GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-28 23:27:49 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320325AS rev.0003SDM1 298,09GB Running: 9st2ei4y.exe; Driver: C:\Users\Ola\AppData\Local\Temp\uxriqpow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8D630AD6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x8D6ED83C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8D6315B4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8D63D6B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8D63D704] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8D63D89E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8D63D626] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8D6EDC16] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8D63D66E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8D6EDEA6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8D6EDF90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8D63D858] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8D6323A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8D630B3C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwDuplicateObject [0x8D6EE094] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0x8D6ED914] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwLoadDriver [0x8D6EAAA4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8D6EDCF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8D630BA2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8D635FE8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8D632EE6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8D63D6E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8D63D726] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8D63D8C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8D63D64C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8D6354EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8D63D7D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8D63D696] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8D6358D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8D63D87C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8D6EDA94] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8D632CFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8D632A0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8D630C08] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8D630C6E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8D6EDDF2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8D6307C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8D630994] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8D630922] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8D63256C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8D6326CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8D630A1C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8D6EDB62] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8D6321FC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0x8D6EAAD4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8D630CD4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8D6ED9C6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwReplaceKey + 1525 82C79B55 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CB3BB2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82CBAFB0 4 Bytes [D6, 0A, 63, 8D] {SALC ; OR AH, [EBX-0x73]} .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82CBAFD8 4 Bytes [3C, D8, 6E, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82CBB038 4 Bytes [B4, 15, 63, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82CBB08C 8 Bytes [B8, D6, 63, 8D, 04, D7, 63, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82CBB098 4 Bytes CALL E6A44F1F .text ... ---- User code sections - GMER 2.1 ---- .text D:\Programy\AVAST Software\Avast\AvastSvc.exe[1352] kernel32.dll!SetUnhandledExceptionFilter 7660F5FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text D:\Programy\AVAST Software\Avast\AvastUI.exe[3304] kernel32.dll!SetUnhandledExceptionFilter 7660F5FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtCreateFile + 6 775656B6 4 Bytes [28, 18, F0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtCreateFile + B 775656BB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtMapViewOfSection + 6 77565D16 4 Bytes [28, 1B, F0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtMapViewOfSection + B 77565D1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenFile + 6 77565DC6 4 Bytes [68, 18, F0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenFile + B 77565DCB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenProcess + 6 77565E76 4 Bytes [A8, 19, F0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenProcess + B 77565E7B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenProcessToken + B 77565E8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenProcessTokenEx + 6 77565E96 4 Bytes [A8, 1A, F0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenProcessTokenEx + B 77565E9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenThread + 6 77565EF6 4 Bytes [68, 19, F0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenThread + B 77565EFB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenThreadToken + 6 77565F06 4 Bytes [68, 1A, F0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenThreadToken + B 77565F0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtOpenThreadTokenEx + B 77565F1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtQueryAttributesFile + 6 77566026 4 Bytes [A8, 18, F0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtQueryAttributesFile + B 7756602B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtQueryFullAttributesFile + B 775660DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtSetInformationFile + 6 77566726 4 Bytes [28, 19, F0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtSetInformationFile + B 7756672B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtSetInformationThread + 6 77566786 4 Bytes [28, 1A, F0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtSetInformationThread + B 7756678B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtUnmapViewOfSection + 6 77566AA6 4 Bytes [68, 1B, F0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!NtUnmapViewOfSection + B 77566AAB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!LdrUnloadDll 7757CBCE 5 Bytes JMP 00F603FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[6104] ntdll.dll!LdrLoadDll 77582576 5 Bytes JMP 00F601F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtCreateFile + 6 775656B6 4 Bytes [28, 84, 70, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtCreateFile + B 775656BB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtMapViewOfSection + 6 77565D16 4 Bytes [28, 87, 70, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtMapViewOfSection + B 77565D1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenFile + 6 77565DC6 4 Bytes [68, 84, 70, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenFile + B 77565DCB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenProcess + 6 77565E76 4 Bytes [A8, 85, 70, 00] {TEST AL, 0x85; JO 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenProcess + B 77565E7B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenProcessToken + B 77565E8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenProcessTokenEx + 6 77565E96 4 Bytes [A8, 86, 70, 00] {TEST AL, 0x86; JO 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenProcessTokenEx + B 77565E9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenThread + 6 77565EF6 4 Bytes [68, 85, 70, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenThread + B 77565EFB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenThreadToken + 6 77565F06 4 Bytes [68, 86, 70, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenThreadToken + B 77565F0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtOpenThreadTokenEx + B 77565F1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtQueryAttributesFile + 6 77566026 4 Bytes [A8, 84, 70, 00] {TEST AL, 0x84; JO 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtQueryAttributesFile + B 7756602B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtQueryFullAttributesFile + B 775660DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtSetInformationFile + 6 77566726 4 Bytes [28, 85, 70, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtSetInformationFile + B 7756672B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtSetInformationThread + 6 77566786 4 Bytes [28, 86, 70, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtSetInformationThread + B 7756678B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtUnmapViewOfSection + 6 77566AA6 4 Bytes [68, 87, 70, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!NtUnmapViewOfSection + B 77566AAB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!LdrUnloadDll 7757CBCE 5 Bytes JMP 008D03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[7692] ntdll.dll!LdrLoadDll 77582576 5 Bytes JMP 008D01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtCreateFile + 6 775656B6 4 Bytes [28, D8, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtCreateFile + B 775656BB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtMapViewOfSection + 6 77565D16 4 Bytes [28, DB, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtMapViewOfSection + B 77565D1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenFile + 6 77565DC6 4 Bytes [68, D8, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenFile + B 77565DCB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenProcess + 6 77565E76 4 Bytes [A8, D9, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenProcess + B 77565E7B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenProcessToken + B 77565E8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenProcessTokenEx + 6 77565E96 4 Bytes [A8, DA, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenProcessTokenEx + B 77565E9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenThread + 6 77565EF6 4 Bytes [68, D9, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenThread + B 77565EFB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenThreadToken + 6 77565F06 4 Bytes [68, DA, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenThreadToken + B 77565F0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtOpenThreadTokenEx + B 77565F1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtQueryAttributesFile + 6 77566026 4 Bytes [A8, D8, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtQueryAttributesFile + B 7756602B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtQueryFullAttributesFile + B 775660DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtSetInformationFile + 6 77566726 4 Bytes [28, D9, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtSetInformationFile + B 7756672B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtSetInformationThread + 6 77566786 4 Bytes [28, DA, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtSetInformationThread + B 7756678B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtUnmapViewOfSection + 6 77566AA6 4 Bytes [68, DB, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!NtUnmapViewOfSection + B 77566AAB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!LdrUnloadDll 7757CBCE 5 Bytes JMP 007F03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[8236] ntdll.dll!LdrLoadDll 77582576 5 Bytes JMP 007F01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtCreateFile + 6 775656B6 4 Bytes [28, B4, C3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtCreateFile + B 775656BB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtMapViewOfSection + 6 77565D16 4 Bytes [28, B7, C3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtMapViewOfSection + B 77565D1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenFile + 6 77565DC6 4 Bytes [68, B4, C3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenFile + B 77565DCB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenProcess + 6 77565E76 4 Bytes [A8, B5, C3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenProcess + B 77565E7B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenProcessToken + B 77565E8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenProcessTokenEx + 6 77565E96 4 Bytes [A8, B6, C3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenProcessTokenEx + B 77565E9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenThread + 6 77565EF6 4 Bytes [68, B5, C3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenThread + B 77565EFB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenThreadToken + 6 77565F06 4 Bytes [68, B6, C3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenThreadToken + B 77565F0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtOpenThreadTokenEx + B 77565F1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtQueryAttributesFile + 6 77566026 4 Bytes [A8, B4, C3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtQueryAttributesFile + B 7756602B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtQueryFullAttributesFile + B 775660DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtSetInformationFile + 6 77566726 4 Bytes [28, B5, C3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtSetInformationFile + B 7756672B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtSetInformationThread + 6 77566786 4 Bytes [28, B6, C3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtSetInformationThread + B 7756678B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtUnmapViewOfSection + 6 77566AA6 4 Bytes [68, B7, C3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!NtUnmapViewOfSection + B 77566AAB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!LdrUnloadDll 7757CBCE 5 Bytes JMP 00CF03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[8488] ntdll.dll!LdrLoadDll 77582576 5 Bytes JMP 00CF01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtCreateFile + 6 775656B6 4 Bytes [28, 00, BC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtCreateFile + B 775656BB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtMapViewOfSection + 6 77565D16 1 Byte [28] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtMapViewOfSection + 6 77565D16 4 Bytes [28, 03, BC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtMapViewOfSection + B 77565D1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenFile + 6 77565DC6 4 Bytes [68, 00, BC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenFile + B 77565DCB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenProcess + 6 77565E76 4 Bytes [A8, 01, BC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenProcess + B 77565E7B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenProcessToken + B 77565E8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenProcessTokenEx + 6 77565E96 4 Bytes [A8, 02, BC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenProcessTokenEx + B 77565E9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenThread + 6 77565EF6 4 Bytes [68, 01, BC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenThread + B 77565EFB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenThreadToken + 6 77565F06 4 Bytes [68, 02, BC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenThreadToken + B 77565F0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtOpenThreadTokenEx + B 77565F1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtQueryAttributesFile + 6 77566026 4 Bytes [A8, 00, BC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtQueryAttributesFile + B 7756602B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtQueryFullAttributesFile + B 775660DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtSetInformationFile + 6 77566726 4 Bytes [28, 01, BC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtSetInformationFile + B 7756672B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtSetInformationThread + 6 77566786 4 Bytes [28, 02, BC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtSetInformationThread + B 7756678B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtUnmapViewOfSection + 6 77566AA6 1 Byte [68] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtUnmapViewOfSection + 6 77566AA6 4 Bytes [68, 03, BC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!NtUnmapViewOfSection + B 77566AAB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!LdrUnloadDll 7757CBCE 5 Bytes JMP 00C803FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[8604] ntdll.dll!LdrLoadDll 77582576 5 Bytes JMP 00C801F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[10012] ntdll.dll!NtMapViewOfSection + 6 77565D16 4 Bytes [18, 20, 73, 6B] {SBB [EAX], AH; JAE 0x6f} .text C:\Program Files\Google\Chrome\Application\chrome.exe[10012] ntdll.dll!NtMapViewOfSection + B 77565D1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10012] ntdll.dll!LdrUnloadDll 7757CBCE 5 Bytes JMP 000E03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[10012] ntdll.dll!LdrLoadDll 77582576 5 Bytes JMP 000E01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtCreateFile + 6 775656B6 4 Bytes [28, 44, 35, 00] {SUB [EBP+ESI+0x0], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtCreateFile + B 775656BB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtMapViewOfSection + 6 77565D16 4 Bytes [28, 47, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtMapViewOfSection + B 77565D1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenFile + 6 77565DC6 4 Bytes [68, 44, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenFile + B 77565DCB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenProcess + 6 77565E76 4 Bytes [A8, 45, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenProcess + B 77565E7B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenProcessToken + B 77565E8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenProcessTokenEx + 6 77565E96 4 Bytes [A8, 46, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenProcessTokenEx + B 77565E9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenThread + 6 77565EF6 4 Bytes [68, 45, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenThread + B 77565EFB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenThreadToken + 6 77565F06 4 Bytes [68, 46, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenThreadToken + B 77565F0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtOpenThreadTokenEx + B 77565F1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtQueryAttributesFile + 6 77566026 4 Bytes [A8, 44, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtQueryAttributesFile + B 7756602B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtQueryFullAttributesFile + B 775660DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtSetInformationFile + 6 77566726 4 Bytes [28, 45, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtSetInformationFile + B 7756672B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtSetInformationThread + 6 77566786 4 Bytes [28, 46, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtSetInformationThread + B 7756678B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtUnmapViewOfSection + 6 77566AA6 4 Bytes [68, 47, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!NtUnmapViewOfSection + B 77566AAB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!LdrUnloadDll 7757CBCE 5 Bytes JMP 003B03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[10048] ntdll.dll!LdrLoadDll 77582576 5 Bytes JMP 003B01F8 ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 3092 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 2267 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{586E20D4-C241-4DBE-9CE6-C6D70306E8BF}@LeaseObtainedTime 1446065517 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{586E20D4-C241-4DBE-9CE6-C6D70306E8BF}@T1 1446069117 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{586E20D4-C241-4DBE-9CE6-C6D70306E8BF}@T2 1446071817 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{586E20D4-C241-4DBE-9CE6-C6D70306E8BF}@LeaseTerminatesTime 1446072717 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Programy\Virtual Router\VirtualRouterService.exe 0x53 0x23 0xB2 0x40 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Programy\Virtual Router\VirtualRouterClient.exe 0x80 0x38 0xB0 0x6A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x38 0x2E 0xD1 0x8A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 0x0E 0xEE 0x11 0x74 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe 0x89 0x09 0x49 0x8E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\sdiagnhost.exe 0x3D 0x27 0x01 0xCE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe 0x2C 0x49 0x46 0x72 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\mmc.exe 0xBE 0x65 0x6F 0xA2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\GfxUI.exe 0xCC 0xB5 0xF0 0x68 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x06 0x8B 0x5F 0x81 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 0x11 0xB8 0xB0 0xF4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Users\Ola\AppData\Local\Temp\n7486\s7486.exe 0xB5 0x0F 0x7B 0xFD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\wermgr.exe 0x37 0x9C 0x60 0x4D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe 0xBA 0xC0 0x72 0xE2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Users\Ola\AppData\Local\Apps\2.0\JYJER2E2.NQJ\J48E00AX.C3A\clic..tion_0000000000000000_0001.0000_4b4cffa95e48949e\ClickOnceSetup.exe 0xB7 0xB4 0x07 0xE6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Users\Ola\Downloads\FRST.exe 0x94 0xE5 0x06 0xA1 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xEA 0x3E 0x9A 0x8A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0x72 0x84 0x20 0x7E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\rundll32.exe 0x7F 0x5A 0xC9 0xEE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe 0xF7 0xEF 0x6A 0x10 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\SearchProtocolHost.exe 0xCE 0x41 0x5D 0xD5 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe 0x6D 0x6F 0xA6 0xFB ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\explorer.exe 0x43 0x60 0x52 0xD0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\Ola\AppData\Local\Temp\RarSFX0\Installer.exe 0x91 0x64 0xBC 0x29 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\Ola\AppData\Local\Temp\RarSFX1\DPE.exe 0x71 0xBC 0x1C 0x43 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\DNS Unlocker\dnshugo.exe 0x18 0x49 0x4B 0x4E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\Ola\Downloads\FRST.exe 0x0B 0xA7 0xAA 0x9C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@7FACB8F0 116 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{4CA1F044-9524-11E4-BCB3-806E6F6E6963} 3159514184 ---- EOF - GMER 2.1 ----