GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-20 16:51:46 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 Maxtor_6Y080M0 rev.YAR51HW0 76,34GB Running: s4w7ykcp.exe; Driver: C:\Users\maly\AppData\Local\Temp\aftciaoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\DrWeb\dwservice.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 139 00000000775a307b 7 bytes JMP 0000000100031af0 .text C:\Program Files\DrWeb\frwl_svc.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 139 00000000775a307b 7 bytes JMP 0000000100031af0 .text C:\Program Files\DrWeb\dwnetfilter.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 139 00000000775a307b 7 bytes JMP 0000000100031af0 .text C:\Program Files\DrWeb\spideragent.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 139 00000000775a307b 7 bytes JMP 0000000100031af0 .text C:\Program Files\DrWeb\spideragent.exe[2924] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077469690 3 bytes [33, C0, C3] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077721401 2 bytes JMP 7727eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077721419 2 bytes JMP 7728b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077721431 2 bytes JMP 77308609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007772144a 2 bytes CALL 77261dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777214dd 2 bytes JMP 77307efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777214f5 2 bytes JMP 773080d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007772150d 2 bytes JMP 77307df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077721525 2 bytes JMP 773081c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007772153d 2 bytes JMP 7727f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077721555 2 bytes JMP 7728b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007772156d 2 bytes JMP 773086c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077721585 2 bytes JMP 77308222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007772159d 2 bytes JMP 77307db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777215b5 2 bytes JMP 7727f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777215cd 2 bytes JMP 7728b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777216b2 2 bytes JMP 77308584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777216bd 2 bytes JMP 77307d4d C:\Windows\syswow64\kernel32.dll ? C:\Windows\system32\mssprxy.dll [3764] entry point in ".rdata" section 0000000073aa71e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007776f951 7 bytes {MOV EDX, 0x75e628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007776fb95 7 bytes {MOV EDX, 0x75e668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007776fbc5 7 bytes {MOV EDX, 0x75e5a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007776fbdd 7 bytes {MOV EDX, 0x75e528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007776fbf5 7 bytes {MOV EDX, 0x75e728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007776fc25 7 bytes {MOV EDX, 0x75e768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007776fca5 7 bytes {MOV EDX, 0x75e6e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007776fcbd 7 bytes {MOV EDX, 0x75e6a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007776fd09 7 bytes {MOV EDX, 0x75e468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007776fe01 7 bytes {MOV EDX, 0x75e4a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077770059 7 bytes {MOV EDX, 0x75e428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077771065 7 bytes {MOV EDX, 0x75e5e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000777710dd 7 bytes {MOV EDX, 0x75e568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000777712e1 7 bytes {MOV EDX, 0x75e4e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007776f951 7 bytes {MOV EDX, 0xd4d228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007776fb95 7 bytes {MOV EDX, 0xd4d268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007776fbc5 7 bytes {MOV EDX, 0xd4d1a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007776fbdd 7 bytes {MOV EDX, 0xd4d128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007776fbf5 7 bytes {MOV EDX, 0xd4d328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007776fc25 7 bytes {MOV EDX, 0xd4d368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007776fca5 7 bytes {MOV EDX, 0xd4d2e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007776fcbd 7 bytes {MOV EDX, 0xd4d2a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007776fd09 7 bytes {MOV EDX, 0xd4d068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007776fe01 7 bytes {MOV EDX, 0xd4d0a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077770059 7 bytes {MOV EDX, 0xd4d028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077771065 7 bytes {MOV EDX, 0xd4d1e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000777710dd 7 bytes {MOV EDX, 0xd4d168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000777712e1 7 bytes {MOV EDX, 0xd4d0e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077721401 2 bytes JMP 7727eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077721419 2 bytes JMP 7728b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077721431 2 bytes JMP 77308609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007772144a 2 bytes CALL 77261dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777214dd 2 bytes JMP 77307efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777214f5 2 bytes JMP 773080d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007772150d 2 bytes JMP 77307df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077721525 2 bytes JMP 773081c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007772153d 2 bytes JMP 7727f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077721555 2 bytes JMP 7728b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007772156d 2 bytes JMP 773086c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077721585 2 bytes JMP 77308222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007772159d 2 bytes JMP 77307db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777215b5 2 bytes JMP 7727f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777215cd 2 bytes JMP 7728b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777216b2 2 bytes JMP 77308584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777216bd 2 bytes JMP 77307d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007776f951 7 bytes {MOV EDX, 0x284a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007776fb95 7 bytes {MOV EDX, 0x284a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007776fbc5 7 bytes {MOV EDX, 0x2849a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007776fbdd 7 bytes {MOV EDX, 0x284928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007776fbf5 7 bytes {MOV EDX, 0x284b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007776fc25 7 bytes {MOV EDX, 0x284b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007776fca5 7 bytes {MOV EDX, 0x284ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007776fcbd 7 bytes {MOV EDX, 0x284aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007776fd09 7 bytes {MOV EDX, 0x284868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007776fe01 7 bytes {MOV EDX, 0x2848a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077770059 7 bytes {MOV EDX, 0x284828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077771065 7 bytes {MOV EDX, 0x2849e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000777710dd 7 bytes {MOV EDX, 0x284968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000777712e1 7 bytes {MOV EDX, 0x2848e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077721401 2 bytes JMP 7727eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077721419 2 bytes JMP 7728b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077721431 2 bytes JMP 77308609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007772144a 2 bytes CALL 77261dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777214dd 2 bytes JMP 77307efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777214f5 2 bytes JMP 773080d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007772150d 2 bytes JMP 77307df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077721525 2 bytes JMP 773081c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007772153d 2 bytes JMP 7727f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077721555 2 bytes JMP 7728b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007772156d 2 bytes JMP 773086c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077721585 2 bytes JMP 77308222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007772159d 2 bytes JMP 77307db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777215b5 2 bytes JMP 7727f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777215cd 2 bytes JMP 7728b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777216b2 2 bytes JMP 77308584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777216bd 2 bytes JMP 77307d4d C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000077721401 2 bytes JMP 7727eb26 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000077721419 2 bytes JMP 7728b513 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000077721431 2 bytes JMP 77308609 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 000000007772144a 2 bytes CALL 77261dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000777214dd 2 bytes JMP 77307efe C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000777214f5 2 bytes JMP 773080d8 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 000000007772150d 2 bytes JMP 77307df4 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000077721525 2 bytes JMP 773081c2 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 000000007772153d 2 bytes JMP 7727f088 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000077721555 2 bytes JMP 7728b885 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 000000007772156d 2 bytes JMP 773086c1 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000077721585 2 bytes JMP 77308222 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 000000007772159d 2 bytes JMP 77307db8 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000777215b5 2 bytes JMP 7727f121 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000777215cd 2 bytes JMP 7728b29f C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 00000000777216b2 2 bytes JMP 77308584 C:\Windows\syswow64\kernel32.dll .text C:\Users\maly\Downloads\OTL.exe[2728] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000777216bd 2 bytes JMP 77307d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007776f951 7 bytes {MOV EDX, 0xa65628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007776fb95 7 bytes {MOV EDX, 0xa65668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007776fbc5 7 bytes {MOV EDX, 0xa655a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007776fbdd 7 bytes {MOV EDX, 0xa65528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007776fbf5 7 bytes {MOV EDX, 0xa65728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007776fc25 7 bytes {MOV EDX, 0xa65768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007776fca5 7 bytes {MOV EDX, 0xa656e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007776fcbd 7 bytes {MOV EDX, 0xa656a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007776fd09 7 bytes {MOV EDX, 0xa65468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007776fe01 7 bytes {MOV EDX, 0xa654a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077770059 7 bytes {MOV EDX, 0xa65428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077771065 7 bytes {MOV EDX, 0xa655e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000777710dd 7 bytes {MOV EDX, 0xa65568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000777712e1 7 bytes {MOV EDX, 0xa654e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077721401 2 bytes JMP 7727eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077721419 2 bytes JMP 7728b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077721431 2 bytes JMP 77308609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007772144a 2 bytes CALL 77261dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777214dd 2 bytes JMP 77307efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777214f5 2 bytes JMP 773080d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007772150d 2 bytes JMP 77307df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077721525 2 bytes JMP 773081c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007772153d 2 bytes JMP 7727f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077721555 2 bytes JMP 7728b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007772156d 2 bytes JMP 773086c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077721585 2 bytes JMP 77308222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007772159d 2 bytes JMP 77307db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777215b5 2 bytes JMP 7727f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777215cd 2 bytes JMP 7728b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777216b2 2 bytes JMP 77308584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777216bd 2 bytes JMP 77307d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files\DrWeb\SpiderAgent_Adm.exe[472] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077469690 3 bytes [33, C0, C3] .text C:\Program Files\DrWeb\spideragent.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 139 00000000775a307b 7 bytes JMP 0000000100031af0 .text C:\Program Files\DrWeb\spideragent.exe[2544] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077469690 3 bytes [33, C0, C3] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\tunnel.sys[NDIS.SYS!NdisMSetMiniportAttributes] [fffff8800113be50] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\tunnel.sys[NDIS.SYS!NdisMDeregisterMiniportDriver] [fffff8800113bed0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\tunnel.sys[NDIS.SYS!NdisMRegisterMiniportDriver] [fffff8800113bcf0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\tunnel.sys[NDIS.SYS!NdisMIndicateReceiveNetBufferLists] [fffff880010f5f50] \SystemRoot\system32\drivers\DrWebLwf.sys [.text] IAT C:\Windows\system32\DRIVERS\tunnel.sys[NDIS.SYS!NdisMSendNetBufferListsComplete] [fffff880010f5d40] \SystemRoot\system32\drivers\DrWebLwf.sys [.text] IAT C:\Windows\system32\DRIVERS\AgileVpn.sys[NDIS.SYS!NdisMSetMiniportAttributes] [fffff8800113be50] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\AgileVpn.sys[NDIS.SYS!NdisSetOptionalHandlers] [fffff880010f60d0] \SystemRoot\system32\drivers\DrWebLwf.sys [.text] IAT C:\Windows\system32\DRIVERS\AgileVpn.sys[NDIS.SYS!NdisMCoIndicateReceiveNetBufferLists] [fffff880010f5df0] \SystemRoot\system32\drivers\DrWebLwf.sys [.text] IAT C:\Windows\system32\DRIVERS\AgileVpn.sys[NDIS.SYS!NdisMRegisterMiniportDriver] [fffff8800113bcf0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\AgileVpn.sys[NDIS.SYS!NdisMDeregisterMiniportDriver] [fffff8800113bed0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [fffff8800113bef0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [fffff880010f3a60] \SystemRoot\system32\drivers\DrWebLwf.sys [.text] IAT C:\Windows\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisTerminateWrapper] [fffff8800113c0a0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterUnloadHandler] [fffff8800113c050] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisTerminateWrapper] [fffff8800113c0a0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [fffff880010f3a60] \SystemRoot\system32\drivers\DrWebLwf.sys [.text] IAT C:\Windows\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [fffff8800113bef0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterUnloadHandler] [fffff8800113c050] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMRegisterUnloadHandler] [fffff8800113c050] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisTerminateWrapper] [fffff8800113c0a0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMRegisterMiniport] [fffff8800113bef0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMSetAttributesEx] [fffff880010f3a60] \SystemRoot\system32\drivers\DrWebLwf.sys [.text] IAT C:\Windows\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [fffff880010f3a60] \SystemRoot\system32\drivers\DrWebLwf.sys [.text] IAT C:\Windows\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisTerminateWrapper] [fffff8800113c0a0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [fffff8800113bef0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterUnloadHandler] [fffff8800113c050] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\rassstp.sys[NDIS.SYS!NdisMSetAttributesEx] [fffff880010f3a60] \SystemRoot\system32\drivers\DrWebLwf.sys [.text] IAT C:\Windows\system32\DRIVERS\rassstp.sys[NDIS.SYS!NdisTerminateWrapper] [fffff8800113c0a0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\rassstp.sys[NDIS.SYS!NdisMRegisterMiniport] [fffff8800113bef0] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] IAT C:\Windows\system32\DRIVERS\rassstp.sys[NDIS.SYS!NdisMRegisterUnloadHandler] [fffff8800113c050] \SystemRoot\system32\drivers\DrWebLwf.sys [PAGE] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [824:376] 000007fefc768e80 Thread C:\Windows\system32\svchost.exe [824:2732] 000007fefc768e80 Thread C:\Windows\system32\svchost.exe [896:2024] 000007fef97e0ea8 Thread C:\Windows\system32\svchost.exe [896:2028] 000007fef97d9db0 Thread C:\Windows\system32\svchost.exe [896:2144] 000007fef97daa10 Thread C:\Windows\system32\svchost.exe [896:2160] 000007fef97e1c94 Thread C:\Windows\system32\svchost.exe [896:3392] 000007fef16fd3c8 Thread C:\Windows\system32\svchost.exe [896:3396] 000007fef16fd3c8 Thread C:\Windows\system32\svchost.exe [896:3400] 000007fef16fd3c8 Thread C:\Windows\system32\svchost.exe [896:3404] 000007fef16fd3c8 Thread C:\Windows\system32\svchost.exe [1128:1592] 000007fefa10f978 Thread C:\Windows\system32\svchost.exe [1128:2008] 000007fef74afd00 Thread C:\Windows\system32\svchost.exe [1128:3152] 000007fefa0a5124 Thread C:\Windows\System32\spoolsv.exe [1276:2012] 000007fef91710c8 Thread C:\Windows\System32\spoolsv.exe [1276:1680] 000007fef9136144 Thread C:\Windows\System32\spoolsv.exe [1276:1736] 000007fef8e25fd0 Thread C:\Windows\System32\spoolsv.exe [1276:1752] 000007fef8e13438 Thread C:\Windows\System32\spoolsv.exe [1276:1788] 000007fef8e263ec Thread C:\Windows\System32\spoolsv.exe [1276:1764] 000007fefa3c5e5c Thread C:\Windows\System32\spoolsv.exe [1276:1876] 000007fefa3f4828 Thread C:\Windows\system32\svchost.exe [1304:1448] 000007fefa773060 Thread C:\Windows\system32\svchost.exe [1304:2272] 000007fefa775570 Thread C:\Windows\system32\svchost.exe [1304:2360] 000007fef8102940 Thread C:\Windows\system32\svchost.exe [1304:2364] 000007fef80e2888 Thread C:\Windows\system32\svchost.exe [1304:2436] 000007fef80e2a40 Thread C:\Windows\system32\svchost.exe [1584:1640] 000007feff86a808 Thread C:\Windows\system32\svchost.exe [1584:1716] 000007fef9e16f00 Thread C:\Windows\system32\svchost.exe [1584:1720] 000007fef9e0d390 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2744:3208] 000007fefbaa2a74 Thread C:\Windows\system32\svchost.exe [2952:3144] 000007fef0c58470 Thread C:\Windows\system32\svchost.exe [2952:3148] 000007fef0c62418 Thread C:\Windows\system32\svchost.exe [2952:3304] 000007fef8e25fd0 Thread C:\Windows\system32\svchost.exe [2952:3312] 000007fef8e263ec ---- EOF - GMER 2.1 ----