GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-07-07 14:52:24 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL032C 149,05GB Running: 9uihpsxe.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x90657A9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x9065857A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x906645C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x90664610] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x906647AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x90664532] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x9070E6C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x9066457A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0x90658AB0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x90658CCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x90664764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x90659368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x90657B02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x9065CB3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x906576EE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x9070E7A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x90657B68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x9065CF32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x90659E50] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x906645EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x90664632] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x906647CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x90664558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x9065C436] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x906646E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x906645A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x9065C81E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x90664788] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x9070E546] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x90659CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x906599D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x90657BCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x90657C34] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x9070E89E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x90657788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x9065795A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x906578E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x90659532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x90659694] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x906579E2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x9070E614] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x906591C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x90657C9A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x906585D6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82C8DA15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CC7212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82CCE460 4 Bytes [9C, 7A, 65, 90] {PUSHF ; JP 0x68; NOP } .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82CCE4E8 4 Bytes [7A, 85, 65, 90] {JP 0xffffff87; NOP } .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82CCE53C 8 Bytes [C4, 45, 66, 90, 10, 46, 66, ...] {LES EAX, [EBP+0x66]; NOP ; ADC [ESI+0x66], AL; NOP } .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82CCE548 4 Bytes [AA, 47, 66, 90] {STOSB ; INC EDI; NOP } .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82CCE564 4 Bytes [32, 45, 66, 90] {XOR AL, [EBP+0x66]; NOP } .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82E894EF 4 Bytes CALL 9065A513 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82EA3357 4 Bytes CALL 9065A529 \SystemRoot\system32\drivers\aswSnx.sys .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x8B134CF2] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[408] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[412] ntdll.dll!NtMapViewOfSection + 6 77C75C6E 4 Bytes [18, 10, 78, 73] {SBB [EAX], DL; JS 0x77} .text C:\Program Files\Google\Chrome\Application\chrome.exe[412] ntdll.dll!NtMapViewOfSection + B 77C75C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[412] ntdll.dll!LdrUnloadDll 77C8C8DE 5 Bytes JMP 000E03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[412] ntdll.dll!LdrLoadDll 77C922AE 5 Bytes JMP 000E01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[412] KERNEL32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\system32\wininit.exe[464] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[476] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\system32\services.exe[524] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\system32\winlogon.exe[548] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text ... .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtCreateFile + 6 77C7560E 4 Bytes [28, 1C, 5E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtCreateFile + B 77C75613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtMapViewOfSection + 6 77C75C6E 4 Bytes [28, 1F, 5E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtMapViewOfSection + B 77C75C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenFile + 6 77C75D1E 4 Bytes [68, 1C, 5E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenFile + B 77C75D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenProcess + 6 77C75DCE 4 Bytes [A8, 1D, 5E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenProcess + B 77C75DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenProcessToken + B 77C75DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenProcessTokenEx + 6 77C75DEE 4 Bytes [A8, 1E, 5E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenProcessTokenEx + B 77C75DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenThread + 6 77C75E4E 4 Bytes [68, 1D, 5E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenThread + B 77C75E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenThreadToken + 6 77C75E5E 4 Bytes [68, 1E, 5E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenThreadToken + B 77C75E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtOpenThreadTokenEx + B 77C75E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtQueryAttributesFile + 6 77C75F7E 4 Bytes [A8, 1C, 5E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtQueryAttributesFile + B 77C75F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtQueryFullAttributesFile + B 77C76033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtSetInformationFile + 6 77C7667E 4 Bytes [28, 1D, 5E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtSetInformationFile + B 77C76683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtSetInformationThread + 6 77C766DE 4 Bytes [28, 1E, 5E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtSetInformationThread + B 77C766E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtUnmapViewOfSection + 6 77C769FE 4 Bytes [68, 1F, 5E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!NtUnmapViewOfSection + B 77C76A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!LdrUnloadDll 77C8C8DE 5 Bytes JMP 007A03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] ntdll.dll!LdrLoadDll 77C922AE 5 Bytes JMP 007A01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[640] KERNEL32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\System32\igfxtray.exe[668] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[680] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\System32\igfxpers.exe[756] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[772] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1296] kernel32.dll!SetUnhandledExceptionFilter 76B2F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1296] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\notepad.exe[1304] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[1380] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1384] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\Explorer.EXE[1428] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text ... .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[2328] kernel32.dll!SetUnhandledExceptionFilter 76B2F5AB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[2328] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2340] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2428] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2508] kernel32.dll!SetUnhandledExceptionFilter 76B2F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2508] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\NetCrawl\bin\utilNetCrawl.exe[2548] KERNEL32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[2612] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtCreateFile + 6 77C7560E 4 Bytes [28, B0, 2E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtCreateFile + B 77C75613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtMapViewOfSection + 6 77C75C6E 4 Bytes [28, B3, 2E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtMapViewOfSection + B 77C75C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenFile + 6 77C75D1E 4 Bytes [68, B0, 2E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenFile + B 77C75D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcess + 6 77C75DCE 4 Bytes [A8, B1, 2E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcess + B 77C75DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcessToken + B 77C75DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcessTokenEx + 6 77C75DEE 4 Bytes [A8, B2, 2E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcessTokenEx + B 77C75DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThread + 6 77C75E4E 4 Bytes [68, B1, 2E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThread + B 77C75E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThreadToken + 6 77C75E5E 4 Bytes [68, B2, 2E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThreadToken + B 77C75E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThreadTokenEx + B 77C75E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtQueryAttributesFile + 6 77C75F7E 4 Bytes [A8, B0, 2E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtQueryAttributesFile + B 77C75F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtQueryFullAttributesFile + B 77C76033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationFile + 6 77C7667E 4 Bytes [28, B1, 2E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationFile + B 77C76683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationThread + 6 77C766DE 4 Bytes [28, B2, 2E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationThread + B 77C766E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtUnmapViewOfSection + 6 77C769FE 4 Bytes [68, B3, 2E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtUnmapViewOfSection + B 77C76A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!LdrUnloadDll 77C8C8DE 5 Bytes JMP 003B03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!LdrLoadDll 77C922AE 5 Bytes JMP 003B01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2632] KERNEL32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\ChomikBox\chomikbox.exe[2764] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[2872] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[2896] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtCreateFile + 6 77C7560E 4 Bytes [28, 00, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtCreateFile + B 77C75613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtMapViewOfSection + 6 77C75C6E 1 Byte [28] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtMapViewOfSection + 6 77C75C6E 4 Bytes [28, 03, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtMapViewOfSection + B 77C75C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenFile + 6 77C75D1E 4 Bytes [68, 00, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenFile + B 77C75D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenProcess + 6 77C75DCE 4 Bytes [A8, 01, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenProcess + B 77C75DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenProcessToken + B 77C75DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenProcessTokenEx + 6 77C75DEE 4 Bytes [A8, 02, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenProcessTokenEx + B 77C75DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenThread + 6 77C75E4E 4 Bytes [68, 01, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenThread + B 77C75E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenThreadToken + 6 77C75E5E 4 Bytes [68, 02, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenThreadToken + B 77C75E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtOpenThreadTokenEx + B 77C75E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtQueryAttributesFile + 6 77C75F7E 4 Bytes [A8, 00, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtQueryAttributesFile + B 77C75F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtQueryFullAttributesFile + B 77C76033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtSetInformationFile + 6 77C7667E 4 Bytes [28, 01, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtSetInformationFile + B 77C76683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtSetInformationThread + 6 77C766DE 4 Bytes [28, 02, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtSetInformationThread + B 77C766E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtUnmapViewOfSection + 6 77C769FE 1 Byte [68] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtUnmapViewOfSection + 6 77C769FE 4 Bytes [68, 03, 35, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!NtUnmapViewOfSection + B 77C76A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!LdrUnloadDll 77C8C8DE 5 Bytes JMP 005203FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] ntdll.dll!LdrLoadDll 77C922AE 5 Bytes JMP 005201F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2944] KERNEL32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[2948] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\NetCrawl\bin\NetCrawl.PurBrowse.exe[2972] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\system32\conhost.exe[2988] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[3084] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text ... .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtCreateFile + 6 77C7560E 4 Bytes [28, 30, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtCreateFile + B 77C75613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtMapViewOfSection + 6 77C75C6E 4 Bytes [28, 33, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtMapViewOfSection + B 77C75C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenFile + 6 77C75D1E 4 Bytes [68, 30, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenFile + B 77C75D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenProcess + 6 77C75DCE 4 Bytes [A8, 31, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenProcess + B 77C75DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenProcessToken + 6 77C75DDE 4 Bytes CALL 76C82A14 C:\Windows\system32\ole32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenProcessToken + B 77C75DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenProcessTokenEx + 6 77C75DEE 4 Bytes [A8, 32, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenProcessTokenEx + B 77C75DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenThread + 6 77C75E4E 4 Bytes [68, 31, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenThread + B 77C75E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenThreadToken + 6 77C75E5E 4 Bytes [68, 32, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenThreadToken + B 77C75E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenThreadTokenEx + 6 77C75E6E 4 Bytes CALL 76C82AA5 C:\Windows\system32\ole32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenThreadTokenEx + B 77C75E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtQueryAttributesFile + 6 77C75F7E 4 Bytes [A8, 30, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtQueryAttributesFile + B 77C75F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtQueryFullAttributesFile + 6 77C7602E 4 Bytes CALL 76C82C63 C:\Windows\system32\ole32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtQueryFullAttributesFile + B 77C76033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtSetInformationFile + 6 77C7667E 4 Bytes [28, 31, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtSetInformationFile + B 77C76683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtSetInformationThread + 6 77C766DE 4 Bytes [28, 32, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtSetInformationThread + B 77C766E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtUnmapViewOfSection + 6 77C769FE 4 Bytes [68, 33, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtUnmapViewOfSection + B 77C76A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!LdrUnloadDll 77C8C8DE 5 Bytes JMP 00D803FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!LdrLoadDll 77C922AE 5 Bytes JMP 00D801F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3652] KERNEL32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[3660] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtCreateFile + 6 77C7560E 4 Bytes [28, 74, A8, 00] {SUB [EAX+EBP*4+0x0], DH} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtCreateFile + B 77C75613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtMapViewOfSection + 6 77C75C6E 4 Bytes [28, 77, A8, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtMapViewOfSection + B 77C75C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenFile + 6 77C75D1E 4 Bytes [68, 74, A8, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenFile + B 77C75D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenProcess + 6 77C75DCE 4 Bytes [A8, 75, A8, 00] {TEST AL, 0x75; TEST AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenProcess + B 77C75DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenProcessToken + 6 77C75DDE 4 Bytes CALL 76C80658 C:\Windows\system32\ole32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenProcessToken + B 77C75DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenProcessTokenEx + 6 77C75DEE 4 Bytes [A8, 76, A8, 00] {TEST AL, 0x76; TEST AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenProcessTokenEx + B 77C75DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenThread + 6 77C75E4E 4 Bytes [68, 75, A8, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenThread + B 77C75E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenThreadToken + 6 77C75E5E 4 Bytes [68, 76, A8, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenThreadToken + B 77C75E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenThreadTokenEx + 6 77C75E6E 4 Bytes CALL 76C806E9 C:\Windows\system32\ole32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtOpenThreadTokenEx + B 77C75E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtQueryAttributesFile + 6 77C75F7E 4 Bytes [A8, 74, A8, 00] {TEST AL, 0x74; TEST AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtQueryAttributesFile + B 77C75F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtQueryFullAttributesFile + 6 77C7602E 4 Bytes CALL 76C808A7 C:\Windows\system32\ole32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtQueryFullAttributesFile + B 77C76033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtSetInformationFile + 6 77C7667E 4 Bytes [28, 75, A8, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtSetInformationFile + B 77C76683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtSetInformationThread + 6 77C766DE 4 Bytes [28, 76, A8, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtSetInformationThread + B 77C766E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtUnmapViewOfSection + 6 77C769FE 4 Bytes [68, 77, A8, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtUnmapViewOfSection + B 77C76A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!LdrUnloadDll 77C8C8DE 5 Bytes JMP 00B503FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!LdrLoadDll 77C922AE 5 Bytes JMP 00B501F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] KERNEL32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3716] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[4072] kernel32.dll!GetBinaryTypeW + 70 76B46AAC 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746A249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74685652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74685710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [746A251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7469857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74694D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [746950D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746951AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [746966DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [746982D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74698824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74699085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7469E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1428] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74694C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8555E1F8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8555c1f8]<< 8555c1f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x863bc948] 863bc948 Trace 3 CLASSPNP.SYS[8b77c59e] -> nt!IofCallDriver -> [0x85539608] 85539608 Trace 5 ACPI.sys[8b16c3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x855bc610] 855bc610 Trace \Driver\atapi[0x862dd2d8] -> IRP_MJ_CREATE -> 0x8555c1f8 8555c1f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6bb7936d Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6bb7936d@002345016c44 0xD1 0xFB 0x8F 0x7E ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6bb7936d@303855556cd1 0x5D 0x16 0x59 0x6A ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6bb7936d@00180fcf7b7d 0x59 0x30 0xB5 0x4E ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6bb7936d@6c8336142e91 0xB0 0xF4 0x91 0xD3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2F 0x8F 0xED 0x7B ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6bb7936d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6bb7936d@002345016c44 0xD1 0xFB 0x8F 0x7E ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6bb7936d@303855556cd1 0x5D 0x16 0x59 0x6A ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6bb7936d@00180fcf7b7d 0x59 0x30 0xB5 0x4E ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6bb7936d@6c8336142e91 0xB0 0xF4 0x91 0xD3 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2F 0x8F 0xED 0x7B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{24E0C56C-7FC6-11E1-B7C5-806E6F6E6963} 27344269480 ---- EOF - GMER 2.1 ----