GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-24 17:13:28 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MQ01ABF032 rev.AM001A 298,09GB Running: nges6zix.exe; Driver: C:\Users\BW\AppData\Local\Temp\uglcyaoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000177640128 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000177640018 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000001776401b0 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2760] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000001776400a0 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2760] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0xfffffffffffd2590} .text C:\Windows\system32\svchost.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000177640128 .text C:\Windows\system32\svchost.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000177640018 .text C:\Windows\system32\svchost.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000001776401b0 .text C:\Windows\system32\svchost.exe[2220] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000001776400a0 .text C:\Windows\system32\svchost.exe[2220] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0xfffffffffffd2590} .text C:\Windows\System32\igfxtray.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000077920128 .text C:\Windows\System32\igfxtray.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Windows\System32\igfxtray.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Windows\System32\igfxtray.exe[1364] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Windows\System32\igfxtray.exe[1364] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Windows\System32\hkcmd.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000077920128 .text C:\Windows\System32\hkcmd.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Windows\System32\hkcmd.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Windows\System32\hkcmd.exe[3088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Windows\System32\hkcmd.exe[3088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000077920128 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Windows\System32\igfxpers.exe[3100] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000077920128 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3124] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3124] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000077920128 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3164] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3164] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000077920128 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3176] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3176] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007796fc90 5 bytes JMP 00000001712019d0 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007796fe54 5 bytes JMP 00000001712015f0 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779700a8 5 bytes JMP 0000000171201bb0 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000768e3bab 5 bytes JMP 0000000171201760 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076a41401 2 bytes JMP 768fb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076a41419 2 bytes JMP 768fb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076a41431 2 bytes JMP 76978fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076a4144a 2 bytes CALL 768d489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076a414dd 2 bytes JMP 769788c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076a414f5 2 bytes JMP 76978aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076a4150d 2 bytes JMP 769787ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076a41525 2 bytes JMP 76978b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076a4153d 2 bytes JMP 768efca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076a41555 2 bytes JMP 768f68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076a4156d 2 bytes JMP 76979089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076a41585 2 bytes JMP 76978bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076a4159d 2 bytes JMP 7697877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076a415b5 2 bytes JMP 768efd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076a415cd 2 bytes JMP 768fb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076a416b2 2 bytes JMP 76978f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076a416bd 2 bytes JMP 76978713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007796fc90 5 bytes JMP 00000001712019d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007796fe54 5 bytes JMP 00000001712015f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779700a8 5 bytes JMP 0000000171201bb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3232] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000768e3bab 5 bytes JMP 0000000171201760 .text C:\Windows\SysWOW64\ctfmon.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007796fc90 5 bytes JMP 00000001712019d0 .text C:\Windows\SysWOW64\ctfmon.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007796fe54 5 bytes JMP 00000001712015f0 .text C:\Windows\SysWOW64\ctfmon.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779700a8 5 bytes JMP 0000000171201bb0 .text C:\Windows\SysWOW64\ctfmon.exe[3452] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000768e3bab 5 bytes JMP 0000000171201760 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000177640128 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000177640018 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000001776401b0 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000001776400a0 .text C:\Windows\system32\svchost.exe[3644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0xfffffffffffd2590} .text C:\Windows\system32\SearchIndexer.exe[3704] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000077920128 .text C:\Windows\system32\SearchIndexer.exe[3704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Windows\system32\SearchIndexer.exe[3704] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3548] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000077920128 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3548] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3548] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 16 bytes JMP 0000000077920128 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000777bda80 16 bytes [50, 48, B8, 5C, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000777bdbf0 16 bytes [50, 48, B8, B4, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777bdc10 48 bytes [50, 48, B8, 30, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777bdc50 16 bytes [50, 48, B8, 80, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000777bdca0 32 bytes [50, 48, B8, D8, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bdce0 16 bytes [50, 48, B8, C0, 1E, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000777bdd80 16 bytes [50, 48, B8, 08, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bdf00 16 bytes [50, 48, B8, 84, 1D, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000777be970 16 bytes [50, 48, B8, 54, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777be9c0 16 bytes [50, 48, B8, 90, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000777beb10 16 bytes [50, 48, B8, 1C, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000777bda80 16 bytes [50, 48, B8, 5C, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000777bdbf0 16 bytes [50, 48, B8, B4, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777bdc10 48 bytes [50, 48, B8, 30, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777bdc50 16 bytes [50, 48, B8, 80, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000777bdca0 32 bytes [50, 48, B8, D8, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bdce0 16 bytes [50, 48, B8, C0, 1E, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000777bdd80 16 bytes [50, 48, B8, 08, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bdf00 16 bytes [50, 48, B8, 84, 1D, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000777be970 16 bytes [50, 48, B8, 54, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777be9c0 16 bytes [50, 48, B8, 90, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000777beb10 16 bytes [50, 48, B8, 1C, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000777bda80 16 bytes [50, 48, B8, 5C, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000777bdbf0 16 bytes [50, 48, B8, B4, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777bdc10 48 bytes [50, 48, B8, 30, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777bdc50 16 bytes [50, 48, B8, 80, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000777bdca0 32 bytes [50, 48, B8, D8, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bdce0 16 bytes [50, 48, B8, C0, 1E, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000777bdd80 16 bytes [50, 48, B8, 08, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bdf00 16 bytes [50, 48, B8, 84, 1D, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000777be970 16 bytes [50, 48, B8, 54, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777be9c0 16 bytes [50, 48, B8, 90, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000777beb10 16 bytes [50, 48, B8, 1C, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Windows\system32\svchost.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000177640128 .text C:\Windows\system32\svchost.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000177640018 .text C:\Windows\system32\svchost.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000001776401b0 .text C:\Windows\system32\svchost.exe[5080] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000001776400a0 .text C:\Windows\system32\svchost.exe[5080] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0xfffffffffffd2590} .text C:\Windows\servicing\TrustedInstaller.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777bdc30 5 bytes JMP 0000000077920128 .text C:\Windows\servicing\TrustedInstaller.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Windows\servicing\TrustedInstaller.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Windows\servicing\TrustedInstaller.exe[3748] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Windows\servicing\TrustedInstaller.exe[3748] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3428] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007796fc90 5 bytes JMP 00000001712019d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3428] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007796fe54 5 bytes JMP 00000001712015f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3428] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779700a8 5 bytes JMP 0000000171201bb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3428] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000768e3bab 5 bytes JMP 0000000171201760 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000777bda80 16 bytes [50, 48, B8, 5C, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000777bdbf0 16 bytes [50, 48, B8, B4, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777bdc10 48 bytes [50, 48, B8, 30, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777bdc50 16 bytes [50, 48, B8, 80, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000777bdca0 32 bytes [50, 48, B8, D8, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bdce0 16 bytes [50, 48, B8, C0, 1E, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000777bdd80 16 bytes [50, 48, B8, 08, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bdf00 16 bytes [50, 48, B8, 84, 1D, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000777be970 16 bytes [50, 48, B8, 54, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777be9c0 16 bytes [50, 48, B8, 90, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000777beb10 16 bytes [50, 48, B8, 1C, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000777bda80 16 bytes [50, 48, B8, 5C, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000777bdbf0 16 bytes [50, 48, B8, B4, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777bdc10 48 bytes [50, 48, B8, 30, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000777bdc50 16 bytes [50, 48, B8, 80, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000777bdca0 32 bytes [50, 48, B8, D8, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bdce0 16 bytes [50, 48, B8, C0, 1E, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777bdd50 5 bytes JMP 0000000077920018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000777bdd80 16 bytes [50, 48, B8, 08, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000777bded0 5 bytes JMP 00000000779201b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bdf00 16 bytes [50, 48, B8, 84, 1D, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000777be970 16 bytes [50, 48, B8, 54, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777be9c0 16 bytes [50, 48, B8, 90, 1F, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000777beb10 16 bytes [50, 48, B8, 1C, 20, 7F, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766db10 1 byte JMP 00000000779200a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 000000007766db12 3 bytes {JMP 0x2b2590} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7feebb087d0] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feebb0861c] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feebb087b8] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7feebb08920] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4428] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7feebb087b0] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7feebb087d0] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feebb0861c] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feebb087b8] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7feebb08920] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4720] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7feebb087b0] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7feebb087d0] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feebb0861c] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feebb087b8] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7feebb08920] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1848] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7feebb087b0] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7feebb087d0] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feebb0861c] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feebb087b8] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7feebb08920] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2748] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7feebb087b0] C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\chrome_child.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4b1463f Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4b1463f@102f6b3175ec 0x17 0x7C 0x73 0x1F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4b1463f@d0db32b75e35 0x71 0x6A 0xE3 0x9F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4b1463f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4b1463f@102f6b3175ec 0x17 0x7C 0x73 0x1F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4b1463f@d0db32b75e35 0x71 0x6A 0xE3 0x9F ... ---- EOF - GMER 2.1 ----