GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-20 13:52:55 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB Running: 7g3dpu6y.exe; Driver: C:\Users\User\AppData\Local\Temp\fxldrpog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800037eb000 45 bytes [00, 10, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff800037eb02f 16 bytes [00, 00, 10, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[1452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076201465 2 bytes [20, 76] .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[1452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762014bb 2 bytes [20, 76] .text ... * 2 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[4472] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000076201465 2 bytes [20, 76] .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[4472] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000762014bb 2 bytes [20, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076201465 2 bytes [20, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762014bb 2 bytes [20, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [4952] entry point in ".rdata" section 00000000737e71e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a3f991 7 bytes {MOV EDX, 0xc2da28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a3fbd5 7 bytes {MOV EDX, 0xc2da68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a3fc05 7 bytes {MOV EDX, 0xc2d9a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a3fc1d 7 bytes {MOV EDX, 0xc2d928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a3fc35 7 bytes {MOV EDX, 0xc2db28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a3fc65 7 bytes {MOV EDX, 0xc2db68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a3fce5 7 bytes {MOV EDX, 0xc2dae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a3fcfd 7 bytes {MOV EDX, 0xc2daa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a3fd49 7 bytes {MOV EDX, 0xc2d868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a3fe41 7 bytes {MOV EDX, 0xc2d8a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a40099 7 bytes {MOV EDX, 0xc2d828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a410a5 7 bytes {MOV EDX, 0xc2d9e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a4111d 7 bytes {MOV EDX, 0xc2d968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a41321 7 bytes {MOV EDX, 0xc2d8e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076201465 2 bytes [20, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762014bb 2 bytes [20, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a3f991 7 bytes {MOV EDX, 0x1035e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a3fbd5 7 bytes {MOV EDX, 0x1035e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a3fc05 7 bytes {MOV EDX, 0x1035da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a3fc1d 7 bytes {MOV EDX, 0x1035d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a3fc35 7 bytes {MOV EDX, 0x1035f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a3fc65 7 bytes {MOV EDX, 0x1035f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a3fce5 7 bytes {MOV EDX, 0x1035ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a3fcfd 7 bytes {MOV EDX, 0x1035ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a3fd49 7 bytes {MOV EDX, 0x1035c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a3fe41 7 bytes {MOV EDX, 0x1035ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a40099 7 bytes {MOV EDX, 0x1035c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a410a5 7 bytes {MOV EDX, 0x1035de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a4111d 7 bytes {MOV EDX, 0x1035d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a41321 7 bytes {MOV EDX, 0x1035ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076201465 2 bytes [20, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762014bb 2 bytes [20, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a3f991 7 bytes {MOV EDX, 0xab0a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a3fbd5 7 bytes {MOV EDX, 0xab0a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a3fc05 7 bytes {MOV EDX, 0xab09a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a3fc1d 7 bytes {MOV EDX, 0xab0928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a3fc35 7 bytes {MOV EDX, 0xab0b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a3fc65 7 bytes {MOV EDX, 0xab0b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a3fce5 7 bytes {MOV EDX, 0xab0ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a3fcfd 7 bytes {MOV EDX, 0xab0aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a3fd49 7 bytes {MOV EDX, 0xab0868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a3fe41 7 bytes {MOV EDX, 0xab08a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a40099 7 bytes {MOV EDX, 0xab0828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a410a5 7 bytes {MOV EDX, 0xab09e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a4111d 7 bytes {MOV EDX, 0xab0968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a41321 7 bytes {MOV EDX, 0xab08e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076201465 2 bytes [20, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762014bb 2 bytes [20, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a3f991 7 bytes {MOV EDX, 0x5fba28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a3fbd5 7 bytes {MOV EDX, 0x5fba68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a3fc05 7 bytes {MOV EDX, 0x5fb9a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a3fc1d 7 bytes {MOV EDX, 0x5fb928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a3fc35 7 bytes {MOV EDX, 0x5fbb28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a3fc65 7 bytes {MOV EDX, 0x5fbb68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a3fce5 7 bytes {MOV EDX, 0x5fbae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a3fcfd 7 bytes {MOV EDX, 0x5fbaa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a3fd49 7 bytes {MOV EDX, 0x5fb868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a3fe41 7 bytes {MOV EDX, 0x5fb8a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a40099 7 bytes {MOV EDX, 0x5fb828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a410a5 7 bytes {MOV EDX, 0x5fb9e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a4111d 7 bytes {MOV EDX, 0x5fb968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a41321 7 bytes {MOV EDX, 0x5fb8e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076201465 2 bytes [20, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762014bb 2 bytes [20, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a3f991 7 bytes {MOV EDX, 0xba7a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a3fbd5 7 bytes {MOV EDX, 0xba7a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a3fc05 7 bytes {MOV EDX, 0xba79a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a3fc1d 7 bytes {MOV EDX, 0xba7928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a3fc35 7 bytes {MOV EDX, 0xba7b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a3fc65 7 bytes {MOV EDX, 0xba7b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a3fce5 7 bytes {MOV EDX, 0xba7ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a3fcfd 7 bytes {MOV EDX, 0xba7aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a3fd49 7 bytes {MOV EDX, 0xba7868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a3fe41 7 bytes {MOV EDX, 0xba78a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a40099 7 bytes {MOV EDX, 0xba7828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a410a5 7 bytes {MOV EDX, 0xba79e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a4111d 7 bytes {MOV EDX, 0xba7968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a41321 7 bytes {MOV EDX, 0xba78e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076201465 2 bytes [20, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762014bb 2 bytes [20, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a3f991 7 bytes {MOV EDX, 0xd92228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a3fbd5 7 bytes {MOV EDX, 0xd92268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a3fc05 7 bytes {MOV EDX, 0xd921a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a3fc1d 7 bytes {MOV EDX, 0xd92128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a3fc35 7 bytes {MOV EDX, 0xd92328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a3fc65 7 bytes {MOV EDX, 0xd92368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a3fce5 7 bytes {MOV EDX, 0xd922e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a3fcfd 7 bytes {MOV EDX, 0xd922a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a3fd49 7 bytes {MOV EDX, 0xd92068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a3fe41 7 bytes {MOV EDX, 0xd920a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a40099 7 bytes {MOV EDX, 0xd92028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a410a5 7 bytes {MOV EDX, 0xd921e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a4111d 7 bytes {MOV EDX, 0xd92168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a41321 7 bytes {MOV EDX, 0xd920e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076201465 2 bytes [20, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762014bb 2 bytes [20, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a3f991 3 bytes [BA, 28, 62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 9 0000000077a3f995 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a3fbd5 3 bytes [BA, 68, 62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 9 0000000077a3fbd9 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a3fc05 3 bytes [BA, A8, 61] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 9 0000000077a3fc09 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a3fc1d 3 bytes [BA, 28, 61] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 9 0000000077a3fc21 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a3fc35 3 bytes [BA, 28, 63] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 9 0000000077a3fc39 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a3fc65 3 bytes [BA, 68, 63] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 9 0000000077a3fc69 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a3fce5 3 bytes [BA, E8, 62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 9 0000000077a3fce9 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a3fcfd 3 bytes [BA, A8, 62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 9 0000000077a3fd01 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a3fd49 3 bytes [BA, 68, 60] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 9 0000000077a3fd4d 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a3fe41 3 bytes [BA, A8, 60] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 9 0000000077a3fe45 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a40099 3 bytes [BA, 28, 60] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 9 0000000077a4009d 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a410a5 3 bytes [BA, E8, 61] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 9 0000000077a410a9 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a4111d 3 bytes [BA, 68, 61] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 9 0000000077a41121 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a41321 3 bytes [BA, E8, 60] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 9 0000000077a41325 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076201465 2 bytes [20, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762014bb 2 bytes [20, 76] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\spoolsv.exe [1792:2852] 000007fef68210c8 Thread C:\Windows\System32\spoolsv.exe [1792:2856] 000007fef67e6144 Thread C:\Windows\System32\spoolsv.exe [1792:2860] 000007fef65d5fd0 Thread C:\Windows\System32\spoolsv.exe [1792:2864] 000007fef65c3438 Thread C:\Windows\System32\spoolsv.exe [1792:2868] 000007fef65d63ec Thread C:\Windows\System32\spoolsv.exe [1792:2880] 000007fef68b5e5c Thread C:\Windows\System32\spoolsv.exe [1792:2884] 000007fef68e5074 Thread C:\Program Files\Windows Sidebar\sidebar.exe [3316:3564] 000007fef9b5818c Thread C:\Program Files\Windows Sidebar\sidebar.exe [3316:4100] 000007fefa371ebc ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{B4C7AFA9-6DF7-40B7-91A7-52576584C081}\Connection@Name isatap.{B51384AF-B1F3-4D82-9894-30020C8E4853} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{49AD5982-8A3F-4B3F-AEF2-16AFB4A2BF8C}?\Device\{1394FD2F-4496-4E11-B402-34D04A37F298}?\Device\{B4C7AFA9-6DF7-40B7-91A7-52576584C081}?\Device\{542A19CB-2FF7-4486-9802-AC8520A79F64}?\Device\{D542FB2B-3CBD-4B5F-9A80-AC9ABC0DEDB5}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{49AD5982-8A3F-4B3F-AEF2-16AFB4A2BF8C}"?"{1394FD2F-4496-4E11-B402-34D04A37F298}"?"{B4C7AFA9-6DF7-40B7-91A7-52576584C081}"?"{542A19CB-2FF7-4486-9802-AC8520A79F64}"?"{D542FB2B-3CBD-4B5F-9A80-AC9ABC0DEDB5}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{49AD5982-8A3F-4B3F-AEF2-16AFB4A2BF8C}?\Device\TCPIP6TUNNEL_{1394FD2F-4496-4E11-B402-34D04A37F298}?\Device\TCPIP6TUNNEL_{B4C7AFA9-6DF7-40B7-91A7-52576584C081}?\Device\TCPIP6TUNNEL_{542A19CB-2FF7-4486-9802-AC8520A79F64}?\Device\TCPIP6TUNNEL_{D542FB2B-3CBD-4B5F-9A80-AC9ABC0DEDB5}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3adf5ed Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b34df6 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b34df6@0022981b1fc6 0x37 0x54 0x76 0x47 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b34df6@002403caccdb 0x4C 0xA2 0x95 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b34df6@7d552acc6601 0xA4 0x1A 0x49 0x36 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b34df6@40ba6107b688 0xD2 0x12 0xDD 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b34df6@0013f306e609 0xDA 0xCC 0xCE 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b34df6@b4b362c05346 0xBC 0x16 0x4F 0xD8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{B4C7AFA9-6DF7-40B7-91A7-52576584C081}@InterfaceName isatap.{B51384AF-B1F3-4D82-9894-30020C8E4853} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{B4C7AFA9-6DF7-40B7-91A7-52576584C081}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3adf5ed (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b34df6 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b34df6@0022981b1fc6 0x37 0x54 0x76 0x47 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b34df6@002403caccdb 0x4C 0xA2 0x95 0x27 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b34df6@7d552acc6601 0xA4 0x1A 0x49 0x36 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b34df6@40ba6107b688 0xD2 0x12 0xDD 0xBF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b34df6@0013f306e609 0xDA 0xCC 0xCE 0x2D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b34df6@b4b362c05346 0xBC 0x16 0x4F 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x12 0xAD 0xEE 0x1E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x19 0x85 0x90 0x39 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x64 0xFD 0x0E 0x16 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x49 0x5C 0xA2 0xEA ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xF4 0xA6 0x9E 0x33 ... ---- EOF - GMER 2.1 ----