GMER 2.1.18952 - http://www.gmer.net Rootkit scan 2013-02-18 15:49:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0002 465,76GB Running: 9wg45px7.exe; Driver: C:\Users\iwa\AppData\Local\Temp\uxriipow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\PANDORA.TV\PanService\PanProcess.exe[4428] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_http_auth_create_response + 294 000000006ab32c36 4 bytes [24, D9, B9, 68] .text C:\Program Files (x86)\PANDORA.TV\PanService\PanProcess.exe[4428] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_mp4_read_dec_config_descr + 435 000000006ab37e43 4 bytes [74, 4C, 09, 66] .text C:\Program Files (x86)\PANDORA.TV\PanService\PanProcess.exe[4428] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_nut_add_sp + 70 000000006ab75de6 4 bytes [20, EF, B9, 68] .text C:\Users\iwa\AppData\Roaming\Dropbox\bin\Dropbox.exe[1036] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Users\iwa\AppData\Roaming\Dropbox\bin\Dropbox.exe[1036] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Windows\AsScrPro.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Windows\AsScrPro.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[4788] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[4788] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076fdf991 7 bytes {MOV EDX, 0x30de28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076fdfbd5 7 bytes {MOV EDX, 0x30de68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076fdfc05 7 bytes {MOV EDX, 0x30dda8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076fdfc1d 7 bytes {MOV EDX, 0x30dd28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076fdfc35 7 bytes {MOV EDX, 0x30df28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076fdfc65 7 bytes {MOV EDX, 0x30df68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076fdfce5 7 bytes {MOV EDX, 0x30dee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076fdfcfd 7 bytes {MOV EDX, 0x30dea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076fdfd49 7 bytes {MOV EDX, 0x30dc68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076fdfe41 7 bytes {MOV EDX, 0x30dca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fe0099 7 bytes {MOV EDX, 0x30dc28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fe10a5 7 bytes {MOV EDX, 0x30dde8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fe111d 7 bytes {MOV EDX, 0x30dd68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fe1321 7 bytes {MOV EDX, 0x30dce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076fdf991 7 bytes {MOV EDX, 0xb07628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076fdfbd5 7 bytes {MOV EDX, 0xb07668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076fdfc05 7 bytes {MOV EDX, 0xb075a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076fdfc1d 7 bytes {MOV EDX, 0xb07528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076fdfc35 7 bytes {MOV EDX, 0xb07728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076fdfc65 7 bytes {MOV EDX, 0xb07768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076fdfce5 7 bytes {MOV EDX, 0xb076e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076fdfcfd 7 bytes {MOV EDX, 0xb076a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076fdfd49 7 bytes {MOV EDX, 0xb07468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076fdfe41 7 bytes {MOV EDX, 0xb074a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fe0099 7 bytes {MOV EDX, 0xb07428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fe10a5 7 bytes {MOV EDX, 0xb075e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fe111d 7 bytes {MOV EDX, 0xb07568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fe1321 7 bytes {MOV EDX, 0xb074e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076fdf991 7 bytes {MOV EDX, 0xe65628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076fdfbd5 7 bytes {MOV EDX, 0xe65668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076fdfc05 7 bytes {MOV EDX, 0xe655a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076fdfc1d 7 bytes {MOV EDX, 0xe65528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076fdfc35 7 bytes {MOV EDX, 0xe65728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076fdfc65 7 bytes {MOV EDX, 0xe65768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076fdfce5 7 bytes {MOV EDX, 0xe656e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076fdfcfd 7 bytes {MOV EDX, 0xe656a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076fdfd49 7 bytes {MOV EDX, 0xe65468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076fdfe41 7 bytes {MOV EDX, 0xe654a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fe0099 7 bytes {MOV EDX, 0xe65428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fe10a5 7 bytes {MOV EDX, 0xe655e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fe111d 7 bytes {MOV EDX, 0xe65568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fe1321 7 bytes {MOV EDX, 0xe654e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076fdf991 7 bytes {MOV EDX, 0x4f8628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076fdfbd5 7 bytes {MOV EDX, 0x4f8668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076fdfc05 7 bytes {MOV EDX, 0x4f85a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076fdfc1d 7 bytes {MOV EDX, 0x4f8528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076fdfc35 7 bytes {MOV EDX, 0x4f8728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076fdfc65 7 bytes {MOV EDX, 0x4f8768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076fdfce5 7 bytes {MOV EDX, 0x4f86e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076fdfcfd 7 bytes {MOV EDX, 0x4f86a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076fdfd49 7 bytes {MOV EDX, 0x4f8468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076fdfe41 7 bytes {MOV EDX, 0x4f84a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fe0099 7 bytes {MOV EDX, 0x4f8428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fe10a5 7 bytes {MOV EDX, 0x4f85e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fe111d 7 bytes {MOV EDX, 0x4f8568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fe1321 7 bytes {MOV EDX, 0x4f84e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076fdf991 7 bytes {MOV EDX, 0x8f5628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076fdfbd5 7 bytes {MOV EDX, 0x8f5668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076fdfc05 7 bytes {MOV EDX, 0x8f55a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076fdfc1d 7 bytes {MOV EDX, 0x8f5528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076fdfc35 7 bytes {MOV EDX, 0x8f5728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076fdfc65 7 bytes {MOV EDX, 0x8f5768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076fdfce5 7 bytes {MOV EDX, 0x8f56e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076fdfcfd 7 bytes {MOV EDX, 0x8f56a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076fdfd49 7 bytes {MOV EDX, 0x8f5468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076fdfe41 7 bytes {MOV EDX, 0x8f54a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fe0099 7 bytes {MOV EDX, 0x8f5428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fe10a5 7 bytes {MOV EDX, 0x8f55e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fe111d 7 bytes {MOV EDX, 0x8f5568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fe1321 7 bytes {MOV EDX, 0x8f54e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076fdf991 7 bytes {MOV EDX, 0xb30e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076fdfbd5 7 bytes {MOV EDX, 0xb30e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076fdfc05 7 bytes {MOV EDX, 0xb30da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076fdfc1d 7 bytes {MOV EDX, 0xb30d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076fdfc35 7 bytes {MOV EDX, 0xb30f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076fdfc65 7 bytes {MOV EDX, 0xb30f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076fdfce5 7 bytes {MOV EDX, 0xb30ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076fdfcfd 7 bytes {MOV EDX, 0xb30ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076fdfd49 7 bytes {MOV EDX, 0xb30c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076fdfe41 7 bytes {MOV EDX, 0xb30ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fe0099 7 bytes {MOV EDX, 0xb30c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fe10a5 7 bytes {MOV EDX, 0xb30de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fe111d 7 bytes {MOV EDX, 0xb30d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fe1321 7 bytes {MOV EDX, 0xb30ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076fdf991 7 bytes {MOV EDX, 0xafb628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076fdfbd5 7 bytes {MOV EDX, 0xafb668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076fdfc05 7 bytes {MOV EDX, 0xafb5a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076fdfc1d 7 bytes {MOV EDX, 0xafb528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076fdfc35 7 bytes {MOV EDX, 0xafb728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076fdfc65 7 bytes {MOV EDX, 0xafb768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076fdfce5 7 bytes {MOV EDX, 0xafb6e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076fdfcfd 7 bytes {MOV EDX, 0xafb6a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076fdfd49 7 bytes {MOV EDX, 0xafb468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076fdfe41 7 bytes {MOV EDX, 0xafb4a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fe0099 7 bytes {MOV EDX, 0xafb428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fe10a5 7 bytes {MOV EDX, 0xafb5e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fe111d 7 bytes {MOV EDX, 0xafb568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fe1321 7 bytes {MOV EDX, 0xafb4e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076fdf991 7 bytes {MOV EDX, 0x1cb228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076fdfbd5 7 bytes {MOV EDX, 0x1cb268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076fdfc05 7 bytes {MOV EDX, 0x1cb1a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076fdfc1d 7 bytes {MOV EDX, 0x1cb128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076fdfc35 7 bytes {MOV EDX, 0x1cb328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076fdfc65 7 bytes {MOV EDX, 0x1cb368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076fdfce5 7 bytes {MOV EDX, 0x1cb2e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076fdfcfd 7 bytes {MOV EDX, 0x1cb2a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076fdfd49 7 bytes {MOV EDX, 0x1cb068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076fdfe41 7 bytes {MOV EDX, 0x1cb0a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fe0099 7 bytes {MOV EDX, 0x1cb028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fe10a5 7 bytes {MOV EDX, 0x1cb1e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fe111d 7 bytes {MOV EDX, 0x1cb168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fe1321 7 bytes {MOV EDX, 0x1cb0e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076fdf991 7 bytes {MOV EDX, 0xef7228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076fdfbd5 7 bytes {MOV EDX, 0xef7268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076fdfc05 7 bytes {MOV EDX, 0xef71a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076fdfc1d 7 bytes {MOV EDX, 0xef7128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076fdfc35 7 bytes {MOV EDX, 0xef7328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076fdfc65 7 bytes {MOV EDX, 0xef7368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076fdfce5 7 bytes {MOV EDX, 0xef72e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076fdfcfd 7 bytes {MOV EDX, 0xef72a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076fdfd49 7 bytes {MOV EDX, 0xef7068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076fdfe41 7 bytes {MOV EDX, 0xef70a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fe0099 7 bytes {MOV EDX, 0xef7028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fe10a5 7 bytes {MOV EDX, 0xef71e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fe111d 7 bytes {MOV EDX, 0xef7168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fe1321 7 bytes {MOV EDX, 0xef70e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074cd1465 2 bytes [CD, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074cd14bb 2 bytes [CD, 74] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [6392:7116] 000007fee8329688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6644:6732] 000007fefb212a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6644:6740] 000007fee687d618 ---- EOF - GMER 2.1 ----