GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-01-31 16:59:54
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3200021A rev.3.01 186,31GB
Running: ivtgk6ds.exe; Driver: C:\Users\Alicja\AppData\Local\Temp\kwrdypoc.sys

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!ZwRollbackEnlistment + 1409 82C7F9A5 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C9F512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtCreateFile + 6 77AF560E 4 Bytes [28, 94, 98, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtCreateFile + B 77AF5613 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtMapViewOfSection + 6 77AF5C6E 4 Bytes [28, 97, 98, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtMapViewOfSection + B 77AF5C73 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenFile + 6 77AF5D1E 4 Bytes [68, 94, 98, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenFile + B 77AF5D23 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenProcess + 6 77AF5DCE 4 Bytes [A8, 95, 98, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenProcess + B 77AF5DD3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenProcessToken + B 77AF5DE3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenProcessTokenEx + 6 77AF5DEE 4 Bytes [A8, 96, 98, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenProcessTokenEx + B 77AF5DF3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenThread + 6 77AF5E4E 4 Bytes [68, 95, 98, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenThread + B 77AF5E53 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenThreadToken + 6 77AF5E5E 4 Bytes [68, 96, 98, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenThreadToken + B 77AF5E63 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtOpenThreadTokenEx + B 77AF5E73 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtQueryAttributesFile + 6 77AF5F7E 4 Bytes [A8, 94, 98, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtQueryAttributesFile + B 77AF5F83 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtQueryFullAttributesFile + B 77AF6033 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtSetInformationFile + 6 77AF667E 4 Bytes [28, 95, 98, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtSetInformationFile + B 77AF6683 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtSetInformationThread + 6 77AF66DE 4 Bytes [28, 96, 98, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtSetInformationThread + B 77AF66E3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtUnmapViewOfSection + 6 77AF69FE 4 Bytes [68, 97, 98, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[1960] ntdll.dll!NtUnmapViewOfSection + B 77AF6A03 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtCreateFile + 6 77AF560E 4 Bytes [28, 54, 75, 00] {SUB [EBP+ESI*2+0x0], DL}
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtCreateFile + B 77AF5613 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtMapViewOfSection + 6 77AF5C6E 4 Bytes [28, 57, 75, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtMapViewOfSection + B 77AF5C73 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenFile + 6 77AF5D1E 4 Bytes [68, 54, 75, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenFile + B 77AF5D23 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenProcess + 6 77AF5DCE 4 Bytes [A8, 55, 75, 00] {TEST AL, 0x55; JNZ 0x4}
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenProcess + B 77AF5DD3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenProcessToken + B 77AF5DE3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenProcessTokenEx + 6 77AF5DEE 4 Bytes [A8, 56, 75, 00] {TEST AL, 0x56; JNZ 0x4}
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenProcessTokenEx + B 77AF5DF3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenThread + 6 77AF5E4E 4 Bytes [68, 55, 75, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenThread + B 77AF5E53 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenThreadToken + 6 77AF5E5E 4 Bytes [68, 56, 75, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenThreadToken + B 77AF5E63 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtOpenThreadTokenEx + B 77AF5E73 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtQueryAttributesFile + 6 77AF5F7E 4 Bytes [A8, 54, 75, 00] {TEST AL, 0x54; JNZ 0x4}
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtQueryAttributesFile + B 77AF5F83 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtQueryFullAttributesFile + B 77AF6033 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtSetInformationFile + 6 77AF667E 4 Bytes [28, 55, 75, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtSetInformationFile + B 77AF6683 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtSetInformationThread + 6 77AF66DE 4 Bytes [28, 56, 75, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtSetInformationThread + B 77AF66E3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtUnmapViewOfSection + 6 77AF69FE 4 Bytes [68, 57, 75, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2224] ntdll.dll!NtUnmapViewOfSection + B 77AF6A03 1 Byte [E2]
CODE C:\Users\Alicja\AppData\Roaming\System32\svchost.exe[2372] C:\Users\Alicja\AppData\Roaming\System32\svchost.exe entry point in "CODE" section [0x00419BC4]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtCreateFile + 6 77AF560E 4 Bytes [28, 80, 0C, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtCreateFile + B 77AF5613 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtMapViewOfSection + 6 77AF5C6E 4 Bytes [28, 83, 0C, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtMapViewOfSection + B 77AF5C73 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenFile + 6 77AF5D1E 4 Bytes [68, 80, 0C, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenFile + B 77AF5D23 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenProcess + 6 77AF5DCE 4 Bytes [A8, 81, 0C, 00] {TEST AL, 0x81; OR AL, 0x0}
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenProcess + B 77AF5DD3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenProcessToken + B 77AF5DE3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenProcessTokenEx + 6 77AF5DEE 4 Bytes [A8, 82, 0C, 00] {TEST AL, 0x82; OR AL, 0x0}
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenProcessTokenEx + B 77AF5DF3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenThread + 6 77AF5E4E 4 Bytes [68, 81, 0C, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenThread + B 77AF5E53 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenThreadToken + 6 77AF5E5E 4 Bytes [68, 82, 0C, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenThreadToken + B 77AF5E63 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtOpenThreadTokenEx + B 77AF5E73 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtQueryAttributesFile + 6 77AF5F7E 4 Bytes [A8, 80, 0C, 00] {TEST AL, 0x80; OR AL, 0x0}
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtQueryAttributesFile + B 77AF5F83 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtQueryFullAttributesFile + B 77AF6033 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtSetInformationFile + 6 77AF667E 4 Bytes [28, 81, 0C, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtSetInformationFile + B 77AF6683 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtSetInformationThread + 6 77AF66DE 4 Bytes [28, 82, 0C, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtSetInformationThread + B 77AF66E3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtUnmapViewOfSection + 6 77AF69FE 4 Bytes [68, 83, 0C, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[2596] ntdll.dll!NtUnmapViewOfSection + B 77AF6A03 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtCreateFile + 6 77AF560E 4 Bytes [28, D8, BB, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtCreateFile + B 77AF5613 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtMapViewOfSection + 6 77AF5C6E 4 Bytes [28, DB, BB, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtMapViewOfSection + B 77AF5C73 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenFile + 6 77AF5D1E 4 Bytes [68, D8, BB, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenFile + B 77AF5D23 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcess + 6 77AF5DCE 4 Bytes [A8, D9, BB, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcess + B 77AF5DD3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcessToken + 6 77AF5DDE 4 Bytes CALL 76B019BC C:\Windows\system32\SHELL32.dll
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcessToken + B 77AF5DE3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcessTokenEx + 6 77AF5DEE 4 Bytes [A8, DA, BB, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcessTokenEx + B 77AF5DF3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThread + 6 77AF5E4E 4 Bytes [68, D9, BB, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThread + B 77AF5E53 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThreadToken + 6 77AF5E5E 4 Bytes [68, DA, BB, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThreadToken + B 77AF5E63 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThreadTokenEx + 6 77AF5E6E 4 Bytes CALL 76B01A4D C:\Windows\system32\SHELL32.dll
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThreadTokenEx + B 77AF5E73 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtQueryAttributesFile + 6 77AF5F7E 4 Bytes [A8, D8, BB, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtQueryAttributesFile + B 77AF5F83 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtQueryFullAttributesFile + 6 77AF602E 4 Bytes CALL 76B01C0B C:\Windows\system32\SHELL32.dll
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtQueryFullAttributesFile + B 77AF6033 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtSetInformationFile + 6 77AF667E 4 Bytes [28, D9, BB, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtSetInformationFile + B 77AF6683 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtSetInformationThread + 6 77AF66DE 4 Bytes [28, DA, BB, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtSetInformationThread + B 77AF66E3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtUnmapViewOfSection + 6 77AF69FE 4 Bytes [68, DB, BB, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtUnmapViewOfSection + B 77AF6A03 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtCreateFile + 6 77AF560E 4 Bytes [28, D0, ED, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtCreateFile + B 77AF5613 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtMapViewOfSection + 6 77AF5C6E 4 Bytes [28, D3, ED, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtMapViewOfSection + B 77AF5C73 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenFile + 6 77AF5D1E 4 Bytes [68, D0, ED, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenFile + B 77AF5D23 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenProcess + 6 77AF5DCE 4 Bytes [A8, D1, ED, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenProcess + B 77AF5DD3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenProcessToken + 6 77AF5DDE 4 Bytes CALL 76B04BB4 C:\Windows\system32\SHELL32.dll
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenProcessToken + B 77AF5DE3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenProcessTokenEx + 6 77AF5DEE 4 Bytes [A8, D2, ED, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenProcessTokenEx + B 77AF5DF3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenThread + 6 77AF5E4E 4 Bytes [68, D1, ED, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenThread + B 77AF5E53 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenThreadToken + 6 77AF5E5E 4 Bytes [68, D2, ED, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenThreadToken + B 77AF5E63 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenThreadTokenEx + 6 77AF5E6E 4 Bytes CALL 76B04C45 C:\Windows\system32\SHELL32.dll
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtOpenThreadTokenEx + B 77AF5E73 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtQueryAttributesFile + 6 77AF5F7E 4 Bytes [A8, D0, ED, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtQueryAttributesFile + B 77AF5F83 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtQueryFullAttributesFile + 6 77AF602E 4 Bytes CALL 76B04E03 C:\Windows\system32\SHELL32.dll
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtQueryFullAttributesFile + B 77AF6033 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtSetInformationFile + 6 77AF667E 4 Bytes [28, D1, ED, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtSetInformationFile + B 77AF6683 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtSetInformationThread + 6 77AF66DE 4 Bytes [28, D2, ED, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtSetInformationThread + B 77AF66E3 1 Byte [E2]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtUnmapViewOfSection + 6 77AF69FE 4 Bytes [68, D3, ED, 00]
.text C:\Users\Alicja\AppData\Local\Google\Chrome\Application\chrome.exe[4064] ntdll.dll!NtUnmapViewOfSection + B 77AF6A03 1 Byte [E2]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [747424CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [7472562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [747256EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74742546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [747385AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74734D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74735105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [747351DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74736707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74738301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74738850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [747390B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7473E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74734C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 NBVolUp.sys
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy2 NBVolUp.sys
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy3 NBVolUp.sys
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy4 NBVolUp.sys
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy5 NBVolUp.sys
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy6 NBVolUp.sys
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy7 NBVolUp.sys
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy8 NBVolUp.sys
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy9 NBVolUp.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 NBVol.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 NBVol.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 NBVol.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 NBVol.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 NBVol.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 NBVol.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 NBVol.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 NBVol.sys

---- Files - GMER 2.1 ----

File C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasdlta.vdm (size mismatch) 1205016/1354008 bytes executable
File C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B42F2934-64EF-42AF-BD67-123CE7E98BAD} 0 bytes
File C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B42F2934-64EF-42AF-BD67-123CE7E98BAD}\mpasbase.vdm 18474256 bytes executable
File C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B42F2934-64EF-42AF-BD67-123CE7E98BAD}\mpasdlta.vdm 1354008 bytes executable
File C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B42F2934-64EF-42AF-BD67-123CE7E98BAD}\mpengine.dll 7760024 bytes executable
File C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-6D4BE2B6895CFBF219F17B9DBB1A8FC7062ABA0C.bin.VF 1942424 bytes
File C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-6D4BE2B6895CFBF219F17B9DBB1A8FC7062ABA0C.bin 3344119 bytes
File C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-6D4BE2B6895CFBF219F17B9DBB1A8FC7062ABA0C.bin.67 7675904 bytes
File C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-6D4BE2B6895CFBF219F17B9DBB1A8FC7062ABA0C.bin.7E 2015232 bytes
File C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-6D4BE2B6895CFBF219F17B9DBB1A8FC7062ABA0C.bin.80 4788224 bytes
File C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-6D4BE2B6895CFBF219F17B9DBB1A8FC7062ABA0C.bin.87 823296 bytes
File C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-6D4BE2B6895CFBF219F17B9DBB1A8FC7062ABA0C.bin.A0 4165632 bytes
File C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-6D4BE2B6895CFBF219F17B9DBB1A8FC7062ABA0C.bin.CB 16384 bytes
File C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-6D4BE2B6895CFBF219F17B9DBB1A8FC7062ABA0C.bin.CC 12288 bytes
File C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-6D4BE2B6895CFBF219F17B9DBB1A8FC7062ABA0C.bin.VE0 53530624 bytes
File C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-6D4BE2B6895CFBF219F17B9DBB1A8FC7062ABA0C.bin.VE1 5349376 bytes

---- EOF - GMER 2.1 ----