GMER 2.1.18952 - http://www.gmer.net Rootkit scan 2013-02-18 17:30:33 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 596,17GB Running: xmhkve7b.exe; Driver: C:\Users\ZAWODO~1\AppData\Local\Temp\uwliafod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2024] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000765c87b1 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2024] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2024] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2272] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000707f1a22 2 bytes [7F, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2272] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000707f1ad0 2 bytes [7F, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2272] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000707f1b08 2 bytes [7F, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2272] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000707f1bba 2 bytes [7F, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2272] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000707f1bda 2 bytes [7F, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Windows\SysWOW64\PnkBstrA.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrB.exe[2296] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000707f1a22 2 bytes [7F, 70] .text C:\Windows\SysWOW64\PnkBstrB.exe[2296] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000707f1ad0 2 bytes [7F, 70] .text C:\Windows\SysWOW64\PnkBstrB.exe[2296] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000707f1b08 2 bytes [7F, 70] .text C:\Windows\SysWOW64\PnkBstrB.exe[2296] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000707f1bba 2 bytes [7F, 70] .text C:\Windows\SysWOW64\PnkBstrB.exe[2296] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000707f1bda 2 bytes [7F, 70] .text C:\Windows\SysWOW64\PnkBstrB.exe[2296] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Windows\SysWOW64\PnkBstrB.exe[2296] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[2948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[2948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Windows\SysWOW64\RunDll32.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Windows\SysWOW64\RunDll32.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[1924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text D:\Program Files (x86)\Steam\Steam.exe[1080] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate 0000000075ef549c 5 bytes JMP 00000001000f0800 .text D:\Program Files (x86)\Steam\Steam.exe[1080] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text D:\Program Files (x86)\Steam\Steam.exe[1080] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[9052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[9052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [9052] entry point in ".rdata" section 000000006cbd71e6 .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000771ff991 7 bytes {MOV EDX, 0x65a228; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000771ffbd5 7 bytes {MOV EDX, 0x65a268; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000771ffc05 7 bytes {MOV EDX, 0x65a1a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000771ffc1d 7 bytes {MOV EDX, 0x65a128; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000771ffc35 7 bytes {MOV EDX, 0x65a328; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000771ffc65 7 bytes {MOV EDX, 0x65a368; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000771ffce5 7 bytes {MOV EDX, 0x65a2e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000771ffcfd 7 bytes {MOV EDX, 0x65a2a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000771ffd49 7 bytes {MOV EDX, 0x65a068; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000771ffe41 7 bytes {MOV EDX, 0x65a0a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077200099 7 bytes {MOV EDX, 0x65a028; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772010a5 7 bytes {MOV EDX, 0x65a1e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007720111d 7 bytes {MOV EDX, 0x65a168; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077201321 7 bytes {MOV EDX, 0x65a0e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000771ff991 7 bytes {MOV EDX, 0xbb7628; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000771ffbd5 7 bytes {MOV EDX, 0xbb7668; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000771ffc05 7 bytes {MOV EDX, 0xbb75a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000771ffc1d 7 bytes {MOV EDX, 0xbb7528; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000771ffc35 7 bytes {MOV EDX, 0xbb7728; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000771ffc65 7 bytes {MOV EDX, 0xbb7768; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000771ffce5 7 bytes {MOV EDX, 0xbb76e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000771ffcfd 7 bytes {MOV EDX, 0xbb76a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000771ffd49 7 bytes {MOV EDX, 0xbb7468; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000771ffe41 7 bytes {MOV EDX, 0xbb74a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077200099 7 bytes {MOV EDX, 0xbb7428; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772010a5 7 bytes {MOV EDX, 0xbb75e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007720111d 7 bytes {MOV EDX, 0xbb7568; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077201321 7 bytes {MOV EDX, 0xbb74e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000771ff991 7 bytes {MOV EDX, 0xf5a228; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000771ffbd5 7 bytes {MOV EDX, 0xf5a268; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000771ffc05 7 bytes {MOV EDX, 0xf5a1a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000771ffc1d 7 bytes {MOV EDX, 0xf5a128; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000771ffc35 7 bytes {MOV EDX, 0xf5a328; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000771ffc65 7 bytes {MOV EDX, 0xf5a368; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000771ffce5 7 bytes {MOV EDX, 0xf5a2e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000771ffcfd 7 bytes {MOV EDX, 0xf5a2a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000771ffd49 7 bytes {MOV EDX, 0xf5a068; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000771ffe41 7 bytes {MOV EDX, 0xf5a0a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077200099 7 bytes {MOV EDX, 0xf5a028; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772010a5 7 bytes {MOV EDX, 0xf5a1e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007720111d 7 bytes {MOV EDX, 0xf5a168; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077201321 7 bytes {MOV EDX, 0xf5a0e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000771ff991 7 bytes {MOV EDX, 0xcdba28; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000771ffbd5 7 bytes {MOV EDX, 0xcdba68; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000771ffc05 7 bytes {MOV EDX, 0xcdb9a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000771ffc1d 7 bytes {MOV EDX, 0xcdb928; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000771ffc35 7 bytes {MOV EDX, 0xcdbb28; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000771ffc65 7 bytes {MOV EDX, 0xcdbb68; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000771ffce5 7 bytes {MOV EDX, 0xcdbae8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000771ffcfd 7 bytes {MOV EDX, 0xcdbaa8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000771ffd49 7 bytes {MOV EDX, 0xcdb868; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000771ffe41 7 bytes {MOV EDX, 0xcdb8a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077200099 7 bytes {MOV EDX, 0xcdb828; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772010a5 7 bytes {MOV EDX, 0xcdb9e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007720111d 7 bytes {MOV EDX, 0xcdb968; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077201321 7 bytes {MOV EDX, 0xcdb8e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[8928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000771ff991 7 bytes {MOV EDX, 0x8f3228; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000771ffbd5 7 bytes {MOV EDX, 0x8f3268; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000771ffc05 7 bytes {MOV EDX, 0x8f31a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000771ffc1d 7 bytes {MOV EDX, 0x8f3128; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000771ffc35 7 bytes {MOV EDX, 0x8f3328; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000771ffc65 7 bytes {MOV EDX, 0x8f3368; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000771ffce5 7 bytes {MOV EDX, 0x8f32e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000771ffcfd 7 bytes {MOV EDX, 0x8f32a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000771ffd49 7 bytes {MOV EDX, 0x8f3068; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000771ffe41 7 bytes {MOV EDX, 0x8f30a8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077200099 7 bytes {MOV EDX, 0x8f3028; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772010a5 7 bytes {MOV EDX, 0x8f31e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007720111d 7 bytes {MOV EDX, 0x8f3168; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077201321 7 bytes {MOV EDX, 0x8f30e8; JMP RDX} .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Users\ZawodowieC\AppData\Local\Google\Chrome\Application\chrome.exe[6952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 .text C:\Users\ZawodowieC\Desktop\xmhkve7b.exe[4076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76] .text C:\Users\ZawodowieC\Desktop\xmhkve7b.exe[4076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2184:3652] 0000000074927587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2184:1792] 0000000068820cb3 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2184:5036] 0000000077232e25 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2184:5784] 0000000077233e45 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2184:5936] 0000000077233e45 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2184:3736] 0000000077233e45 Thread C:\Windows\System32\svchost.exe [3256:3676] 000007feefcb9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1625d01 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1625d01@3017c853e5b8 0x6A 0x32 0x08 0xF4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1625d01@6c0e0d0b4a4a 0xBC 0xE3 0x19 0x68 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb1625d01 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb1625d01@3017c853e5b8 0x6A 0x32 0x08 0xF4 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb1625d01@6c0e0d0b4a4a 0xBC 0xE3 0x19 0x68 ... ---- EOF - GMER 2.1 ----