GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-22 11:51:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-4 Hitachi_HDP725050GLA360 rev.GM4OA52A 465,76GB Running: c258ib3d.exe; Driver: C:\Users\Psychole\AppData\Local\Temp\pgddqpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\PnkBstrA.exe[2244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000737d1a22 2 bytes [7D, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000737d1ad0 2 bytes [7D, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000737d1b08 2 bytes [7D, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000737d1bba 2 bytes [7D, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000737d1bda 2 bytes [7D, 73] .text C:\Program Files (x86)\Intel\AMT\UNS.exe[2480] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Intel\AMT\UNS.exe[2480] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [3288] entry point in ".rdata" section 00000000743871e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007790f991 7 bytes {MOV EDX, 0x519e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007790fbd5 7 bytes {MOV EDX, 0x519e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007790fc05 7 bytes {MOV EDX, 0x519da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007790fc1d 7 bytes {MOV EDX, 0x519d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007790fc35 7 bytes {MOV EDX, 0x519f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007790fc65 7 bytes {MOV EDX, 0x519f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007790fce5 7 bytes {MOV EDX, 0x519ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007790fcfd 7 bytes {MOV EDX, 0x519ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007790fd49 7 bytes {MOV EDX, 0x519c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007790fe41 7 bytes {MOV EDX, 0x519ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077910099 7 bytes {MOV EDX, 0x519c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779110a5 7 bytes {MOV EDX, 0x519de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007791111d 7 bytes {MOV EDX, 0x519d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077911321 7 bytes {MOV EDX, 0x519ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007790f991 7 bytes {MOV EDX, 0xada228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007790fbd5 7 bytes {MOV EDX, 0xada268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007790fc05 7 bytes {MOV EDX, 0xada1a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007790fc1d 7 bytes {MOV EDX, 0xada128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007790fc35 7 bytes {MOV EDX, 0xada328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007790fc65 7 bytes {MOV EDX, 0xada368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007790fce5 7 bytes {MOV EDX, 0xada2e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007790fcfd 7 bytes {MOV EDX, 0xada2a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007790fd49 7 bytes {MOV EDX, 0xada068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007790fe41 7 bytes {MOV EDX, 0xada0a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077910099 7 bytes {MOV EDX, 0xada028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779110a5 7 bytes {MOV EDX, 0xada1e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007791111d 7 bytes {MOV EDX, 0xada168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077911321 7 bytes {MOV EDX, 0xada0e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007790f991 7 bytes {MOV EDX, 0xf12628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007790fbd5 7 bytes {MOV EDX, 0xf12668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007790fc05 7 bytes {MOV EDX, 0xf125a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007790fc1d 7 bytes {MOV EDX, 0xf12528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007790fc35 7 bytes {MOV EDX, 0xf12728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007790fc65 7 bytes {MOV EDX, 0xf12768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007790fce5 7 bytes {MOV EDX, 0xf126e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007790fcfd 7 bytes {MOV EDX, 0xf126a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007790fd49 7 bytes {MOV EDX, 0xf12468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007790fe41 7 bytes {MOV EDX, 0xf124a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077910099 7 bytes {MOV EDX, 0xf12428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779110a5 7 bytes {MOV EDX, 0xf125e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007791111d 7 bytes {MOV EDX, 0xf12568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077911321 7 bytes {MOV EDX, 0xf124e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007790f991 7 bytes {MOV EDX, 0xaa9628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007790fbd5 7 bytes {MOV EDX, 0xaa9668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007790fc05 7 bytes {MOV EDX, 0xaa95a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007790fc1d 7 bytes {MOV EDX, 0xaa9528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007790fc35 7 bytes {MOV EDX, 0xaa9728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007790fc65 7 bytes {MOV EDX, 0xaa9768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007790fce5 7 bytes {MOV EDX, 0xaa96e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007790fcfd 7 bytes {MOV EDX, 0xaa96a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007790fd49 7 bytes {MOV EDX, 0xaa9468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007790fe41 7 bytes {MOV EDX, 0xaa94a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077910099 7 bytes {MOV EDX, 0xaa9428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779110a5 7 bytes {MOV EDX, 0xaa95e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007791111d 7 bytes {MOV EDX, 0xaa9568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077911321 7 bytes {MOV EDX, 0xaa94e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007790f991 7 bytes {MOV EDX, 0x782628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007790fbd5 7 bytes {MOV EDX, 0x782668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007790fc05 7 bytes {MOV EDX, 0x7825a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007790fc1d 7 bytes {MOV EDX, 0x782528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007790fc35 7 bytes {MOV EDX, 0x782728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007790fc65 7 bytes {MOV EDX, 0x782768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007790fce5 7 bytes {MOV EDX, 0x7826e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007790fcfd 7 bytes {MOV EDX, 0x7826a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007790fd49 7 bytes {MOV EDX, 0x782468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007790fe41 7 bytes {MOV EDX, 0x7824a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077910099 7 bytes {MOV EDX, 0x782428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779110a5 7 bytes {MOV EDX, 0x7825e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007791111d 7 bytes {MOV EDX, 0x782568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077911321 7 bytes {MOV EDX, 0x7824e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007790f991 7 bytes {MOV EDX, 0x539a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007790fbd5 7 bytes {MOV EDX, 0x539a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007790fc05 7 bytes {MOV EDX, 0x5399a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007790fc1d 7 bytes {MOV EDX, 0x539928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007790fc35 7 bytes {MOV EDX, 0x539b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007790fc65 7 bytes {MOV EDX, 0x539b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007790fce5 7 bytes {MOV EDX, 0x539ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007790fcfd 7 bytes {MOV EDX, 0x539aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007790fd49 7 bytes {MOV EDX, 0x539868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007790fe41 7 bytes {MOV EDX, 0x5398a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077910099 7 bytes {MOV EDX, 0x539828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779110a5 7 bytes {MOV EDX, 0x5399e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007791111d 7 bytes {MOV EDX, 0x539968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077911321 7 bytes {MOV EDX, 0x5398e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007790f991 7 bytes {MOV EDX, 0x5d0228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007790fbd5 7 bytes {MOV EDX, 0x5d0268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007790fc05 7 bytes {MOV EDX, 0x5d01a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007790fc1d 7 bytes {MOV EDX, 0x5d0128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007790fc35 7 bytes {MOV EDX, 0x5d0328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007790fc65 7 bytes {MOV EDX, 0x5d0368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007790fce5 7 bytes {MOV EDX, 0x5d02e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007790fcfd 7 bytes {MOV EDX, 0x5d02a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007790fd49 7 bytes {MOV EDX, 0x5d0068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007790fe41 7 bytes {MOV EDX, 0x5d00a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077910099 7 bytes {MOV EDX, 0x5d0028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779110a5 7 bytes {MOV EDX, 0x5d01e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007791111d 7 bytes {MOV EDX, 0x5d0168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077911321 7 bytes {MOV EDX, 0x5d00e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 .text C:\Users\Psychole\Desktop\OTL.exe[4216] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Users\Psychole\Desktop\OTL.exe[4216] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007790f991 7 bytes {MOV EDX, 0x5e5628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007790fbd5 7 bytes {MOV EDX, 0x5e5668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007790fc05 7 bytes {MOV EDX, 0x5e55a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007790fc1d 7 bytes {MOV EDX, 0x5e5528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007790fc35 7 bytes {MOV EDX, 0x5e5728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007790fc65 7 bytes {MOV EDX, 0x5e5768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007790fce5 7 bytes {MOV EDX, 0x5e56e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007790fcfd 7 bytes {MOV EDX, 0x5e56a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007790fd49 7 bytes {MOV EDX, 0x5e5468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007790fe41 7 bytes {MOV EDX, 0x5e54a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077910099 7 bytes {MOV EDX, 0x5e5428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779110a5 7 bytes {MOV EDX, 0x5e55e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007791111d 7 bytes {MOV EDX, 0x5e5568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077911321 7 bytes {MOV EDX, 0x5e54e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778c1465 2 bytes [8C, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778c14bb 2 bytes [8C, 77] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1196:1448] 000007fef9de8274 Thread C:\Windows\system32\svchost.exe [1196:1896] 000007fef9de8274 Thread C:\Windows\System32\spoolsv.exe [1648:2108] 000007fef82910c8 Thread C:\Windows\System32\spoolsv.exe [1648:2132] 000007fef8256144 Thread C:\Windows\System32\spoolsv.exe [1648:2136] 000007fef83a5fd0 Thread C:\Windows\System32\spoolsv.exe [1648:2140] 000007fef8233438 Thread C:\Windows\System32\spoolsv.exe [1648:2144] 000007fef83a63ec Thread C:\Windows\System32\spoolsv.exe [1648:2400] 000007fef9805e5c Thread C:\Windows\System32\spoolsv.exe [1648:2420] 000007fef98d5074 Thread C:\Windows\system32\svchost.exe [1692:1444] 000007fef88e35c0 Thread C:\Windows\system32\svchost.exe [1692:2772] 000007fef88e5600 Thread C:\Windows\system32\svchost.exe [1692:3160] 000007fef66b2888 Thread C:\Windows\system32\svchost.exe [1692:3168] 000007fef6692940 Thread C:\Windows\system32\svchost.exe [1692:3064] 000007fef66b2a40 ---- EOF - GMER 2.1 ----