GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-09 12:03:40 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: 4ocn382y.exe; Driver: C:\Users\Lenovo\AppData\Local\Temp\kfrdapow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80003605000 63 bytes [C5, 00, 01, 01, 00, 00, 00, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 624 fffff80003605040 6 bytes [E0, 48, 17, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\Dwm.exe[1868] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077276f80 5 bytes JMP 0000000169ff0038 .text C:\windows\system32\Dwm.exe[1868] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3b9940 5 bytes JMP 000007fffd3a00b8 .text C:\windows\system32\Dwm.exe[1868] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd3bbbb0 5 bytes JMP 000007fffd3a0038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077276f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3b9940 5 bytes JMP 000007fffd3700b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd3bbbb0 5 bytes JMP 000007fffd370038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364] C:\windows\system32\WINMM.dll!waveOutReset 000007fef977a38c 5 bytes JMP 000007fefd3702b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364] C:\windows\system32\WINMM.dll!waveOutPause 000007fef9794b60 5 bytes JMP 000007fefd370238 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef9794ba0 5 bytes JMP 000007fefd3701b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb67490 5 bytes JMP 000007fffd370138 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2728] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077276f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2728] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3b9940 5 bytes JMP 000007fffd3a00b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2728] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd3bbbb0 5 bytes JMP 000007fffd3a0038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2728] C:\windows\system32\WINMM.dll!waveOutReset 000007fef977a38c 5 bytes JMP 000007fefd3a02b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2728] C:\windows\system32\WINMM.dll!waveOutPause 000007fef9794b60 5 bytes JMP 000007fefd3a0238 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2728] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef9794ba0 5 bytes JMP 000007fefd3a01b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2728] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb67490 5 bytes JMP 000007fffd3a0138 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[2188] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077276f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[2188] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3b9940 5 bytes JMP 000007fffd3a00b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[2188] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd3bbbb0 5 bytes JMP 000007fffd3a0038 .text C:\Program Files\Microsoft Security Client\msseces.exe[2540] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077276f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Microsoft Security Client\msseces.exe[2540] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3b9940 5 bytes JMP 000007fffd1f00b8 .text C:\Program Files\Microsoft Security Client\msseces.exe[2540] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd3bbbb0 5 bytes JMP 000007fffd1f0038 .text C:\Program Files\Microsoft Security Client\msseces.exe[2540] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb67490 5 bytes JMP 000007fffd1f0138 .text C:\Users\Lenovo\AppData\Local\Lollipop\Lollipop.exe[2240] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000764748fb 5 bytes JMP 00000001100027c0 .text C:\Users\Lenovo\AppData\Local\Lollipop\Lollipop.exe[2240] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076474913 5 bytes JMP 00000001100028a0 .text C:\Users\Lenovo\AppData\Local\Lollipop\Lollipop.exe[2240] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076474945 5 bytes JMP 0000000110002830 .text C:\Users\Lenovo\AppData\Local\Lollipop\Lollipop.exe[2240] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075cb9d0b 5 bytes JMP 0000000110002900 .text C:\Users\Lenovo\AppData\Local\Lollipop\Lollipop.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e21465 2 bytes [E2, 75] .text C:\Users\Lenovo\AppData\Local\Lollipop\Lollipop.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e214bb 2 bytes [E2, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2880] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExA 00000000764748fb 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2880] C:\windows\syswow64\KERNEL32.dll!LoadLibraryW 0000000076474913 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2880] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExW 0000000076474945 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2880] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075cb9d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2860] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000764748fb 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2860] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076474913 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2860] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076474945 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2868] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000764748fb 5 bytes JMP 00000001002a27c0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2868] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076474913 5 bytes JMP 00000001002a28a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2868] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076474945 5 bytes JMP 00000001002a2830 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3088] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000764748fb 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3088] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076474913 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3088] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076474945 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3088] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075cb9d0b 5 bytes JMP 0000000110002900 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3224] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077276f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3224] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3b9940 5 bytes JMP 000007fffd3a00b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3224] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd3bbbb0 5 bytes JMP 000007fffd3a0038 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3224] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb67490 5 bytes JMP 000007fffd3a0138 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3224] C:\windows\system32\WINMM.dll!waveOutReset 000007fef977a38c 5 bytes JMP 000007fefd3a02b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3224] C:\windows\system32\WINMM.dll!waveOutPause 000007fef9794b60 5 bytes JMP 000007fefd3a0238 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3224] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef9794ba0 5 bytes JMP 000007fefd3a01b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3340] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077276f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3340] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3b9940 5 bytes JMP 000007fffd3a00b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3340] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd3bbbb0 5 bytes JMP 000007fffd3a0038 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3340] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb67490 5 bytes JMP 000007fffd3a0138 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3340] C:\windows\system32\WINMM.dll!waveOutReset 000007fef977a38c 5 bytes JMP 000007fefd3a02b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3340] C:\windows\system32\WINMM.dll!waveOutPause 000007fef9794b60 5 bytes JMP 000007fefd3a0238 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3340] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef9794ba0 5 bytes JMP 000007fefd3a01b8 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3584] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000764748fb 5 bytes JMP 00000001100027c0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3584] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076474913 5 bytes JMP 00000001100028a0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3584] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076474945 5 bytes JMP 0000000110002830 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000764748fb 5 bytes JMP 00000001100027c0 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076474913 5 bytes JMP 00000001100028a0 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076474945 5 bytes JMP 0000000110002830 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e21465 2 bytes [E2, 75] .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e214bb 2 bytes [E2, 75] .text ... * 2 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075cb9d0b 5 bytes JMP 0000000110002900 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\WS2_32.dll!closesocket 0000000076f43918 5 bytes JMP 0000000102b62ed8 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\WS2_32.dll!WSASend 0000000076f44406 5 bytes JMP 0000000102b62a6c .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\WS2_32.dll!recv 0000000076f46b0e 5 bytes JMP 0000000102b62aec .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\WS2_32.dll!send 0000000076f46f01 5 bytes JMP 0000000102b629ff .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\WS2_32.dll!WSARecv 0000000076f47089 5 bytes JMP 0000000102b62c0f .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4056] C:\windows\syswow64\WS2_32.dll!WSAGetOverlappedResult 0000000076f47489 5 bytes JMP 0000000102b62d84 ? C:\windows\system32\mssprxy.dll [4056] entry point in ".rdata" section 00000000703c71e6 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007757f991 7 bytes {MOV EDX, 0x66de28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007757fbd5 7 bytes {MOV EDX, 0x66de68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007757fc05 7 bytes {MOV EDX, 0x66dda8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007757fc1d 7 bytes {MOV EDX, 0x66dd28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007757fc35 7 bytes {MOV EDX, 0x66df28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007757fc65 7 bytes {MOV EDX, 0x66df68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007757fce5 7 bytes {MOV EDX, 0x66dee8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007757fcfd 7 bytes {MOV EDX, 0x66dea8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007757fd49 7 bytes {MOV EDX, 0x66dc68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007757fe41 7 bytes {MOV EDX, 0x66dca8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077580099 7 bytes {MOV EDX, 0x66dc28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775810a5 7 bytes {MOV EDX, 0x66dde8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007758111d 7 bytes {MOV EDX, 0x66dd68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077581321 7 bytes {MOV EDX, 0x66dce8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000764748fb 5 bytes JMP 00000001100027c0 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076474913 5 bytes JMP 00000001100028a0 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076474945 5 bytes JMP 0000000110002830 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e21465 2 bytes [E2, 75] .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e214bb 2 bytes [E2, 75] .text ... * 2 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[1588] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075cb9d0b 5 bytes JMP 0000000110002900 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007757f991 7 bytes {MOV EDX, 0xf8ba28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007757fbd5 7 bytes {MOV EDX, 0xf8ba68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007757fc05 7 bytes {MOV EDX, 0xf8b9a8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007757fc1d 7 bytes {MOV EDX, 0xf8b928; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007757fc35 7 bytes {MOV EDX, 0xf8bb28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007757fc65 7 bytes {MOV EDX, 0xf8bb68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007757fce5 7 bytes {MOV EDX, 0xf8bae8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007757fcfd 7 bytes {MOV EDX, 0xf8baa8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007757fd49 7 bytes {MOV EDX, 0xf8b868; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007757fe41 7 bytes {MOV EDX, 0xf8b8a8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077580099 7 bytes {MOV EDX, 0xf8b828; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775810a5 7 bytes {MOV EDX, 0xf8b9e8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007758111d 7 bytes {MOV EDX, 0xf8b968; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077581321 7 bytes {MOV EDX, 0xf8b8e8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e21465 2 bytes [E2, 75] .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[660] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e214bb 2 bytes [E2, 75] .text ... * 2 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007757f991 7 bytes {MOV EDX, 0xfd5e28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007757fbd5 7 bytes {MOV EDX, 0xfd5e68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007757fc05 7 bytes {MOV EDX, 0xfd5da8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007757fc1d 7 bytes {MOV EDX, 0xfd5d28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007757fc35 7 bytes {MOV EDX, 0xfd5f28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007757fc65 7 bytes {MOV EDX, 0xfd5f68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007757fce5 7 bytes {MOV EDX, 0xfd5ee8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007757fcfd 7 bytes {MOV EDX, 0xfd5ea8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007757fd49 7 bytes {MOV EDX, 0xfd5c68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007757fe41 7 bytes {MOV EDX, 0xfd5ca8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077580099 7 bytes {MOV EDX, 0xfd5c28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775810a5 7 bytes {MOV EDX, 0xfd5de8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007758111d 7 bytes {MOV EDX, 0xfd5d68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077581321 7 bytes {MOV EDX, 0xfd5ce8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e21465 2 bytes [E2, 75] .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[828] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e214bb 2 bytes [E2, 75] .text ... * 2 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007757f991 7 bytes {MOV EDX, 0xb6de28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007757fbd5 7 bytes {MOV EDX, 0xb6de68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007757fc05 7 bytes {MOV EDX, 0xb6dda8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007757fc1d 7 bytes {MOV EDX, 0xb6dd28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007757fc35 7 bytes {MOV EDX, 0xb6df28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007757fc65 7 bytes {MOV EDX, 0xb6df68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007757fce5 7 bytes {MOV EDX, 0xb6dee8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007757fcfd 7 bytes {MOV EDX, 0xb6dea8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007757fd49 7 bytes {MOV EDX, 0xb6dc68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007757fe41 7 bytes {MOV EDX, 0xb6dca8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077580099 7 bytes {MOV EDX, 0xb6dc28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775810a5 7 bytes {MOV EDX, 0xb6dde8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007758111d 7 bytes {MOV EDX, 0xb6dd68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077581321 7 bytes {MOV EDX, 0xb6dce8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e21465 2 bytes [E2, 75] .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[2788] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e214bb 2 bytes [E2, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[452] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e21465 2 bytes [E2, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[452] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e214bb 2 bytes [E2, 75] .text ... * 2 .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007757f991 7 bytes {MOV EDX, 0x800a28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007757fbd5 7 bytes {MOV EDX, 0x800a68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007757fc05 7 bytes {MOV EDX, 0x8009a8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007757fc1d 7 bytes {MOV EDX, 0x800928; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007757fc35 7 bytes {MOV EDX, 0x800b28; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007757fc65 7 bytes {MOV EDX, 0x800b68; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007757fce5 7 bytes {MOV EDX, 0x800ae8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007757fcfd 7 bytes {MOV EDX, 0x800aa8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007757fd49 7 bytes {MOV EDX, 0x800868; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007757fe41 7 bytes {MOV EDX, 0x8008a8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077580099 7 bytes {MOV EDX, 0x800828; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775810a5 7 bytes {MOV EDX, 0x8009e8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007758111d 7 bytes {MOV EDX, 0x800968; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077581321 7 bytes {MOV EDX, 0x8008e8; JMP RDX} .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e21465 2 bytes [E2, 75] .text C:\Users\Lenovo\AppData\Local\Google\Chrome\Application\chrome.exe[4840] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e214bb 2 bytes [E2, 75] .text ... * 2 .text C:\windows\system32\wuauclt.exe[3376] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077276f80 5 bytes JMP 0000000169ff0038 .text C:\windows\system32\wuauclt.exe[3376] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd3b9940 5 bytes JMP 000007fffd3a00b8 .text C:\windows\system32\wuauclt.exe[3376] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd3bbbb0 5 bytes JMP 000007fffd3a0038 .text C:\windows\system32\wuauclt.exe[3376] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb67490 5 bytes JMP 000007fffd3a0138 ---- Threads - GMER 2.1 ---- Thread C:\windows\system32\taskhost.exe [1792:1896] 000007fef89f2740 Thread C:\windows\system32\taskhost.exe [1792:2008] 000007fef9771010 Thread C:\windows\system32\taskhost.exe [1792:4548] 000007fef8795170 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@001f5dad70a7 0x6D 0x24 0x8F 0x0F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@3c8bfec4d7db 0xFE 0x7D 0x9B 0xAF ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@e8e5d6766e8a 0xC3 0x23 0x4A 0xD8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@34c3ac9e114e 0x2D 0x4B 0x92 0x8C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@9471ac51da23 0x3B 0xC4 0xF3 0xDA ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@bccfccf27970 0xD2 0x98 0xB0 0xC6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@001f5dad70a7 0x6D 0x24 0x8F 0x0F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@3c8bfec4d7db 0xFE 0x7D 0x9B 0xAF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@e8e5d6766e8a 0xC3 0x23 0x4A 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@34c3ac9e114e 0x2D 0x4B 0x92 0x8C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@9471ac51da23 0x3B 0xC4 0xF3 0xDA ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@bccfccf27970 0xD2 0x98 0xB0 0xC6 ... ---- Files - GMER 2.1 ---- File C:\Users\Lenovo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000048 16721 bytes File C:\Users\Lenovo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2MV5NH19\172d4d201c0f52f8548c46d4404b0e9d[1].htm 0 bytes File C:\Users\Lenovo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2MV5NH19\7ef8acbf60b4b73f6fcd08ef1fe69bc7[1].htm 0 bytes File C:\Users\Lenovo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2MV5NH19\e785994e2a654222b94ba6b0dc28be3a[1].htm 0 bytes ---- EOF - GMER 2.1 ----