GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-24 22:02:38 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950042 rev.0002 465,76GB Running: 527m4ucl.exe; Driver: C:\Users\REPUBL~1\AppData\Local\Temp\pgtoypoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1760] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000770bfa98 5 bytes JMP 0000000172fc139e .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1760] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000770c0028 5 bytes JMP 0000000172fc1a54 .text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072d71a22 2 bytes [D7, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072d71ad0 2 bytes [D7, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072d71b08 2 bytes [D7, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072d71bba 2 bytes [D7, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072d71bda 2 bytes [D7, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Program Files (x86)\Origin\Origin.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Program Files (x86)\Origin\Origin.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text D:\programy\T-Mobile\InternetManager_Z\Bin\mcserver.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text D:\programy\T-Mobile\InternetManager_Z\Bin\mcserver.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770bf9a1 7 bytes {MOV EDX, 0x69b628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770bfbe5 7 bytes {MOV EDX, 0x69b668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770bfc15 7 bytes {MOV EDX, 0x69b5a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770bfc2d 7 bytes {MOV EDX, 0x69b528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770bfc45 7 bytes {MOV EDX, 0x69b728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770bfc75 7 bytes {MOV EDX, 0x69b768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770bfcf5 7 bytes {MOV EDX, 0x69b6e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770bfd0d 7 bytes {MOV EDX, 0x69b6a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770bfd59 7 bytes {MOV EDX, 0x69b468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770bfe51 7 bytes {MOV EDX, 0x69b4a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000770c00a9 7 bytes {MOV EDX, 0x69b428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770c10b5 7 bytes {MOV EDX, 0x69b5e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000770c112d 7 bytes {MOV EDX, 0x69b568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000770c1331 7 bytes {MOV EDX, 0x69b4e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770bf9a1 7 bytes {MOV EDX, 0xf63628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770bfbe5 7 bytes {MOV EDX, 0xf63668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770bfc15 7 bytes {MOV EDX, 0xf635a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770bfc2d 7 bytes {MOV EDX, 0xf63528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770bfc45 7 bytes {MOV EDX, 0xf63728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770bfc75 7 bytes {MOV EDX, 0xf63768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770bfcf5 7 bytes {MOV EDX, 0xf636e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770bfd0d 7 bytes {MOV EDX, 0xf636a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770bfd59 7 bytes {MOV EDX, 0xf63468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770bfe51 7 bytes {MOV EDX, 0xf634a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000770c00a9 7 bytes {MOV EDX, 0xf63428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770c10b5 7 bytes {MOV EDX, 0xf635e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000770c112d 7 bytes {MOV EDX, 0xf63568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000770c1331 7 bytes {MOV EDX, 0xf634e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770bf9a1 7 bytes {MOV EDX, 0x67de28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770bfbe5 7 bytes {MOV EDX, 0x67de68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770bfc15 7 bytes {MOV EDX, 0x67dda8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770bfc2d 7 bytes {MOV EDX, 0x67dd28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770bfc45 7 bytes {MOV EDX, 0x67df28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770bfc75 7 bytes {MOV EDX, 0x67df68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770bfcf5 7 bytes {MOV EDX, 0x67dee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770bfd0d 7 bytes {MOV EDX, 0x67dea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770bfd59 7 bytes {MOV EDX, 0x67dc68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770bfe51 7 bytes {MOV EDX, 0x67dca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000770c00a9 7 bytes {MOV EDX, 0x67dc28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770c10b5 7 bytes {MOV EDX, 0x67dde8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000770c112d 7 bytes {MOV EDX, 0x67dd68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000770c1331 7 bytes {MOV EDX, 0x67dce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770bf9a1 7 bytes {MOV EDX, 0x1f0628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770bfbe5 7 bytes {MOV EDX, 0x1f0668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770bfc15 7 bytes {MOV EDX, 0x1f05a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770bfc2d 7 bytes {MOV EDX, 0x1f0528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770bfc45 7 bytes {MOV EDX, 0x1f0728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770bfc75 7 bytes {MOV EDX, 0x1f0768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770bfcf5 7 bytes {MOV EDX, 0x1f06e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770bfd0d 7 bytes {MOV EDX, 0x1f06a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770bfd59 7 bytes {MOV EDX, 0x1f0468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770bfe51 7 bytes {MOV EDX, 0x1f04a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000770c00a9 7 bytes {MOV EDX, 0x1f0428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770c10b5 7 bytes {MOV EDX, 0x1f05e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000770c112d 7 bytes {MOV EDX, 0x1f0568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000770c1331 7 bytes {MOV EDX, 0x1f04e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770bf9a1 7 bytes {MOV EDX, 0xd56228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770bfbe5 7 bytes {MOV EDX, 0xd56268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770bfc15 7 bytes {MOV EDX, 0xd561a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770bfc2d 7 bytes {MOV EDX, 0xd56128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770bfc45 7 bytes {MOV EDX, 0xd56328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770bfc75 7 bytes {MOV EDX, 0xd56368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770bfcf5 7 bytes {MOV EDX, 0xd562e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770bfd0d 7 bytes {MOV EDX, 0xd562a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770bfd59 7 bytes {MOV EDX, 0xd56068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770bfe51 7 bytes {MOV EDX, 0xd560a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000770c00a9 7 bytes {MOV EDX, 0xd56028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770c10b5 7 bytes {MOV EDX, 0xd561e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000770c112d 7 bytes {MOV EDX, 0xd56168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000770c1331 7 bytes {MOV EDX, 0xd560e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770bf9a1 7 bytes {MOV EDX, 0xcd5228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770bfbe5 7 bytes {MOV EDX, 0xcd5268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770bfc15 7 bytes {MOV EDX, 0xcd51a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770bfc2d 7 bytes {MOV EDX, 0xcd5128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770bfc45 7 bytes {MOV EDX, 0xcd5328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770bfc75 7 bytes {MOV EDX, 0xcd5368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770bfcf5 7 bytes {MOV EDX, 0xcd52e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770bfd0d 7 bytes {MOV EDX, 0xcd52a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770bfd59 7 bytes {MOV EDX, 0xcd5068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770bfe51 7 bytes {MOV EDX, 0xcd50a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000770c00a9 7 bytes {MOV EDX, 0xcd5028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770c10b5 7 bytes {MOV EDX, 0xcd51e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000770c112d 7 bytes {MOV EDX, 0xcd5168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000770c1331 7 bytes {MOV EDX, 0xcd50e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770bf9a1 7 bytes {MOV EDX, 0xbb2a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770bfbe5 7 bytes {MOV EDX, 0xbb2a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770bfc15 7 bytes {MOV EDX, 0xbb29a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770bfc2d 7 bytes {MOV EDX, 0xbb2928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770bfc45 7 bytes {MOV EDX, 0xbb2b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770bfc75 7 bytes {MOV EDX, 0xbb2b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770bfcf5 7 bytes {MOV EDX, 0xbb2ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770bfd0d 7 bytes {MOV EDX, 0xbb2aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770bfd59 7 bytes {MOV EDX, 0xbb2868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770bfe51 7 bytes {MOV EDX, 0xbb28a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000770c00a9 7 bytes {MOV EDX, 0xbb2828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770c10b5 7 bytes {MOV EDX, 0xbb29e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000770c112d 7 bytes {MOV EDX, 0xbb2968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000770c1331 7 bytes {MOV EDX, 0xbb28e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770bf9a1 7 bytes {MOV EDX, 0xfed228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770bfbe5 7 bytes {MOV EDX, 0xfed268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770bfc15 7 bytes {MOV EDX, 0xfed1a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770bfc2d 7 bytes {MOV EDX, 0xfed128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770bfc45 7 bytes {MOV EDX, 0xfed328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770bfc75 7 bytes {MOV EDX, 0xfed368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770bfcf5 7 bytes {MOV EDX, 0xfed2e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770bfd0d 7 bytes {MOV EDX, 0xfed2a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770bfd59 7 bytes {MOV EDX, 0xfed068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770bfe51 7 bytes {MOV EDX, 0xfed0a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000770c00a9 7 bytes {MOV EDX, 0xfed028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770c10b5 7 bytes {MOV EDX, 0xfed1e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000770c112d 7 bytes {MOV EDX, 0xfed168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000770c1331 7 bytes {MOV EDX, 0xfed0e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770bf9a1 7 bytes {MOV EDX, 0x688228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770bfbe5 7 bytes {MOV EDX, 0x688268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770bfc15 7 bytes {MOV EDX, 0x6881a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770bfc2d 7 bytes {MOV EDX, 0x688128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770bfc45 7 bytes {MOV EDX, 0x688328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770bfc75 7 bytes {MOV EDX, 0x688368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770bfcf5 7 bytes {MOV EDX, 0x6882e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770bfd0d 7 bytes {MOV EDX, 0x6882a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770bfd59 7 bytes {MOV EDX, 0x688068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770bfe51 7 bytes {MOV EDX, 0x6880a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000770c00a9 7 bytes {MOV EDX, 0x688028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770c10b5 7 bytes {MOV EDX, 0x6881e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000770c112d 7 bytes {MOV EDX, 0x688168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000770c1331 7 bytes {MOV EDX, 0x6880e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 .text C:\Users\Republic Of Gammers\Downloads\OTL.com[848] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000077071465 2 bytes [07, 77] .text C:\Users\Republic Of Gammers\Downloads\OTL.com[848] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000770714bb 2 bytes [07, 77] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [460:2760] 000007fef7bc9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3400:3512] 000007fefb6a2ab8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3400:3540] 000007fef27fd618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3400:1624] 000007fef2799730 ---- Files - GMER 2.1 ---- File C:\ProgramData\IObit\Protected Folder\config.ini 57 bytes File C:\ProgramData\IObit\Protected Folder\drawposs.db 21 bytes File C:\ProgramData\IObit\Protected Folder\fstile.cds 2 bytes ---- EOF - GMER 2.1 ----