GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-07-09 13:08:22
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12 WDC_WD5000AAKS-00YGA0 rev.12.01C02 465,76GB
Running: 12xu3ott.exe; Driver: C:\DOCUME~1\ROBI\USTAWI~1\Temp\pgwdiaow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xEBB90AA0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xEBB9157E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xEBBD585D]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xEBB9D5C8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xEBB9D614]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xEBB9D7AE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xEBBD5211]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xEBB9D536]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xEBB9D658]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xEBB9D57E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xEBB91AB4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xEBB9D768]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xEBB9236C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xEBB90B06]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xEBBD5F23]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xEBBD61D9]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xEBB95B40]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xEBBD5D8E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xEBBD5BF9]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xEBB906F2]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xEB45E7B2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xEBB90B6C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xEBB95F36]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xEBB92E54]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xEBB9D5F2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xEBB9D636]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xEBB9D7D2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xEBBD556D]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xEBB9D55C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xEBB9543A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xEBB9D6E6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xEBB9D5A6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xEBB95822]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xEBB9D78C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xEB45E556]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xEBBD5A74]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xEBB92CC8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xEBBD58C6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xEBB9281E]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xEB46C526]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xEBBD4857]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xEBB90BD2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xEBB90C38]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xEBB921E6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xEBB9078C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xEBB9095E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xEBBD602A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xEBB908EC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xEBB92536]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xEBB92698]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xEBB909E6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xEBB92024]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xEBB921C6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xEBB90C9E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xEBB915DA]

INT 0x63 ? FCC43044
INT 0x73 ? FC80E46C
INT 0x83 ? FCC9A044
INT 0x84 ? FC8E53CC
INT 0x92 ? FCA673CC
INT 0x94 ? FC8DF3CC
INT 0xA4 ? FCA82BEC
INT 0xB1 ? FCCEB2AC
INT 0xB4 ? FC9DF8E4

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 E0BCF8BC 12 Bytes [D2, 0B, B9, EB, 38, 0C, B9, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 307C E0BCF964 12 Bytes [36, 25, B9, EB, 98, 26, B9, ...]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF47C1000, 0xEDC62, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE[172] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE[172] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[376] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[376] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\smss.exe[664] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[728] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[728] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[768] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[768] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[812] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[824] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Java\jre7\bin\jqs.exe[860] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Java\jre7\bin\jqs.exe[860] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[1008] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[1008] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\RTHDCPL.EXE[1184] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\RTHDCPL.EXE[1184] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1316] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1316] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text E:\Programy\Avast\AvastUI.exe[1344] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text E:\Programy\Avast\AvastUI.exe[1344] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text E:\Programy\Avast\AvastUI.exe[1344] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1436] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[1528] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[1528] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text E:\Programy\Avast\AvastSvc.exe[1616] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text E:\Programy\Avast\AvastSvc.exe[1616] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text E:\Programy\Avast\AvastSvc.exe[1616] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1752] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1752] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1776] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1776] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1908] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1988] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1988] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2012] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2012] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Messenger\msmsgs.exe[2020] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2036] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [18, 10, C4, 01] {SBB [EAX], DL; LES EAX, [ECX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2036] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2036] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003C01F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2036] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2036] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003C03FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2036] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2068] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2068] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[2252] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[2252] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 08, 75, 00] {SUB [EAX], CL; JNZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 0B, 75, 00] {SUB [EBX], CL; JNZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 08, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 09, 75, 00] {TEST AL, 0x9; JNZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B914B22
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 0A, 75, 00] {TEST AL, 0xa; JNZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 09, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 0A, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B914B93
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 08, 75, 00] {TEST AL, 0x8; JNZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B914CC1
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 09, 75, 00] {SUB [ECX], CL; JNZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 0A, 75, 00] {SUB [EDX], CL; JNZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 0B, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00B301F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 00B303FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Documents and Settings\ROBI\Moje dokumenty\Downloads\12xu3ott.exe[2544] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Documents and Settings\ROBI\Moje dokumenty\Downloads\12xu3ott.exe[2544] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2680] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2680] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[3144] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[3144] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3336] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3336] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 1C, 1E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 1F, 1E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 1C, 1E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 1D, 1E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90F436
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 1E, 1E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 1D, 1E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 1E, 1E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90F4A7
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 1C, 1E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90F5D5
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 1D, 1E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 1E, 1E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 1F, 1E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 006901F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 006903FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3548] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[4024] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[4024] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\services.exe[812] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[812] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys

---- EOF - GMER 2.1 ----