GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-24 12:57:40 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320423AS rev.D005SDM1 298,09GB Running: 5n5c5k19.exe; Driver: C:\Users\Natalia\AppData\Local\Temp\kxtdqpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2008] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2008] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75] .text ... * 2 .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75] .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [1152] entry point in ".rdata" section 000000006a8c71e6 .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0x614e28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0x614e68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0x614da8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0x614d28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0x614f28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0x614f68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0x614ee8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0x614ea8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0x614c68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0x614ca8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0x614c28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0x614de8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0x614d68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0x614ce8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75] .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75] .text ... * 2 .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0x697a28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0x697a68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0x6979a8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0x697928; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0x697b28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0x697b68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0x697ae8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0x697aa8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0x697868; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0x6978a8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0x697828; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0x6979e8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0x697968; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0x6978e8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75] .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75] .text ... * 2 .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0x3fbe28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0x3fbe68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0x3fbda8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0x3fbd28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0x3fbf28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0x3fbf68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0x3fbee8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0x3fbea8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0x3fbc68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0x3fbca8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0x3fbc28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0x3fbde8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0x3fbd68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0x3fbce8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75] .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75] .text ... * 2 .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0xc14a28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0xc14a68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0xc149a8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0xc14928; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0xc14b28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0xc14b68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0xc14ae8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0xc14aa8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0xc14868; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0xc148a8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0xc14828; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0xc149e8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0xc14968; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0xc148e8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75] .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[1500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75] .text ... * 2 .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0x24ce28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0x24ce68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0x24cda8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0x24cd28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0x24cf28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0x24cf68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0x24cee8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0x24cea8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0x24cc68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0x24cca8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0x24cc28; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0x24cde8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0x24cd68; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0x24cce8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75] .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75] .text ... * 2 .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0x1b7228; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0x1b7268; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0x1b71a8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0x1b7128; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0x1b7328; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0x1b7368; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0x1b72e8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0x1b72a8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0x1b7068; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0x1b70a8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0x1b7028; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0x1b71e8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0x1b7168; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0x1b70e8; JMP RDX} .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75] .text C:\Users\Natalia\AppData\Local\Google\Chrome\Application\chrome.exe[2680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3880:2312] 000007fefb1b2a7c ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{08944BEE-D928-4CB1-8F24-55EA285CC31C}\Connection@Name isatap.{E0120EA7-965C-4835-A851-65D978AA7C16} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{08944BEE-D928-4CB1-8F24-55EA285CC31C}?\Device\{C7DC050F-7B68-49E7-B84E-C44EFD97552A}?\Device\{F80E6024-4990-4018-BC98-6BE5CF42DB2B}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{08944BEE-D928-4CB1-8F24-55EA285CC31C}"?"{C7DC050F-7B68-49E7-B84E-C44EFD97552A}"?"{F80E6024-4990-4018-BC98-6BE5CF42DB2B}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{08944BEE-D928-4CB1-8F24-55EA285CC31C}?\Device\TCPIP6TUNNEL_{C7DC050F-7B68-49E7-B84E-C44EFD97552A}?\Device\TCPIP6TUNNEL_{F80E6024-4990-4018-BC98-6BE5CF42DB2B}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{08944BEE-D928-4CB1-8F24-55EA285CC31C}@InterfaceName isatap.{E0120EA7-965C-4835-A851-65D978AA7C16} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{08944BEE-D928-4CB1-8F24-55EA285CC31C}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x23 0x4B 0x53 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x23 0x4B 0x53 ... ---- EOF - GMER 2.1 ----