GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-26 12:15:18
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 ST1000LM014-SSHD-8GB rev.LVD6 931,51GB
Running: dyfjlx6m.exe; Driver: C:\Users\TEMP~1.DES\AppData\Local\Temp\fxldiuob.sys

---- User code sections - GMER 2.2 ----

? C:\Windows\system32\apphelp.dll [2420] entry point in ".rdata" section 0000000072cdf7c0
? C:\Windows\SYSTEM32\iertutil.dll [2420] entry point in ".rdata" section 0000000070b7fcf0
? C:\Windows\SYSTEM32\wship6.dll [2420] entry point in ".rdata" section 0000000070752470
? C:\Windows\SYSTEM32\iertutil.dll [2612] entry point in ".rdata" section 0000000070b7fcf0
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ffaf07b5380 6 bytes {JMP QWORD [RIP+0x1bbc7a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ffaf0815140 5 bytes [FF, 25, BA, BE, 1C]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ffaf0815840 5 bytes [FF, 25, BA, B7, 1E]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffaf05cddc0 6 bytes {JMP QWORD [RIP+0xb323a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffaf05d1800 6 bytes {JMP QWORD [RIP+0x3df7fa]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffaf05d4a33 2 bytes [C5, 0E]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffaf060c1c0 6 bytes {JMP QWORD [RIP+0xd4e3a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffaf060d620 6 bytes {JMP QWORD [RIP+0x939da]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffaf0610860 6 bytes {JMP QWORD [RIP+0x34079a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 00007ffaedfa2af0 6 bytes {JMP QWORD [RIP+0x14ee50a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\SHELL32.dll!ShellExecuteW 00007ffaedfc41d0 6 bytes {JMP QWORD [RIP+0x14ace2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffaf0701470 6 bytes {JMP QWORD [RIP+0x29fb8a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffade45d220 6 bytes {JMP QWORD [RIP+0x3c3dda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffade484790 6 bytes {JMP QWORD [RIP+0x27c86a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffade48dfd0 6 bytes {JMP QWORD [RIP+0x2f302a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffade4d4320 6 bytes {JMP QWORD [RIP+0x2eccda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffade4de0d0 6 bytes {JMP QWORD [RIP+0x2c2f2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffade4ec8e0 6 bytes {JMP QWORD [RIP+0x31471a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffade4f3ea0 6 bytes {JMP QWORD [RIP+0x2ed15a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffade55d4a0 6 bytes {JMP QWORD [RIP+0x203b5a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffade55dd90 6 bytes {JMP QWORD [RIP+0x1e326a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffade586190 6 bytes {JMP QWORD [RIP+0x19ae6a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\urlmon.dll!URLDownloadToFileW 00000151016f1150 6 bytes {JMP QWORD [RIP+0x18feaa]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\urlmon.dll!URLDownloadToCacheFileW 00000151016f11e0 6 bytes {JMP QWORD [RIP+0x20fe1a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\urlmon.dll!URLDownloadToCacheFileA 0000015101780ca0 6 bytes {JMP QWORD [RIP+0x1a035a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\urlmon.dll!URLDownloadToFileA 0000015101780e20 6 bytes {JMP QWORD [RIP+0x1601da]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\urlmon.dll!URLOpenBlockingStreamA 0000015101780f70 6 bytes {JMP QWORD [RIP+0x22008a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\urlmon.dll!URLOpenBlockingStreamW 0000015101781050 6 bytes {JMP QWORD [RIP+0x1fffaa]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\urlmon.dll!URLOpenStreamA 00000151017812e0 6 bytes {JMP QWORD [RIP+0x1dfd1a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8648] C:\Windows\System32\urlmon.dll!URLOpenStreamW 00000151017813b0 6 bytes {JMP QWORD [RIP+0x1bfc4a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffaf05cddc0 6 bytes {JMP QWORD [RIP+0xb323a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffaf05d1800 6 bytes {JMP QWORD [RIP+0x3df7fa]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffaf05d4a33 2 bytes [C5, 0E]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffaf060c1c0 6 bytes {JMP QWORD [RIP+0xd4e3a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffaf060d620 6 bytes {JMP QWORD [RIP+0x939da]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffaf0610860 6 bytes {JMP QWORD [RIP+0x34079a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 00007ffaedfa2af0 6 bytes {JMP QWORD [RIP+0x14ee50a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\System32\SHELL32.dll!ShellExecuteW 00007ffaedfc41d0 6 bytes {JMP QWORD [RIP+0x14ace2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffaf0701470 6 bytes {JMP QWORD [RIP+0x29fb8a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffade45d220 6 bytes {JMP QWORD [RIP+0x3c3dda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffade484790 6 bytes {JMP QWORD [RIP+0x27c86a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffade48dfd0 6 bytes {JMP QWORD [RIP+0x2f302a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffade4d4320 6 bytes {JMP QWORD [RIP+0x2eccda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffade4de0d0 6 bytes {JMP QWORD [RIP+0x2c2f2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffade4ec8e0 6 bytes {JMP QWORD [RIP+0x31471a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffade4f3ea0 6 bytes {JMP QWORD [RIP+0x2ed15a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffade55d4a0 6 bytes {JMP QWORD [RIP+0x203b5a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffade55dd90 6 bytes {JMP QWORD [RIP+0x1e326a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7780] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffade586190 6 bytes {JMP QWORD [RIP+0x19ae6a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 00007ffaedfa2af0 6 bytes {JMP QWORD [RIP+0x14ee50a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\System32\SHELL32.dll!ShellExecuteW 00007ffaedfc41d0 6 bytes {JMP QWORD [RIP+0x14ace2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffaf0701470 6 bytes {JMP QWORD [RIP+0x29fb8a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffade45d220 6 bytes {JMP QWORD [RIP+0x3c3dda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffade484790 6 bytes {JMP QWORD [RIP+0x27c86a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffade48dfd0 6 bytes {JMP QWORD [RIP+0x2f302a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffade4d4320 6 bytes {JMP QWORD [RIP+0x2eccda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffade4de0d0 6 bytes {JMP QWORD [RIP+0x2c2f2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffade4ec8e0 6 bytes {JMP QWORD [RIP+0x31471a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffade4f3ea0 6 bytes {JMP QWORD [RIP+0x2ed15a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffade55d4a0 6 bytes {JMP QWORD [RIP+0x203b5a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffade55dd90 6 bytes {JMP QWORD [RIP+0x1e326a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3140] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffade586190 6 bytes {JMP QWORD [RIP+0x19ae6a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 00007ffaedfa2af0 6 bytes {JMP QWORD [RIP+0x14ee50a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\System32\SHELL32.dll!ShellExecuteW 00007ffaedfc41d0 6 bytes {JMP QWORD [RIP+0x14ace2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffaf0701470 6 bytes {JMP QWORD [RIP+0x2afb8a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffade45d220 6 bytes {JMP QWORD [RIP+0x3c3dda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffade484790 6 bytes {JMP QWORD [RIP+0x27c86a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffade48dfd0 6 bytes {JMP QWORD [RIP+0x2f302a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffade4d4320 6 bytes {JMP QWORD [RIP+0x2eccda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffade4de0d0 6 bytes {JMP QWORD [RIP+0x2c2f2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffade4ec8e0 6 bytes {JMP QWORD [RIP+0x31471a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffade4f3ea0 6 bytes {JMP QWORD [RIP+0x2ed15a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffade55d4a0 6 bytes {JMP QWORD [RIP+0x203b5a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffade55dd90 6 bytes {JMP QWORD [RIP+0x1e326a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10156] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffade586190 6 bytes {JMP QWORD [RIP+0x19ae6a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffaf05cddc0 6 bytes {JMP QWORD [RIP+0xd323a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffaf05d1800 6 bytes {JMP QWORD [RIP+0x3ff7fa]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffaf05d4a33 2 bytes [C5, 10]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffaf060c1c0 6 bytes {JMP QWORD [RIP+0x344e3a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffaf060d620 6 bytes {JMP QWORD [RIP+0xb39da]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffaf0610860 6 bytes {JMP QWORD [RIP+0x38079a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 0000024d00252af0 6 bytes {JMP QWORD [RIP+0x16fe50a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\System32\SHELL32.dll!ShellExecuteW 0000024d002741d0 6 bytes {JMP QWORD [RIP+0x16ace2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffaf0701470 6 bytes {JMP QWORD [RIP+0x2bfb8a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffade45d220 6 bytes {JMP QWORD [RIP+0x3c3dda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffade484790 6 bytes {JMP QWORD [RIP+0x27c86a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffade48dfd0 6 bytes {JMP QWORD [RIP+0x2f302a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffade4d4320 6 bytes {JMP QWORD [RIP+0x2eccda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffade4de0d0 6 bytes {JMP QWORD [RIP+0x2c2f2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffade4ec8e0 6 bytes {JMP QWORD [RIP+0x31471a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffade4f3ea0 6 bytes {JMP QWORD [RIP+0x2ed15a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffade55d4a0 6 bytes {JMP QWORD [RIP+0x203b5a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffade55dd90 6 bytes {JMP QWORD [RIP+0x1e326a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffade586190 6 bytes {JMP QWORD [RIP+0x19ae6a]}
? C:\Windows\SYSTEM32\iertutil.dll [3596] entry point in ".rdata" section 0000000070b7fcf0
? C:\Windows\SYSTEM32\dbgcore.DLL [3596] entry point in ".rdata" section 00000000704bc940
? C:\Windows\SYSTEM32\NTASN1.dll [3596] entry point in ".rdata" section 000000006cb2a020
? C:\Windows\SYSTEM32\wship6.dll [3596] entry point in ".rdata" section 0000000070752470
? C:\Windows\system32\ncryptsslp.dll [3596] entry point in ".rdata" section 000000006cad04f0
? C:\Windows\System32\OneCoreUAPCommonProxyStub.dll [3596] entry point in ".rdata" section 000000006b177ec0
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffaf05cddc0 6 bytes {JMP QWORD [RIP+0xd323a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffaf05d1800 6 bytes {JMP QWORD [RIP+0x3ff7fa]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffaf05d4a33 2 bytes [C5, 10]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffaf060c1c0 6 bytes {JMP QWORD [RIP+0x344e3a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffaf060d620 6 bytes {JMP QWORD [RIP+0xb39da]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffaf0610860 6 bytes {JMP QWORD [RIP+0x38079a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 000001663c3e2af0 6 bytes {JMP QWORD [RIP+0x162e50a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\System32\SHELL32.dll!ShellExecuteW 000001663c4041d0 6 bytes {JMP QWORD [RIP+0x15dce2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffaf0701470 6 bytes {JMP QWORD [RIP+0x2bfb8a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffade45d220 6 bytes {JMP QWORD [RIP+0x3c3dda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffade484790 6 bytes {JMP QWORD [RIP+0x27c86a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffade48dfd0 6 bytes {JMP QWORD [RIP+0x2f302a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffade4d4320 6 bytes {JMP QWORD [RIP+0x2eccda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffade4de0d0 6 bytes {JMP QWORD [RIP+0x2c2f2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffade4ec8e0 6 bytes {JMP QWORD [RIP+0x31471a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffade4f3ea0 6 bytes {JMP QWORD [RIP+0x2ed15a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffade55d4a0 6 bytes {JMP QWORD [RIP+0x203b5a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffade55dd90 6 bytes {JMP QWORD [RIP+0x1e326a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffade586190 6 bytes {JMP QWORD [RIP+0x19ae6a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffaf05cddc0 6 bytes {JMP QWORD [RIP+0xd323a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffaf05d1800 6 bytes {JMP QWORD [RIP+0x3ff7fa]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffaf05d4a33 2 bytes [C5, 10]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffaf060c1c0 6 bytes {JMP QWORD [RIP+0x344e3a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffaf060d620 6 bytes {JMP QWORD [RIP+0xb39da]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffaf0610860 6 bytes {JMP QWORD [RIP+0x38079a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 000002a7c6122af0 6 bytes {JMP QWORD [RIP+0x15be50a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\System32\SHELL32.dll!ShellExecuteW 000002a7c61441d0 6 bytes {JMP QWORD [RIP+0x157ce2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffaf0701470 6 bytes {JMP QWORD [RIP+0x2bfb8a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffade45d220 6 bytes {JMP QWORD [RIP+0x3c3dda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffade484790 6 bytes {JMP QWORD [RIP+0x27c86a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffade48dfd0 6 bytes {JMP QWORD [RIP+0x2f302a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffade4d4320 6 bytes {JMP QWORD [RIP+0x2eccda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffade4de0d0 6 bytes {JMP QWORD [RIP+0x2c2f2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffade4ec8e0 6 bytes {JMP QWORD [RIP+0x31471a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffade4f3ea0 6 bytes {JMP QWORD [RIP+0x2ed15a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffade55d4a0 6 bytes {JMP QWORD [RIP+0x203b5a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffade55dd90 6 bytes {JMP QWORD [RIP+0x1e326a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffade586190 6 bytes {JMP QWORD [RIP+0x19ae6a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 00007ffaedfa2af0 6 bytes {JMP QWORD [RIP+0x14ee50a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\System32\SHELL32.dll!ShellExecuteW 00007ffaedfc41d0 6 bytes {JMP QWORD [RIP+0x14ace2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffaf0701470 6 bytes {JMP QWORD [RIP+0x2afb8a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffade45d220 6 bytes {JMP QWORD [RIP+0x3c3dda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffade484790 6 bytes {JMP QWORD [RIP+0x27c86a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffade48dfd0 6 bytes {JMP QWORD [RIP+0x2f302a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffade4d4320 6 bytes {JMP QWORD [RIP+0x2eccda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffade4de0d0 6 bytes {JMP QWORD [RIP+0x2c2f2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffade4ec8e0 6 bytes {JMP QWORD [RIP+0x31471a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffade4f3ea0 6 bytes {JMP QWORD [RIP+0x2ed15a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffade55d4a0 6 bytes {JMP QWORD [RIP+0x203b5a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffade55dd90 6 bytes {JMP QWORD [RIP+0x1e326a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffade586190 6 bytes {JMP QWORD [RIP+0x19ae6a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffaf05cddc0 6 bytes {JMP QWORD [RIP+0xd323a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffaf05d1800 6 bytes {JMP QWORD [RIP+0x3ff7fa]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffaf05d4a33 2 bytes [C5, 10]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffaf060c1c0 6 bytes {JMP QWORD [RIP+0x344e3a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffaf060d620 6 bytes {JMP QWORD [RIP+0xb39da]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffaf0610860 6 bytes {JMP QWORD [RIP+0x38079a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 000002051e402af0 6 bytes {JMP QWORD [RIP+0x162e50a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\System32\SHELL32.dll!ShellExecuteW 000002051e4241d0 6 bytes {JMP QWORD [RIP+0x15dce2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffaf0701470 6 bytes {JMP QWORD [RIP+0x2bfb8a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffade45d220 6 bytes {JMP QWORD [RIP+0x3c3dda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffade484790 6 bytes {JMP QWORD [RIP+0x27c86a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffade48dfd0 6 bytes {JMP QWORD [RIP+0x2f302a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffade4d4320 6 bytes {JMP QWORD [RIP+0x2eccda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffade4de0d0 6 bytes {JMP QWORD [RIP+0x2c2f2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffade4ec8e0 6 bytes {JMP QWORD [RIP+0x31471a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffade4f3ea0 6 bytes {JMP QWORD [RIP+0x2ed15a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffade55d4a0 6 bytes {JMP QWORD [RIP+0x203b5a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffade55dd90 6 bytes {JMP QWORD [RIP+0x1e326a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffade586190 6 bytes {JMP QWORD [RIP+0x19ae6a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffaf05cddc0 6 bytes {JMP QWORD [RIP+0xd323a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffaf05d1800 6 bytes {JMP QWORD [RIP+0x3ff7fa]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffaf05d4a33 2 bytes [C5, 10]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffaf060c1c0 6 bytes {JMP QWORD [RIP+0x344e3a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffaf060d620 6 bytes {JMP QWORD [RIP+0xb39da]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffaf0610860 6 bytes {JMP QWORD [RIP+0x38079a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 000002c080282af0 6 bytes {JMP QWORD [RIP+0x16ce50a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\System32\SHELL32.dll!ShellExecuteW 000002c0802a41d0 6 bytes {JMP QWORD [RIP+0x167ce2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffaf0701470 6 bytes {JMP QWORD [RIP+0x2bfb8a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffade45d220 6 bytes {JMP QWORD [RIP+0x3c3dda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffade484790 6 bytes {JMP QWORD [RIP+0x27c86a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffade48dfd0 6 bytes {JMP QWORD [RIP+0x2f302a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffade4d4320 6 bytes {JMP QWORD [RIP+0x2eccda]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffade4de0d0 6 bytes {JMP QWORD [RIP+0x2c2f2a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffade4ec8e0 6 bytes {JMP QWORD [RIP+0x31471a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffade4f3ea0 6 bytes {JMP QWORD [RIP+0x2ed15a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffade55d4a0 6 bytes {JMP QWORD [RIP+0x203b5a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffade55dd90 6 bytes {JMP QWORD [RIP+0x1e326a]}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffade586190 6 bytes {JMP QWORD [RIP+0x19ae6a]}
? C:\Windows\system32\apphelp.dll [8020] entry point in ".rdata" section 0000000072cdf7c0

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_vsnwprintf] [2c5000800000008]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!memmove] [410a]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!memcpy_s] [5f2001020130000]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [4800000800180070]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_onexit] [20004900000000]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!__dllonexit] [8000000080032]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_initterm] [10201300000000]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_amsg_exit] [8001800700072]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_XcptFilter] [4a000000004800]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_free_locale] [800320028]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_get_current_locale] [1430a03c50024]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!__crtLCMapStringW] [2150000000000000]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_wcsdup] [18201300080010]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!sprintf_s] [800200070060e]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!??_V@YAXPEAX@Z] [4b000000004800]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!abort] [18000800320040]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!memset] [410a06c60008]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_ismbblead] [b000000000000]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!___mb_cur_max_func] [18000b00760010]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!calloc] [760020000b0076]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!___lc_codepage_func] [48000800280048]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!___lc_handle_func] [380070000b0030]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!__pctype_func] [48000008]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!__uncaught_exception] [800320018004c]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!setlocale] [410a01c400080000]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_unlock] [0]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_lock] [4800000800100070]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_errno] [50004d00000000]
IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!memcpy] [24000800080032]
IAT
C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!__CxxFrameHandler3] [410a08c6] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_CxxThrowException] [10004800000000] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z] [760018000b0008] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_callnewh] [b00760020000b] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!wcschr] [30000b00760028] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBD@Z] [760038000b0076] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!?what@exception@@UEBAPEBDXZ] [70000800402150] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!??0bad_cast@@QEAA@AEBV0@@Z] [480000080048] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!??0bad_cast@@QEAA@PEBD@Z] [320058004e0000] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!??1bad_cast@@UEAA@XZ] [9c7004000100008] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!malloc] [10001470a] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!free] [65a0010000b0000] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_vsnprintf_s] [48000800180048] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!??0exception@@QEAA@AEBV0@@Z] [28000b00080020] IAT 
C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!??0exception@@QEAA@XZ] [688003020130076] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!??1exception@@UEAA@XZ] [2013000800382150] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_purecall] [48215006e60040] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!??3@YAXPEAX@Z] [8005000700008] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!wcscat_s] [4f000000004800] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[msvcrt.dll!_wcsicmp] [10000800320048] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[ntdll.dll!RtlLookupFunctionEntry] [b000000000000] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[ntdll.dll!RtlVirtualUnwind] [18000b00760010] IAT C:\Windows\system32\svchost.exe[512] @ C:\Windows\system32\enterpriseresourcemanager.dll[ntdll.dll!RtlCaptureContext] [760020000b0076] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\System32\USER32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffaede8002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\System32\ole32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\System32\ole32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8252] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffab4301ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\System32\USER32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffaede8002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\System32\ole32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\System32\ole32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program 
Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9720] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffab4301ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\System32\USER32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffaede8002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\System32\ole32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\System32\ole32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5236] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffab4301ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1232] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffab4301ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\System32\USER32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffaede8002c] IAT C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\System32\ole32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\System32\ole32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7244] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffab4301ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\System32\USER32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffaede8002c] IAT C:\Program 
Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\System32\ole32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\System32\ole32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffaede8006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffaf067002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9696] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffab4301ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll ---- Modules - GMER 2.2 ---- Module \??\C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys fffff80cc82d0000-fffff80cc82de000 (57344 bytes) ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [8760:764] fffff11708a06c20 ---- Services - GMER 2.2 ---- Service C:\Users\Krystian\AppData\Roaming\360bizhi\lpi\WpSvc.dll (*** hidden *** ) [AUTO] WpSvc <-- ROOTKIT !!! 
---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x7A 0xC8 0xC6 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x9C 0xFD 0x50 0x74 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x7A 0xC8 0xC6 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x9C 0xFD 0x50 0x74 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 23 Reg HKLM\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance@ActiveShutdownDCL C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMN15C40_28_07DD_1D^51AC4511CAE3489C86F1BBEC2B1C7C87@Timestamp 0x1D 0x0B 0x27 0x22 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 736 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1287294435 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 6905 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 3557 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 17622 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime 433 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 1086 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 7263 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeLibraryInitTime 36 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeInitTime 121 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 926 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 7422 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime 663 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime 241 Reg 
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeMapTime 15 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 8350 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 8368 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 15713 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 8364 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 17608 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 10362 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 128 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberSharedBufferTime 3 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 15418 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 6424 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeInitTime 118 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeSharedBufferTime 7 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 1871 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 396821 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0x41 0x75 0x02 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 33588 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0x66 0x3E 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate 67 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCompressRate 26 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate 100 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate 82 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumTime 88 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumTime 76 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumIoTime 67 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 1017 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 772 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime 7367 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x11 0x5F 0xC6 0x76 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 803023ba-e235-4ee7-b543-1503e6d Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 1 Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{c1ba4c65-70a1-4994-967f-52897c6a3c8c} Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\2c6e856680e0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\2c6e856680e0@00a0c6841efa 0xE2 0xF2 0x4D 0x8A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\2c6e856680e0@7844054f91f2 0xFE 0x05 0x5A 0xA3 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_8af31@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_8af31@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_8af31@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_8af31@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_8af31@DisplayName CDPUserSvc_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_8af31@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_8af31@Description @%SystemRoot%\system32\cdpusersvc.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_8af31\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_8af31\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{962faa8c-be26-471d-9329-84881d979033}@LastProbeTime 1482702010 Reg HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{613704E3-BBCF-4722-A578-5FEFE87219C1}@DefunctTimestamp 0x7E 0x2E 0x60 0x58 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31@DisplayName Us?uga wiadomo?ci_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31@FailureActions 0x80 0x51 0x01 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31@Description @%SystemRoot%\system32\MessagingService.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31\TriggerInfo Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31\TriggerInfo\0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31\TriggerInfo\0@Type 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31\TriggerInfo\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31\TriggerInfo\0@DataType0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7@Timestamp 0x8C 0xD8 0xA9 0x51 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_8af31@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_8af31@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_8af31@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_8af31@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_8af31@DisplayName Synchronizuj hosta_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_8af31@FailureActions 0x80 0x51 0x01 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_8af31@Description @%SystemRoot%\system32\APHostRes.dll,-10001 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_8af31\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_8af31\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_8af31@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_8af31@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_8af31@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_8af31@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_8af31@DisplayName Dane kontaktowe_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_8af31@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_8af31@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-15000 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_8af31\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_8af31\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 22 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?niedz.?, ?gru ?25 ?16, 09:41:36 PM???????????????????????????? 
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends 61 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2936 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1904 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 22 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 431 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{60b545f3-84ad-47ce-add2-5b87de5fd3ca}@LeaseObtainedTime 1482698409 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{60b545f3-84ad-47ce-add2-5b87de5fd3ca}@T1 1482741609 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{60b545f3-84ad-47ce-add2-5b87de5fd3ca}@T2 1482774009 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{60b545f3-84ad-47ce-add2-5b87de5fd3ca}@LeaseTerminatesTime 1482784809 Reg HKLM\SYSTEM\CurrentControlSet\Services\ucdrv@ImagePath \??\C:\Windows\System32\drivers:ucdrv-x64.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\ucdrv Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_8af31@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_8af31@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_8af31@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_8af31@ImagePath C:\Windows\System32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_8af31@DisplayName Magazyn danych u?ytkownika_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_8af31@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_8af31@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-10002 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_8af31\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_8af31\Security@Security 0x01 0x00 0x04 0x80 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_8af31@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_8af31@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_8af31@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_8af31@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_8af31@DisplayName Dost?p do danych u?ytkownika_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_8af31@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_8af31@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-14000 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_8af31\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_8af31\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xC9 0x5F 0x57 0xCA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xC9 0xC7 0x1B 0x2C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xC9 0xF7 0x92 0x68 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 14064 14070 14082 14092 14102 14122 14166 14176 14214 14220 14236 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_8af31@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_8af31@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_8af31@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_8af31@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_8af31@DisplayName Us?uga u?ytkownika powiadomie? WNS_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_8af31@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_8af31@Description @%SystemRoot%\system32\WpnUserService.dll,-2 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_8af31\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_8af31\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_8af31 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc@ImagePath %SystemRoot%\System32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc@DisplayName WallPaper Protection Service Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc@DelayedAutostart 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc@Description ???????????????????????????? 
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc\Parameters@ServiceDll C:\Users\Krystian\AppData\Roaming\360bizhi\lpi\WpSvc.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc\Parameters@ServiceMain SM Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc\Parameters@Port 20531 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc\Parameters@LDT 1482697480 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpSvc ---- Files - GMER 2.2 ---- ADS C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys 47304 bytes executable ADS C:\Program Files (x86)\UCBrowser\Security:x64 739728 bytes executable ADS C:\Program Files (x86)\UCBrowser\Security:x86 602512 bytes executable ADS C:\Windows\System32\drivers:ucdrv-x64.sys 40424 bytes executable <-- ROOTKIT !!! ADS C:\Windows\System32\drivers:x64 739728 bytes executable ADS C:\Windows\System32\drivers:x86 602512 bytes executable File C:\Windows\Temp\WAX59A4.tmp (size mismatch) 11071488/0 bytes executable ---- Services - GMER 2.2 ---- Service C:\Windows\System32\drivers:ucdrv-x64.sys [SYSTEM] ucdrv <-- ROOTKIT !!! ---- EOF - GMER 2.2 ----