GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-05 16:06:51 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\00000061 MAXTOR_STM380211AS rev.3.AAE 74,53GB Running: ndo3zdls.exe; Driver: C:\DOCUME~1\viola\USTAWI~1\Temp\kwxyipod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xF2025A9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xF202657A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xF206A85D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xF20325C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xF2032610] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xF20327AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xF206A211] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xF2032532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xF2032654] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xF203257A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xF2026AB0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xF2032764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xF2027368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xF2025B02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xF206AF23] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xF206B1D9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xF202AB3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xF206AD8E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xF206ABF9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xF20256EE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xF235D67A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xF2025B68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xF202AF32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xF2027E50] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xF20325EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xF2032632] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xF20327CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xF206A56D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xF2032558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xF202A436] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xF20326E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xF20325A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xF202A81E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xF2032788] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xF235D41E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xF206AA74] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xF2027CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xF206A8C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xF202781A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xF236B3D8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xF2069857] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xF2025BCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xF2025C34] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xF20271E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xF2025788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xF202595A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xF206B02A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xF20258E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xF2027532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xF2027694] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xF20259E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xF2027020] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xF20271C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xF2025C9A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xF20265D6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2770 80501FCC 12 Bytes [CE, 5B, 02, F2, 34, 5C, 02, ...] {INTO ; POP EBX; ADD DH, DL; XOR AL, 0x5c; ADD DH, DL; LOOP 0x7b; ADD DH, DL} .text ntkrnlpa.exe!ZwCallbackReturn + 2808 80502064 4 Bytes CALL C54222C1 .text ntkrnlpa.exe!ZwCallbackReturn + 2818 80502074 12 Bytes [32, 75, 02, F2, 94, 76, 02, ...] {XOR DH, [EBP+0x2]; XCHG ESP, EAX; JBE 0x9; LOOP 0x63; ADD DH, DL} PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 8059BA02 4 Bytes CALL F20284FD \SystemRoot\system32\drivers\aswSnx.sys .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF58903C0, 0x84E2FA, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\wscntfy.exe[528] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[528] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[648] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[692] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[692] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[696] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[696] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[720] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[720] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\services.exe[764] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[776] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[780] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[780] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[780] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[848] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[848] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes CALL 5F8FD1C1 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, EB, 08, 01] {SUB BL, CH; OR [ECX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes CALL 5F8FD6B1 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes JMP 5F8FD711 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91DF02 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes JMP E2FF0108 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes JMP 5F8FD771 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes JMP E2FF0108 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91DF73 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes CALL 5F8FD821 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91E0A1 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes JMP 5F8FDD71 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes JMP E2FF0108 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, EB, 08, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 014601F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 014603FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[992] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[992] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Documents and Settings\viola\Moje dokumenty\Downloads\ndo3zdls.exe[1004] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\viola\Moje dokumenty\Downloads\ndo3zdls.exe[1004] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1084] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1084] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1104] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1104] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\SqueakyChocolate\UpdateChecker\UpdateCheckerApp.exe[1240] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\SqueakyChocolate\UpdateChecker\UpdateCheckerApp.exe[1240] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1604] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1604] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1604] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text D:\PROGRAMY UŻYTKOWE\bin\jqs.exe[1624] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text D:\PROGRAMY UŻYTKOWE\bin\jqs.exe[1624] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[1640] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[1640] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[1652] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[1652] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1676] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1676] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1812] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1812] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe[1860] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe[1860] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2796] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2796] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2860] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [18, 00, C3, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2860] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2860] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003C01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2860] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2860] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003C03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[2860] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 48, 16, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 4B, 16, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 48, 16, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 49, 16, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC62 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 4A, 16, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 49, 16, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 4A, 16, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ECD3 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 48, 16, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EE01 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 49, 16, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 4A, 16, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 4B, 16, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003F01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003F03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3300] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 40, 01, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 43, 01, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 40, 01, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 41, 01, 01] {TEST AL, 0x41; ADD [ECX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91D75A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 42, 01, 01] {TEST AL, 0x42; ADD [ECX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 41, 01, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 42, 01, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91D7CB .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 40, 01, 01] {TEST AL, 0x40; ADD [ECX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91D8F9 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 41, 01, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 42, 01, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 43, 01, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 013E01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 013E03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3860] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys ---- EOF - GMER 2.1 ----