GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-25 11:48:57 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: m17exmnn.exe; Driver: C:\Users\v\AppData\Local\Temp\uxldipog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\windows\System32\win32k.sys!W32pServiceTable fffff960000d4000 7 bytes [80, 93, F3, FF, 01, 9D, F0] .text C:\windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000d4008 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076de6f80 5 bytes JMP 0000000169ff0038 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd0f9940 5 bytes JMP 000007fffd0300b8 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd0fbbb0 5 bytes JMP 000007fffd030038 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd4a7490 5 bytes JMP 000007fffd030138 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\WINMM.dll!waveOutReset 000007fef8cca38c 5 bytes JMP 000007fefd0302b8 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\WINMM.dll!waveOutPause 000007fef8ce4b60 5 bytes JMP 000007fefd030238 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef8ce4ba0 5 bytes JMP 000007fefd0301b8 .text C:\windows\system32\Dwm.exe[1968] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076de6f80 5 bytes JMP 0000000169ff0038 .text C:\windows\system32\Dwm.exe[1968] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd0f9940 5 bytes JMP 000007fffd0e00b8 .text C:\windows\system32\Dwm.exe[1968] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd0fbbb0 5 bytes JMP 000007fffd0e0038 .text C:\windows\Explorer.EXE[460] C:\windows\system32\SHELL32.dll!SHLoadInProc + 944 000007fefe077fd0 5 bytes JMP 000007fffd2100f0 .text C:\windows\Explorer.EXE[460] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd4a7490 5 bytes JMP 000007fffd210018 .text C:\windows\Explorer.EXE[460] C:\windows\system32\ole32.dll!RegisterDragDrop 000007fefd5e0d10 5 bytes JMP 000007fffd210030 .text C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe[1820] C:\windows\syswow64\ADVAPI32.dll!RegOpenKeyExA 0000000074d34907 5 bytes JMP 0000000100ea237e .text C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe[1820] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768b1465 2 bytes [8B, 76] .text C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe[1820] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768b14bb 2 bytes [8B, 76] .text ... * 2 .text C:\windows\SysWOW64\vmnat.exe[2508] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26 0000000073a113c6 2 bytes [A1, 73] .text C:\windows\SysWOW64\vmnat.exe[2508] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74 0000000073a113f6 2 bytes [A1, 73] .text C:\windows\SysWOW64\vmnat.exe[2508] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257 0000000073a114ad 2 bytes [A1, 73] .text C:\windows\SysWOW64\vmnat.exe[2508] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303 0000000073a114db 2 bytes [A1, 73] .text ... * 2 .text C:\windows\SysWOW64\vmnat.exe[2508] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79 0000000073a11577 2 bytes [A1, 73] .text C:\windows\SysWOW64\vmnat.exe[2508] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175 0000000073a115d7 2 bytes [A1, 73] .text C:\windows\SysWOW64\vmnat.exe[2508] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620 0000000073a11794 2 bytes [A1, 73] .text C:\windows\SysWOW64\vmnat.exe[2508] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921 0000000073a118c1 2 bytes [A1, 73] .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[2604] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768b1465 2 bytes [8B, 76] .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[2604] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768b14bb 2 bytes [8B, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2748] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768b1465 2 bytes [8B, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2748] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768b14bb 2 bytes [8B, 76] .text ... * 2 .text C:\Program Files\Elantech\ETDCtrl.exe[4028] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076de6f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Elantech\ETDCtrl.exe[4028] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd0f9940 5 bytes JMP 000007fffd0e00b8 .text C:\Program Files\Elantech\ETDCtrl.exe[4028] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd0fbbb0 5 bytes JMP 000007fffd0e0038 .text C:\Program Files\Elantech\ETDCtrl.exe[4028] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd4a7490 5 bytes JMP 000007fffd0e0138 .text C:\Program Files\Elantech\ETDCtrl.exe[4028] C:\windows\system32\WINMM.dll!waveOutReset 000007fef8cca38c 5 bytes JMP 000007fefd0e02b8 .text C:\Program Files\Elantech\ETDCtrl.exe[4028] C:\windows\system32\WINMM.dll!waveOutPause 000007fef8ce4b60 5 bytes JMP 000007fefd0e0238 .text C:\Program Files\Elantech\ETDCtrl.exe[4028] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef8ce4ba0 5 bytes JMP 000007fefd0e01b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4088] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076de6f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4088] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd0f9940 5 bytes JMP 000007fffd0c00b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4088] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd0fbbb0 5 bytes JMP 000007fffd0c0038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4088] C:\windows\system32\WINMM.dll!waveOutReset 000007fef8cca38c 5 bytes JMP 000007fefd0c02b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4088] C:\windows\system32\WINMM.dll!waveOutPause 000007fef8ce4b60 5 bytes JMP 000007fefd0c0238 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4088] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef8ce4ba0 5 bytes JMP 000007fefd0c01b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4088] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd4a7490 5 bytes JMP 000007fffd0c0138 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[1712] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076de6f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[1712] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd0f9940 5 bytes JMP 000007fffd0c00b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[1712] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd0fbbb0 5 bytes JMP 000007fffd0c0038 .text C:\Program Files\Microsoft Security Client\msseces.exe[2348] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076de6f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Microsoft Security Client\msseces.exe[2348] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd0f9940 5 bytes JMP 000007fffd0e00b8 .text C:\Program Files\Microsoft Security Client\msseces.exe[2348] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd0fbbb0 5 bytes JMP 000007fffd0e0038 .text C:\Program Files\Microsoft Security Client\msseces.exe[2348] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd4a7490 5 bytes JMP 000007fffd0e0138 .text C:\Program Files\Windows Sidebar\sidebar.exe[3372] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076de6f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Windows Sidebar\sidebar.exe[3372] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd0f9940 5 bytes JMP 000007fffd0e00b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3372] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd0fbbb0 5 bytes JMP 000007fffd0e0038 .text C:\Program Files\Windows Sidebar\sidebar.exe[3372] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd4a7490 5 bytes JMP 000007fffd0e0138 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3748] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000755b48fb 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3748] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000755b4913 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3748] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000755b4945 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3748] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3748] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768b1465 2 bytes [8B, 76] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3748] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768b14bb 2 bytes [8B, 76] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3748] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 000000006cd611a8 2 bytes [D6, 6C] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3748] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 000000006cd613a8 2 bytes [D6, 6C] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3748] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 000000006cd61422 2 bytes [D6, 6C] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3748] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 000000006cd61498 2 bytes [D6, 6C] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[1064] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076de6f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[1064] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd0f9940 5 bytes JMP 000007fffd0c00b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[1064] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd0fbbb0 5 bytes JMP 000007fffd0c0038 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[1064] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd4a7490 5 bytes JMP 000007fffd0c0138 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[1064] C:\windows\system32\WINMM.dll!waveOutReset 000007fef8cca38c 5 bytes JMP 000007fefd0c02b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[1064] C:\windows\system32\WINMM.dll!waveOutPause 000007fef8ce4b60 5 bytes JMP 000007fefd0c0238 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[1064] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef8ce4ba0 5 bytes JMP 000007fefd0c01b8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4080] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExA 00000000755b48fb 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4080] C:\windows\syswow64\KERNEL32.dll!LoadLibraryW 00000000755b4913 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4080] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExW 00000000755b4945 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4080] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 5 bytes JMP 0000000110002900 .text C:\Program Files\K2T\WTW\wtw.exe[3368] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076de6f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\K2T\WTW\wtw.exe[3368] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd0f9940 5 bytes JMP 000007fffd0e00b8 .text C:\Program Files\K2T\WTW\wtw.exe[3368] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd0fbbb0 5 bytes JMP 000007fffd0e0038 .text C:\Program Files\K2T\WTW\wtw.exe[3368] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd4a7490 5 bytes JMP 000007fffd0e0138 .text C:\Program Files\K2T\WTW\wtw.exe[3368] C:\windows\system32\WINMM.dll!waveOutReset 000007fef8cca38c 5 bytes JMP 000007fefd0e02b8 .text C:\Program Files\K2T\WTW\wtw.exe[3368] C:\windows\system32\WINMM.dll!waveOutPause 000007fef8ce4b60 5 bytes JMP 000007fefd0e0238 .text C:\Program Files\K2T\WTW\wtw.exe[3368] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef8ce4ba0 5 bytes JMP 000007fefd0e01b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[984] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076de6f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[984] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd0f9940 5 bytes JMP 000007fffd0c00b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[984] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd0fbbb0 5 bytes JMP 000007fffd0c0038 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[984] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd4a7490 5 bytes JMP 000007fffd0c0138 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[984] C:\windows\system32\WINMM.dll!waveOutReset 000007fef8cca38c 5 bytes JMP 000007fefd0c02b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[984] C:\windows\system32\WINMM.dll!waveOutPause 000007fef8ce4b60 5 bytes JMP 000007fefd0c0238 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[984] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef8ce4ba0 5 bytes JMP 000007fefd0c01b8 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4464] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000755b48fb 5 bytes JMP 00000001100027c0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4464] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000755b4913 5 bytes JMP 00000001100028a0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4464] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000755b4945 5 bytes JMP 0000000110002830 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2064] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000755b48fb 5 bytes JMP 00000001100027c0 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2064] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000755b4913 5 bytes JMP 00000001100028a0 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2064] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000755b4945 5 bytes JMP 0000000110002830 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2064] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768b1465 2 bytes [8B, 76] .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2064] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768b14bb 2 bytes [8B, 76] .text ... * 2 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2064] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 5 bytes JMP 0000000110002900 ? C:\windows\system32\mssprxy.dll [2064] entry point in ".rdata" section 0000000071cf71e6 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000771ef991 7 bytes {MOV EDX, 0x703228; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000771efbd5 7 bytes {MOV EDX, 0x703268; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000771efc05 7 bytes {MOV EDX, 0x7031a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000771efc1d 7 bytes {MOV EDX, 0x703128; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000771efc35 7 bytes {MOV EDX, 0x703328; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000771efc65 7 bytes {MOV EDX, 0x703368; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000771efce5 7 bytes {MOV EDX, 0x7032e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000771efcfd 7 bytes {MOV EDX, 0x7032a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000771efd49 7 bytes {MOV EDX, 0x703068; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000771efe41 7 bytes {MOV EDX, 0x7030a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000771f0099 7 bytes {MOV EDX, 0x703028; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771f10a5 7 bytes {MOV EDX, 0x7031e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000771f111d 7 bytes {MOV EDX, 0x703168; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000771f1321 7 bytes {MOV EDX, 0x7030e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000755b48fb 5 bytes JMP 00000001100027c0 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000755b4913 5 bytes JMP 00000001100028a0 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000755b4945 5 bytes JMP 0000000110002830 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768b1465 2 bytes [8B, 76] .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768b14bb 2 bytes [8B, 76] .text ... * 2 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[3416] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 5 bytes JMP 0000000110002900 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000771ef991 7 bytes {MOV EDX, 0x68d628; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000771efbd5 7 bytes {MOV EDX, 0x68d668; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000771efc05 7 bytes {MOV EDX, 0x68d5a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000771efc1d 7 bytes {MOV EDX, 0x68d528; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000771efc35 7 bytes {MOV EDX, 0x68d728; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000771efc65 7 bytes {MOV EDX, 0x68d768; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000771efce5 7 bytes {MOV EDX, 0x68d6e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000771efcfd 7 bytes {MOV EDX, 0x68d6a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000771efd49 7 bytes {MOV EDX, 0x68d468; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000771efe41 7 bytes {MOV EDX, 0x68d4a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000771f0099 7 bytes {MOV EDX, 0x68d428; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771f10a5 7 bytes {MOV EDX, 0x68d5e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000771f111d 7 bytes {MOV EDX, 0x68d568; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000771f1321 7 bytes {MOV EDX, 0x68d4e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768b1465 2 bytes [8B, 76] .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[2456] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768b14bb 2 bytes [8B, 76] .text ... * 2 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000771ef991 7 bytes {MOV EDX, 0x96d628; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000771efbd5 7 bytes {MOV EDX, 0x96d668; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000771efc05 7 bytes {MOV EDX, 0x96d5a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000771efc1d 7 bytes {MOV EDX, 0x96d528; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000771efc35 7 bytes {MOV EDX, 0x96d728; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000771efc65 7 bytes {MOV EDX, 0x96d768; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000771efce5 7 bytes {MOV EDX, 0x96d6e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000771efcfd 7 bytes {MOV EDX, 0x96d6a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000771efd49 7 bytes {MOV EDX, 0x96d468; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000771efe41 7 bytes {MOV EDX, 0x96d4a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000771f0099 7 bytes {MOV EDX, 0x96d428; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771f10a5 7 bytes {MOV EDX, 0x96d5e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000771f111d 7 bytes {MOV EDX, 0x96d568; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000771f1321 7 bytes {MOV EDX, 0x96d4e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768b1465 2 bytes [8B, 76] .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[1684] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768b14bb 2 bytes [8B, 76] .text ... * 2 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000771ef991 7 bytes {MOV EDX, 0xf34a28; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000771efbd5 7 bytes {MOV EDX, 0xf34a68; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000771efc05 7 bytes {MOV EDX, 0xf349a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000771efc1d 7 bytes {MOV EDX, 0xf34928; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000771efc35 7 bytes {MOV EDX, 0xf34b28; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000771efc65 7 bytes {MOV EDX, 0xf34b68; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000771efce5 7 bytes {MOV EDX, 0xf34ae8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000771efcfd 7 bytes {MOV EDX, 0xf34aa8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000771efd49 7 bytes {MOV EDX, 0xf34868; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000771efe41 7 bytes {MOV EDX, 0xf348a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000771f0099 7 bytes {MOV EDX, 0xf34828; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771f10a5 7 bytes {MOV EDX, 0xf349e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000771f111d 7 bytes {MOV EDX, 0xf34968; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000771f1321 7 bytes {MOV EDX, 0xf348e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768b1465 2 bytes [8B, 76] .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4160] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768b14bb 2 bytes [8B, 76] .text ... * 2 .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000771ef991 7 bytes {MOV EDX, 0xfcd228; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000771efbd5 7 bytes {MOV EDX, 0xfcd268; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000771efc05 7 bytes {MOV EDX, 0xfcd1a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000771efc1d 7 bytes {MOV EDX, 0xfcd128; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000771efc35 7 bytes {MOV EDX, 0xfcd328; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000771efc65 7 bytes {MOV EDX, 0xfcd368; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000771efce5 7 bytes {MOV EDX, 0xfcd2e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000771efcfd 7 bytes {MOV EDX, 0xfcd2a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000771efd49 7 bytes {MOV EDX, 0xfcd068; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000771efe41 7 bytes {MOV EDX, 0xfcd0a8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000771f0099 7 bytes {MOV EDX, 0xfcd028; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771f10a5 7 bytes {MOV EDX, 0xfcd1e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000771f111d 7 bytes {MOV EDX, 0xfcd168; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000771f1321 7 bytes {MOV EDX, 0xfcd0e8; JMP RDX} .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768b1465 2 bytes [8B, 76] .text C:\Users\v\AppData\Local\Google\Chrome\Application\chrome.exe[4980] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768b14bb 2 bytes [8B, 76] .text ... * 2 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!malloc] [28c4834800000001] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!_vsnwprintf] [ccccccccccccccc3] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!_XcptFilter] [ccccffffc09225ff] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!wcsrchr] [83485540cccccccc] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!_wcsnicmp] [8d8948ea8b4820ec] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!wcschr] [8b018b4800000100] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!memset] [48000000a8958910] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!_amsg_exit] [6d73633d50458b50] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!free] [f8958b481475e0] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!wcsstr] [f95ce8504d8b0000] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!_initterm] [c707eb304589ffff] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[msvcrt.dll!memcpy] [458b000000003045] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[ntdll.dll!RtlCaptureContext] [cccccccccccccccc] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[ntdll.dll!RtlLookupFunctionEntry] [83485540cccccccc] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[ntdll.dll!RtlVirtualUnwind] [8d8948ea8b4820ec] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[ntdll.dll!NtOpenFile] [8b018b4800000110] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[ntdll.dll!RtlInitUnicodeString] [4800000098958910] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[ntdll.dll!NtClose] [5589000000d08d89] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[ntdll.dll!NtCreateFile] [6d73633d70458b70] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[ntdll.dll!RtlAppendUnicodeToString] [d0958b481475e0] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[ntdll.dll!NtFsControlFile] [f8fce8704d8b0000] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[ntdll.dll!NtQueryAttributesFile] [c707eb384589ffff] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\drprov.dll[WINSTA.dll!WinStationIsSessionRemoteable] [5589000000908d89] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!memset] [3b4908c68348d1ff] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!memcpy] [ef850fc33be572f6] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!_amsg_exit] [41070d8d480000] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!free] [5c70000037ae800] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!_initterm] [200004f40] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!malloc] [48c38b480a75eb3b] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!_XcptFilter] [394800004f220587] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!iswdigit] [ea850f000056eb1d] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!toupper] [4f1b3d01000011] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!_vsnwprintf] [58b00000083e900] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!_wcsnicmp] [8e0fc33b00004f10] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[msvcrt.dll!wcschr] [2b017b8d0000119e] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!RtlCaptureContext] [3db10f48f0c03300] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!RtlLookupFunctionEntry] [114d850f00004ee4] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!EtwTraceMessage] [4ee8058b0000] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventWrite] [114f850f02f883] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventUnregister] [4ef82d8b4800] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!NtClose] [358b482d74eb3b48] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!RtlNtStatusToDosError] [f8c6834800004ee4] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!NtCreateFile] [3c830ff53b4800eb] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventRegister] [15ffcd8b48000011] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!NtFsControlFile] [c51d894800003eec] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!RtlInitUnicodeString] [4ec61d894800004e] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[ntdll.dll!RtlVirtualUnwind] [4ea01d890000] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!UnhandledExceptionFilter] [9090909090909090] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!GetProcAddress] [9090909090909090] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!FreeLibrary] [6c894808245c8948] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!SetLastError] [5541544157561024] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!LocalFree] [db3320ec83485641] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!LocalAlloc] [d33be98b4ce08b4d] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!GetLastError] [1bf000000c0840f] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!Sleep] [36850fd73b000000] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!DisableThreadLibraryCalls] [25048b4865000001] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!DelayLoadFailureHook] [8b48eb8b00000030] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!QueryPerformanceCounter] [48f0c03300eb0870] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!GetTickCount] [f00004fa135b10f] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentThreadId] [8b00eb0000124485] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentProcessId] [fc33b00004fa305] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [358d480000125185] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!TerminateProcess] [65358d4c0000415c] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentProcess] [4f873d89000041] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [2373f63b49c38b00] IAT C:\windows\Explorer.EXE[460] @ C:\windows\System32\DAVHLPR.dll[KERNEL32.dll!LoadLibraryExA] [120a850fc33b] ---- Processes - GMER 2.1 ---- Library c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BAE413D8-52C9-4AA6-A128-26B80940A954}\mpengine.dll (*** suspicious ***) @ C:\Program Files\Microsoft Security Client\MsMpEng.exe [932] (Microsoft Malware Protection Engine/Microsoft Corporation(2013-06-24 08:40:31) 000007fef9ea0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38ec5880 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38ec5880@6c23b946eaa9 0x6F 0x9B 0x62 0x45 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38ec5880@0025e729d7f1 0xD6 0x61 0xE0 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38ec5880@000df096bda8 0x45 0xFF 0x1F 0xF7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38ec5880@000be49aa604 0xBE 0xDC 0x12 0x2F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38ec5880 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38ec5880@6c23b946eaa9 0x6F 0x9B 0x62 0x45 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38ec5880@0025e729d7f1 0xD6 0x61 0xE0 0x0E ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38ec5880@000df096bda8 0x45 0xFF 0x1F 0xF7 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38ec5880@000be49aa604 0xBE 0xDC 0x12 0x2F ... Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\c0cb38ec5880 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\c0cb38ec5880@6c23b946eaa9 0x6F 0x9B 0x62 0x45 ... Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\c0cb38ec5880@0025e729d7f1 0xD6 0x61 0xE0 0x0E ... Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\c0cb38ec5880@000df096bda8 0x45 0xFF 0x1F 0xF7 ... Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\c0cb38ec5880@000be49aa604 0xBE 0xDC 0x12 0x2F ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----