GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-31 14:39:39 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320423AS rev.D005SDM1 298,09GB Running: l1f5133p.exe; Driver: C:\Users\johnyQ\AppData\Local\Temp\kwrdipow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800031ae000 63 bytes [00, 00, 0D, 02, 4D, 64, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 624 fffff800031ae040 6 bytes [5F, 58, 11, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .text C:\Users\johnyQ\AppData\Roaming\Spotify\spotify.exe[4228] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 0000000077b4000c 1 byte [C3] .text C:\Users\johnyQ\AppData\Roaming\Spotify\spotify.exe[4228] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 0000000077bcf85a 5 bytes JMP 0000000177b7d571 .text C:\Users\johnyQ\AppData\Roaming\Spotify\spotify.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075811465 2 bytes [81, 75] .text C:\Users\johnyQ\AppData\Roaming\Spotify\spotify.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758114bb 2 bytes [81, 75] .text ... * 2 .text C:\Users\johnyQ\Desktop\OTL.exe[24660] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075811465 2 bytes [81, 75] .text C:\Users\johnyQ\Desktop\OTL.exe[24660] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000758114bb 2 bytes [81, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075811465 2 bytes [81, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758114bb 2 bytes [81, 75] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [5484] entry point in ".rdata" section 000000006bf971e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b4f991 7 bytes {MOV EDX, 0x348e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b4fbd5 7 bytes {MOV EDX, 0x348e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b4fc05 2 bytes [BA, A8] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 8 0000000077b4fc08 4 bytes {XOR AL, 0x0; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b4fc1d 2 bytes [BA, 28] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 8 0000000077b4fc20 4 bytes {XOR AL, 0x0; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b4fc35 7 bytes {MOV EDX, 0x348f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b4fc65 7 bytes {MOV EDX, 0x348f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b4fce5 7 bytes {MOV EDX, 0x348ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b4fcfd 7 bytes {MOV EDX, 0x348ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b4fd49 7 bytes {MOV EDX, 0x348c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b4fe41 7 bytes {MOV EDX, 0x348ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b50099 7 bytes {MOV EDX, 0x348c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b510a5 2 bytes [BA, E8] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 8 0000000077b510a8 4 bytes {XOR AL, 0x0; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b5111d 2 bytes [BA, 68] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 8 0000000077b51120 4 bytes {XOR AL, 0x0; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b51321 7 bytes {MOV EDX, 0x348ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075811465 2 bytes [81, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[21540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758114bb 2 bytes [81, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075811465 2 bytes [81, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758114bb 2 bytes [81, 75] .text ... * 2 .text C:\Users\johnyQ\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[17216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075811465 2 bytes [81, 75] .text C:\Users\johnyQ\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[17216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758114bb 2 bytes [81, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b4f991 7 bytes {MOV EDX, 0xdb8e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b4fbd5 7 bytes {MOV EDX, 0xdb8e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b4fc05 2 bytes [BA, A8] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 8 0000000077b4fc08 4 bytes {FILD DWORD [RAX]; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b4fc1d 2 bytes [BA, 28] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 8 0000000077b4fc20 4 bytes {FILD DWORD [RAX]; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b4fc35 7 bytes {MOV EDX, 0xdb8f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b4fc65 7 bytes {MOV EDX, 0xdb8f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b4fce5 7 bytes {MOV EDX, 0xdb8ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b4fcfd 7 bytes {MOV EDX, 0xdb8ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b4fd49 7 bytes {MOV EDX, 0xdb8c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b4fe41 7 bytes {MOV EDX, 0xdb8ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b50099 7 bytes {MOV EDX, 0xdb8c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b510a5 2 bytes [BA, E8] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 8 0000000077b510a8 4 bytes {FILD DWORD [RAX]; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b5111d 2 bytes [BA, 68] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 8 0000000077b51120 4 bytes {FILD DWORD [RAX]; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b51321 7 bytes {MOV EDX, 0xdb8ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075811465 2 bytes [81, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758114bb 2 bytes [81, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b4f991 7 bytes {MOV EDX, 0x1033628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b4fbd5 7 bytes {MOV EDX, 0x1033668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b4fc05 7 bytes {MOV EDX, 0x10335a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b4fc1d 7 bytes {MOV EDX, 0x1033528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b4fc35 7 bytes {MOV EDX, 0x1033728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b4fc65 7 bytes {MOV EDX, 0x1033768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b4fce5 7 bytes {MOV EDX, 0x10336e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b4fcfd 7 bytes {MOV EDX, 0x10336a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b4fd49 7 bytes {MOV EDX, 0x1033468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b4fe41 7 bytes {MOV EDX, 0x10334a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b50099 7 bytes {MOV EDX, 0x1033428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b510a5 7 bytes {MOV EDX, 0x10335e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b5111d 7 bytes {MOV EDX, 0x1033568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b51321 7 bytes {MOV EDX, 0x10334e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075811465 2 bytes [81, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[17496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758114bb 2 bytes [81, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b4f991 7 bytes {MOV EDX, 0x3c2628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b4fbd5 7 bytes {MOV EDX, 0x3c2668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b4fc05 7 bytes {MOV EDX, 0x3c25a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b4fc1d 7 bytes {MOV EDX, 0x3c2528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b4fc35 7 bytes {MOV EDX, 0x3c2728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b4fc65 7 bytes {MOV EDX, 0x3c2768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b4fce5 7 bytes {MOV EDX, 0x3c26e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b4fcfd 7 bytes {MOV EDX, 0x3c26a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b4fd49 7 bytes {MOV EDX, 0x3c2468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b4fe41 7 bytes {MOV EDX, 0x3c24a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b50099 7 bytes {MOV EDX, 0x3c2428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b510a5 7 bytes {MOV EDX, 0x3c25e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b5111d 7 bytes {MOV EDX, 0x3c2568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b51321 7 bytes {MOV EDX, 0x3c24e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075811465 2 bytes [81, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[20876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758114bb 2 bytes [81, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b4f991 7 bytes {MOV EDX, 0x155628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b4fbd5 7 bytes {MOV EDX, 0x155668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b4fc05 7 bytes {MOV EDX, 0x1555a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b4fc1d 7 bytes {MOV EDX, 0x155528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b4fc35 7 bytes {MOV EDX, 0x155728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b4fc65 7 bytes {MOV EDX, 0x155768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b4fce5 7 bytes {MOV EDX, 0x1556e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b4fcfd 7 bytes {MOV EDX, 0x1556a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b4fd49 7 bytes {MOV EDX, 0x155468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b4fe41 7 bytes {MOV EDX, 0x1554a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b50099 7 bytes {MOV EDX, 0x155428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b510a5 7 bytes {MOV EDX, 0x1555e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b5111d 7 bytes {MOV EDX, 0x155568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b51321 7 bytes {MOV EDX, 0x1554e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075811465 2 bytes [81, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[28424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758114bb 2 bytes [81, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077b4f991 7 bytes {MOV EDX, 0x404228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077b4fbd5 7 bytes {MOV EDX, 0x404268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077b4fc05 7 bytes {MOV EDX, 0x4041a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077b4fc1d 7 bytes {MOV EDX, 0x404128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077b4fc35 7 bytes {MOV EDX, 0x404328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b4fc65 7 bytes {MOV EDX, 0x404368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077b4fce5 7 bytes {MOV EDX, 0x4042e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077b4fcfd 7 bytes {MOV EDX, 0x4042a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077b4fd49 7 bytes {MOV EDX, 0x404068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077b4fe41 7 bytes {MOV EDX, 0x4040a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077b50099 7 bytes {MOV EDX, 0x404028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077b510a5 7 bytes {MOV EDX, 0x4041e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077b5111d 7 bytes {MOV EDX, 0x404168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077b51321 7 bytes {MOV EDX, 0x4040e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075811465 2 bytes [81, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758114bb 2 bytes [81, 75] .text ... * 2 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe[25124] @ C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll[USER32.dll!TrackPopupMenu] [13f60f090] C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe IAT C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe[25124] @ C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll[USER32.dll!GetFocus] [13f60f170] C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe IAT C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe[25124] @ C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll[USER32.dll!GetWindowInfo] [13f60f0e0] C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [964:1180] 000007fefae9ffc0 Thread C:\Windows\System32\svchost.exe [964:1184] 000007fefabd331c Thread C:\Windows\System32\svchost.exe [964:1556] 000007fef8e459a0 Thread C:\Windows\System32\svchost.exe [964:2624] 000007fefd1d1a70 Thread C:\Windows\System32\svchost.exe [964:2972] 000007fef6aaa2b0 Thread C:\Windows\System32\svchost.exe [964:3012] 000007fef69c20c0 Thread C:\Windows\System32\svchost.exe [964:3036] 000007fef69c26a8 Thread C:\Windows\System32\svchost.exe [964:4980] 000007fef7ef44e0 Thread C:\Windows\System32\svchost.exe [964:6780] 000007feec523efc Thread C:\Windows\System32\svchost.exe [964:6840] 000007feec568a4c Thread C:\Windows\System32\svchost.exe [964:2676] 000007fef98088f8 Thread C:\Windows\System32\svchost.exe [964:18192] 000007fefac914a0 Thread C:\Windows\System32\svchost.exe [964:24888] 000007fef69c29dc Thread C:\Windows\System32\svchost.exe [964:22976] 000007fef69c29dc Thread C:\Windows\system32\svchost.exe [312:1044] 000007fef99fce0c Thread C:\Windows\system32\svchost.exe [312:1076] 000007fef99fce0c Thread C:\Windows\system32\svchost.exe [312:3736] 000007fef607506c Thread C:\Windows\system32\svchost.exe [312:3740] 000007fef63a1c20 Thread C:\Windows\system32\svchost.exe [312:3744] 000007fef63a1c20 Thread C:\Windows\system32\svchost.exe [312:3528] 000007fefa7c5124 Thread C:\Windows\system32\svchost.exe [312:19968] 000007fef80a1ab0 Thread C:\Windows\system32\svchost.exe [312:20016] 000007fef7e4b68c Thread C:\Windows\system32\svchost.exe [312:24864] 000007fef8964164 Thread C:\Windows\system32\svchost.exe [1320:1784] 000007fefd1d1a70 Thread C:\Windows\system32\svchost.exe [1320:1796] 000007fefd1d1a70 Thread C:\Windows\system32\svchost.exe [1320:1808] 000007fefd1d1a70 Thread C:\Windows\system32\svchost.exe [1320:1824] 000007fef9a12c70 Thread C:\Windows\system32\svchost.exe [1320:1840] 000007fef9a1fb40 Thread C:\Windows\system32\svchost.exe [1320:1860] 000007fef9a31d20 Thread C:\Windows\system32\svchost.exe [1320:1864] 000007fef9a1f6f0 Thread C:\Windows\system32\svchost.exe [1320:1064] 000007fef99535c0 Thread C:\Windows\system32\svchost.exe [1320:2936] 000007fef9955600 Thread C:\Windows\system32\svchost.exe [1320:3056] 000007fef67d2888 Thread C:\Windows\system32\svchost.exe [1320:2088] 000007fef6622940 Thread C:\Windows\system32\svchost.exe [1320:4248] 000007fef67d2a40 Thread C:\Windows\system32\svchost.exe [1320:23784] 000007fefa565798 Thread C:\Windows\system32\WLANExt.exe [1572:1604] 00000001800ecd50 Thread C:\Windows\system32\WLANExt.exe [1572:1608] 0000000180090550 Thread C:\Windows\system32\WLANExt.exe [1572:1612] 00000001800ecd50 Thread C:\Windows\system32\WLANExt.exe [1572:2528] 000007fef8c22f9c Thread C:\Windows\system32\WLANExt.exe [1572:2560] 0000000001148bc8 Thread C:\Windows\system32\WLANExt.exe [1572:2564] 0000000001148be4 Thread C:\Windows\system32\WLANExt.exe [1572:2568] 0000000001148bac Thread C:\Windows\system32\WLANExt.exe [1572:2572] 000007fef8c22f9c Thread C:\Windows\system32\taskhost.exe [1664:1740] 000007fef8bd1f38 Thread C:\Windows\system32\taskhost.exe [1664:2496] 000007fefb971010 Thread C:\Windows\system32\taskhost.exe [1664:640] 000007fef9b95170 Thread C:\Windows\system32\svchost.exe [2364:2452] 000007fef7dc5fd0 Thread C:\Windows\system32\svchost.exe [2364:2468] 000007fef9633438 Thread C:\Windows\system32\svchost.exe [2364:2472] 000007fef7dc63ec Thread C:\Windows\system32\svchost.exe [2364:2480] 00000000724fa790 Thread C:\Windows\system32\svchost.exe [2364:2532] 000007fefb97a850 Thread C:\Windows\system32\svchost.exe [2964:12428] 000007fef8c22f9c Thread C:\Windows\System32\svchost.exe [848:25832] 000007fef9b95170 Thread C:\Windows\System32\svchost.exe [848:6008] 000007fefcf7ea40 Thread C:\Windows\System32\svchost.exe [848:4624] 000007fefa7c9874 Thread C:\Windows\System32\svchost.exe [6988:3920] 000007feeb769688 Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [21608:21616] 000007feeff7cc10 Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [21608:21620] 000007feefe3b564 Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [21608:21648] 000007feefe3b564 ---- Processes - GMER 2.1 ---- Library C:\Windows\system32\SSCbFsMntNtf3.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1512] 0000000180000000 Library C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1512] 000007fee76a0000 Library C:\Windows\system32\SSCbFsMntNtf3.dll (*** suspicious ***) @ C:\Program Files\Opera x64\opera.exe [23440] 0000000180000000 Library C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (*** suspicious ***) @ C:\Program Files\Opera x64\opera.exe [23440] 000007fee76a0000 Library C:\Windows\system32\SSCbFsMntNtf3.dll (*** suspicious ***) @ C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe [25124] 0000000180000000 Library C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (*** suspicious ***) @ C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe [25124] 000007fee76a0000 Library C:\Windows\system32\SSCbFsNetRdr3.dll (*** suspicious ***) @ C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe [25124] 00000000035f0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{C2992492-F27B-411E-8A40-757AFF00B1F7}\Connection@Name isatap.{F1542234-90F6-4FEA-8BD4-A52C1974C155} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{B7C58DE6-292F-4758-AB7E-A0F92A5FE34D}?\Device\{C2992492-F27B-411E-8A40-757AFF00B1F7}?\Device\{55E1AF37-E9B7-4D68-9B36-6AF7048CB818}?\Device\{955BC3E3-CAA8-4A6E-BCA6-8CA5EDDCF79B}?\Device\{C95945FE-39AC-40C8-9687-60D14EEA8012}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{B7C58DE6-292F-4758-AB7E-A0F92A5FE34D}"?"{C2992492-F27B-411E-8A40-757AFF00B1F7}"?"{55E1AF37-E9B7-4D68-9B36-6AF7048CB818}"?"{955BC3E3-CAA8-4A6E-BCA6-8CA5EDDCF79B}"?"{C95945FE-39AC-40C8-9687-60D14EEA8012}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{B7C58DE6-292F-4758-AB7E-A0F92A5FE34D}?\Device\TCPIP6TUNNEL_{C2992492-F27B-411E-8A40-757AFF00B1F7}?\Device\TCPIP6TUNNEL_{55E1AF37-E9B7-4D68-9B36-6AF7048CB818}?\Device\TCPIP6TUNNEL_{955BC3E3-CAA8-4A6E-BCA6-8CA5EDDCF79B}?\Device\TCPIP6TUNNEL_{C95945FE-39AC-40C8-9687-60D14EEA8012}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\5cac4cf97363 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\5cac4cf97363@d4206d0003a8 0x1E 0xC1 0x10 0xA7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\5cac4cf97363@d4206d0004bb 0x0A 0xD7 0x48 0x0A ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{C2992492-F27B-411E-8A40-757AFF00B1F7}@InterfaceName isatap.{F1542234-90F6-4FEA-8BD4-A52C1974C155} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{C2992492-F27B-411E-8A40-757AFF00B1F7}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 3422 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\5cac4cf97363 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\5cac4cf97363@d4206d0003a8 0x1E 0xC1 0x10 0xA7 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\5cac4cf97363@d4206d0004bb 0x0A 0xD7 0x48 0x0A ... ---- Files - GMER 2.1 ---- File C:\Users\johnyQ\AppData\Local\Google\Chrome\User Data\Profile 3\JumpListIcons\343F.tmp 0 bytes File C:\Users\johnyQ\AppData\Local\Google\Chrome\User Data\Profile 3\JumpListIcons\3440.tmp 0 bytes File C:\Users\johnyQ\AppData\Local\Google\Chrome\User Data\Profile 3\JumpListIcons\3441.tmp 150798 bytes File C:\Users\johnyQ\Dysk Google\Kardiologia\to są pytania od grupy z którą ja pisałem, podobno weszły.\desktop.ini 150 bytes File C:\Users\johnyQ\Dysk Google\Kardiologia\to są pytania od grupy z którą ja pisałem, podobno weszły.\fwdkardiopytania.zip 20344372 bytes File C:\Users\johnyQ\Dysk Google\Kardiologia\to są pytania od grupy z którą ja pisałem, podobno weszły.\test.rar 4656982 bytes File C:\Users\johnyQ\Dysk Google\Kardiologia\to są pytania od grupy z którą ja pisałem, podobno weszły.\tocoudaomisiznalewswoichmateriaach_miejlektu.zip 23246884 bytes ---- EOF - GMER 2.1 ----