1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtMapViewOfSection + 6 77B65076 4 Bytes [28, 2F, 5D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtMapViewOfSection + B 77B6507B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenFile + 6 77B65126 4 Bytes [68, 2C, 5D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenFile + B 77B6512B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenProcess + 6 77B651D6 4 Bytes [A8, 2D, 5D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenProcess + B 77B651DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenProcessToken + B 77B651EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenProcessTokenEx + 6 77B651F6 4 Bytes [A8, 2E, 5D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenProcessTokenEx + B 77B651FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenThread + 6 77B65256 4 Bytes [68, 2D, 5D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenThread + B 77B6525B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenThreadToken + 6 77B65266 4 Bytes [68, 2E, 5D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenThreadToken + B 77B6526B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtOpenThreadTokenEx + B 77B6527B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtQueryAttributesFile + 6 77B65386 4 Bytes [A8, 2C, 5D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtQueryAttributesFile + B 77B6538B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtQueryFullAttributesFile + B 77B6543B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtSetInformationFile + 6 77B65A86 4 Bytes [28, 2D, 5D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtSetInformationFile + B 77B65A8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtSetInformationThread + 6 77B65AE6 4 Bytes [28, 2E, 5D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtSetInformationThread + B 77B65AEB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtUnmapViewOfSection + 6 77B65E06 4 Bytes [68, 2F, 5D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] ntdll.dll!NtUnmapViewOfSection + B 77B65E0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] SHELL32.dll!SHFileOperationW 76A596B8 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3496] USER32.dll!CreateWindowExW 76030E51 6 Bytes JMP 71AB000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4228] SHELL32.dll!SHFileOperationW 76A596B8 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4228] USER32.dll!CreateWindowExW 76030E51 6 Bytes JMP 71AB000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtCreateFile + 6 77B64A16 4 Bytes [28, A4, 41, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtCreateFile + B 77B64A1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtMapViewOfSection + 6 77B65076 4 Bytes [28, A7, 41, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtMapViewOfSection + B 77B6507B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenFile + 6 77B65126 4 Bytes [68, A4, 41, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenFile + B 77B6512B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenProcess + 6 77B651D6 4 Bytes [A8, A5, 41, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenProcess + B 77B651DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenProcessToken + B 77B651EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenProcessTokenEx + 6 77B651F6 4 Bytes [A8, A6, 41, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenProcessTokenEx + B 77B651FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenThread + 6 77B65256 4 Bytes [68, A5, 41, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenThread + B 77B6525B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenThreadToken + 6 77B65266 4 Bytes [68, A6, 41, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenThreadToken + B 77B6526B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtOpenThreadTokenEx + B 77B6527B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtQueryAttributesFile + 6 77B65386 4 Bytes [A8, A4, 41, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtQueryAttributesFile + B 77B6538B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtQueryFullAttributesFile + B 77B6543B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtSetInformationFile + 6 77B65A86 4 Bytes [28, A5, 41, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtSetInformationFile + B 77B65A8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtSetInformationThread + 6 77B65AE6 4 Bytes [28, A6, 41, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtSetInformationThread + B 77B65AEB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtUnmapViewOfSection + 6 77B65E06 4 Bytes [68, A7, 41, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] ntdll.dll!NtUnmapViewOfSection + B 77B65E0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] SHELL32.dll!SHFileOperationW 76A596B8 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4780] USER32.dll!CreateWindowExW 76030E51 6 Bytes JMP 71AB000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtCreateFile + 6 77B64A16 4 Bytes [28, 1C, 0A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtCreateFile + B 77B64A1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtMapViewOfSection + 6 77B65076 4 Bytes [28, 1F, 0A, 00] {SUB [EDI], BL; OR AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtMapViewOfSection + B 77B6507B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenFile + 6 77B65126 4 Bytes [68, 1C, 0A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenFile + B 77B6512B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenProcess + 6 77B651D6 4 Bytes [A8, 1D, 0A, 00] {TEST AL, 0x1d; OR AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenProcess + B 77B651DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenProcessToken + B 77B651EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenProcessTokenEx + 6 77B651F6 4 Bytes [A8, 1E, 0A, 00] {TEST AL, 0x1e; OR AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenProcessTokenEx + B 77B651FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenThread + 6 77B65256 4 Bytes [68, 1D, 0A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenThread + B 77B6525B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenThreadToken + 6 77B65266 4 Bytes [68, 1E, 0A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenThreadToken + B 77B6526B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtOpenThreadTokenEx + B 77B6527B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtQueryAttributesFile + 6 77B65386 4 Bytes [A8, 1C, 0A, 00] {TEST AL, 0x1c; OR AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtQueryAttributesFile + B 77B6538B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtQueryFullAttributesFile + B 77B6543B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtSetInformationFile + 6 77B65A86 4 Bytes [28, 1D, 0A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtSetInformationFile + B 77B65A8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtSetInformationThread + 6 77B65AE6 4 Bytes [28, 1E, 0A, 00] {SUB [ESI], BL; OR AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtSetInformationThread + B 77B65AEB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtUnmapViewOfSection + 6 77B65E06 4 Bytes [68, 1F, 0A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] ntdll.dll!NtUnmapViewOfSection + B 77B65E0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] SHELL32.dll!SHFileOperationW 76A596B8 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5636] USER32.dll!CreateWindowExW 76030E51 6 Bytes JMP 71AB000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtCreateFile + 6 77B64A16 4 Bytes [28, 38, 27, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtCreateFile + B 77B64A1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtMapViewOfSection + 6 77B65076 4 Bytes [28, 3B, 27, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtMapViewOfSection + B 77B6507B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenFile + 6 77B65126 4 Bytes [68, 38, 27, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenFile + B 77B6512B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenProcess + 6 77B651D6 4 Bytes [A8, 39, 27, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenProcess + B 77B651DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenProcessToken + B 77B651EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenProcessTokenEx + 6 77B651F6 4 Bytes [A8, 3A, 27, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenProcessTokenEx + B 77B651FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenThread + 6 77B65256 4 Bytes [68, 39, 27, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenThread + B 77B6525B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenThreadToken + 6 77B65266 4 Bytes [68, 3A, 27, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenThreadToken + B 77B6526B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtOpenThreadTokenEx + B 77B6527B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtQueryAttributesFile + 6 77B65386 4 Bytes [A8, 38, 27, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtQueryAttributesFile + B 77B6538B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtQueryFullAttributesFile + B 77B6543B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtSetInformationFile + 6 77B65A86 4 Bytes [28, 39, 27, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtSetInformationFile + B 77B65A8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtSetInformationThread + 6 77B65AE6 4 Bytes [28, 3A, 27, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtSetInformationThread + B 77B65AEB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtUnmapViewOfSection + 6 77B65E06 4 Bytes [68, 3B, 27, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] ntdll.dll!NtUnmapViewOfSection + B 77B65E0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] SHELL32.dll!SHFileOperationW 76A596B8 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6708] USER32.dll!CreateWindowExW 76030E51 6 Bytes JMP 71AB000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[7160] ntdll.dll!NtMapViewOfSection + 6 77B65076 4 Bytes [18, B0, D1, 66] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7160] ntdll.dll!NtMapViewOfSection + B 77B6507B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7160] SHELL32.dll!SHFileOperationW 76A596B8 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[7160] USER32.dll!CreateWindowExW 76030E51 6 Bytes JMP 71AB000A .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavUpdater.exe[7988] ntdll.dll!LdrLoadDll 77B7F585 6 Bytes JMP 71AF000A .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavUpdater.exe[7988] kernel32.dll!SetUnhandledExceptionFilter 761A3142 8 Bytes [33, C0, 90, 90, C2, 04, 00, ...] {XOR EAX, EAX; NOP ; NOP ; RET 0x4; NOP } .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavUpdater.exe[7988] USER32.dll!SetScrollRange 7602AE3C 5 Bytes JMP 6DD9B990 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavUpdater.exe[7988] USER32.dll!GetScrollInfo 76035151 7 Bytes JMP 6DD9B740 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavUpdater.exe[7988] USER32.dll!SetScrollInfo 76036632 7 Bytes JMP 6DD9B560 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavUpdater.exe[7988] USER32.dll!GetScrollRange 76051B6C 5 Bytes JMP 6DD9BAE0 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavUpdater.exe[7988] USER32.dll!SetScrollPos 76051BD0 5 Bytes JMP 6DD9B810 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavUpdater.exe[7988] USER32.dll!GetScrollPos 7605252B 5 Bytes JMP 6DD9B910 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavUpdater.exe[7988] USER32.dll!EnableScrollBar 7605386D 7 Bytes JMP 6DD9BBE0 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\BavUpdater.exe[7988] USER32.dll!ShowScrollBar 76055785 5 Bytes JMP 6DD9BBA0 C:\Program Files\Baidu Security\Baidu Antivirus\5.4.3.148966.0\DirectUI.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtCreateFile + 6 77B64A16 4 Bytes [28, 58, CF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtCreateFile + B 77B64A1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtMapViewOfSection + 6 77B65076 4 Bytes [28, 5B, CF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtMapViewOfSection + B 77B6507B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenFile + 6 77B65126 4 Bytes [68, 58, CF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenFile + B 77B6512B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenProcess + 6 77B651D6 4 Bytes [A8, 59, CF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenProcess + B 77B651DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenProcessToken + B 77B651EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenProcessTokenEx + 6 77B651F6 4 Bytes [A8, 5A, CF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenProcessTokenEx + B 77B651FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenThread + 6 77B65256 4 Bytes [68, 59, CF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenThread + B 77B6525B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenThreadToken + 6 77B65266 4 Bytes [68, 5A, CF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenThreadToken + B 77B6526B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtOpenThreadTokenEx + B 77B6527B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtQueryAttributesFile + 6 77B65386 4 Bytes [A8, 58, CF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtQueryAttributesFile + B 77B6538B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtQueryFullAttributesFile + B 77B6543B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtSetInformationFile + 6 77B65A86 4 Bytes [28, 59, CF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtSetInformationFile + B 77B65A8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtSetInformationThread + 6 77B65AE6 4 Bytes [28, 5A, CF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtSetInformationThread + B 77B65AEB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtUnmapViewOfSection + 6 77B65E06 4 Bytes [68, 5B, CF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] ntdll.dll!NtUnmapViewOfSection + B 77B65E0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] SHELL32.dll!SHFileOperationW 76A596B8 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[8220] USER32.dll!CreateWindowExW 76030E51 6 Bytes JMP 71AB000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[8968] SHELL32.dll!SHFileOperationW 76A596B8 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[8968] USER32.dll!CreateWindowExW 76030E51 6 Bytes JMP 71AB000A ---- Devices - GMER 2.2 ---- Device \Driver\BTHUSB \Device\0000009c bthport.sys Device \Driver\BTHUSB \Device\0000009e bthport.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BHipsEx@RunningTime 0xD2 0xC1 0x0D 0x09 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c8bfd7e37d0 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c8bfd7e37d0@80018492cacf 0xE4 0x63 0xC1 0x0C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c8bfd7e37d0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c8bfd7e37d0@80018492cacf 0xE4 0x63 0xC1 0x0C ... ---- Files - GMER 2.2 ---- File C:\Users\Aga\AppData\Local\Temp\etilqs_c7Jacn20OJiXYM8 4 bytes ---- EOF - GMER 2.2 ----