GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-12 13:28:04 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST250DM0 rev.HP73 232,89GB Running: zx3xr63k.exe; Driver: C:\Users\J92E0~1.RYC\AppData\Local\Temp\fxloapoc.sys ---- System - GMER 2.1 ---- SSDT 87F6C918 ZwAlertResumeThread SSDT 87F6C9F8 ZwAlertThread SSDT 87F6B718 ZwAllocateVirtualMemory SSDT 87C69210 ZwAlpcConnectPort SSDT 87F6C0C0 ZwAssignProcessToJobObject SSDT 87F6C668 ZwCreateMutant SSDT 87F6DD90 ZwCreateSymbolicLinkObject SSDT 87F6BB60 ZwCreateThread SSDT 87F6DE80 ZwCreateThreadEx SSDT 87F6C1A0 ZwDebugActiveProcess SSDT 87F6B8A8 ZwDuplicateObject SSDT 87F6B4F0 ZwFreeVirtualMemory SSDT 87F6C758 ZwImpersonateAnonymousToken SSDT 87F6C838 ZwImpersonateThread SSDT 87C5FC58 ZwLoadDriver SSDT 87F6C008 ZwMapViewOfSection SSDT 87F6C588 ZwOpenEvent SSDT 87F6BA48 ZwOpenProcess SSDT 87F6B7E8 ZwOpenProcessToken SSDT 87F6C3C8 ZwOpenSection SSDT 87F6B978 ZwOpenThread SSDT 87F6DF80 ZwProtectVirtualMemory SSDT 87F6CAD8 ZwResumeThread SSDT 87F6CD78 ZwSetContextThread SSDT 87F6CE58 ZwSetInformationProcess SSDT 87F6C280 ZwSetSystemInformation SSDT 87F6C4A8 ZwSuspendProcess SSDT 87F6CBB8 ZwSuspendThread SSDT 87F6A4A0 ZwTerminateProcess SSDT 87F6CC98 ZwTerminateThread SSDT 87F6CF48 ZwUnmapViewOfSection SSDT 87F6B5E0 ZwWriteVirtualMemory ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8304C9E9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830861C2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 8308D1F0 8 Bytes [18, C9, F6, 87, F8, C9, F6, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 8308D208 4 Bytes [18, B7, F6, 87] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 8308D214 4 Bytes [10, 92, C6, 87] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 8308D268 4 Bytes [C0, C0, F6, 87] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 8308D2E4 4 Bytes [68, C6, F6, 87] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe[392] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe[392] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\services.exe[624] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\services.exe[624] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\winlogon.exe[664] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\winlogon.exe[664] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\lsm.exe[676] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\lsm.exe[676] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\UltraVNC\winvnc.exe[736] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\UltraVNC\winvnc.exe[736] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\svchost.exe[792] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\svchost.exe[792] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\svchost.exe[868] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\svchost.exe[868] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\System32\svchost.exe[960] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\System32\svchost.exe[960] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\System32\svchost.exe[1040] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\System32\svchost.exe[1040] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\svchost.exe[1076] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\svchost.exe[1076] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\svchost.exe[1204] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\svchost.exe[1204] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\svchost.exe[1276] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\svchost.exe[1276] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\svchost.exe[1396] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\svchost.exe[1396] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\System32\igfxtray.exe[1540] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\System32\igfxtray.exe[1540] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\System32\spoolsv.exe[1576] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\System32\spoolsv.exe[1576] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe[1584] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe[1584] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\svchost.exe[1632] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\svchost.exe[1632] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\Dwm.exe[1668] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\Dwm.exe[1668] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\HP\HPBDSService\HPBDSService.exe[1812] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\HP\HPBDSService\HPBDSService.exe[1812] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\IProsetMonitor.exe[1928] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\IProsetMonitor.exe[1928] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2024] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2024] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\hp\HP Software Update\hpwuschd2.exe[2224] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\hp\HP Software Update\hpwuschd2.exe[2224] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Windows Sidebar\sidebar.exe[2280] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Windows Sidebar\sidebar.exe[2280] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\wbem\wmiprvse.exe[2448] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\wbem\wmiprvse.exe[2448] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\Smc.exe[2536] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\Smc.exe[2536] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\svchost.exe[2604] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\svchost.exe[2604] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2748] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2748] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\System32\hkcmd.exe[2844] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\System32\hkcmd.exe[2844] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\wbem\unsecapp.exe[3020] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\wbem\unsecapp.exe[3020] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\taskhost.exe[3064] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\taskhost.exe[3064] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\System32\igfxpers.exe[3452] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\System32\igfxpers.exe[3452] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\Explorer.EXE[3552] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\Explorer.EXE[3552] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe[3772] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe[3772] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\svchost.exe[3776] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\svchost.exe[3776] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe[3804] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe[3804] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3888] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3888] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[3920] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[3920] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3956] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3956] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4128] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4128] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[6648] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[6648] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\SearchIndexer.exe[11904] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\SearchIndexer.exe[11904] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[12292] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[12292] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[37600] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[37600] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[37600] kernel32.dll!SetUnhandledExceptionFilter 76A3F4FB 5 Bytes JMP 5D7B856D C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll .text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[37600] ole32.dll!OleLoadFromStream 76896143 5 Bytes JMP 5DCEFA9A C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll .text C:\Program Files\UltraVNC\winvnc.exe[46196] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\UltraVNC\winvnc.exe[46196] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\System32\WUDFHost.exe[51996] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\System32\WUDFHost.exe[51996] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\AUDIODG.EXE[56184] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\AUDIODG.EXE[56184] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Mozilla Firefox\firefox.exe[57904] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Program Files\Mozilla Firefox\firefox.exe[57904] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Program Files\Mozilla Firefox\firefox.exe[57904] ntdll.dll!LdrGetProcedureAddress + 26 77402239 7 Bytes JMP 586F5B00 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[57904] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76A3941E 7 Bytes JMP 58937B35 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[57904] kernel32.dll!QueryPerformanceCounter + 13 76A3C435 7 Bytes JMP 58937B58 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[57904] kernel32.dll!LoadAppInitDlls + 355 76A3F4F6 7 Bytes JMP 586FEF12 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[57904] GDI32.dll!GetViewportOrgEx + 26C 76BF884B 7 Bytes JMP 58937AB6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\ProgramData\BrowserProtect\2.6.1125.80\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[58320] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\ProgramData\BrowserProtect\2.6.1125.80\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[58320] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\schtasks.exe[58364] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\schtasks.exe[58364] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\conhost.exe[58408] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\conhost.exe[58408] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\ProgramData\BrowserProtect\2.6.1125.80\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[58416] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\ProgramData\BrowserProtect\2.6.1125.80\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[58416] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\ProgramData\BrowserProtect\2.6.1125.80\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[58416] USER32.dll!DialogBoxParamW 75853B9B 5 Bytes JMP 61274620 C:\ProgramData\BrowserProtect\2.6.1125.80\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.dll .text C:\Windows\system32\taskeng.exe[58820] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\taskeng.exe[58820] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Users\j.rychcinski\Downloads\zx3xr63k.exe[59204] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Users\j.rychcinski\Downloads\zx3xr63k.exe[59204] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL .text C:\Windows\system32\wuauclt.exe[62564] ntdll.dll!KiFastSystemCall 773E7090 2 Bytes [EB, 03] {JMP 0x5} .text C:\Windows\system32\wuauclt.exe[62564] ntdll.dll!KiFastSystemCallRet + 1 773E7095 11 Bytes JMP 754110F0 C:\Windows\System32\SYSFER.DLL ---- Devices - GMER 2.1 ---- Device \Driver\mountmgr \Device\MountPointManager SysPlant.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- EOF - GMER 2.1 ----