GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-07-18 02:24:25 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKS-007AA0 rev.05.01D05 465,76GB Running: gmer.exe; Driver: C:\Users\Czarek\AppData\Local\Temp\kwrdapog.sys ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1409 820839A5 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 820A3512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91828000, 0x15061A, 0xE8000020] .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x926F6000, 0xBB22, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9370C300, 0x1BEE, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtCreateFile + 6 76F7560E 4 Bytes [28, DC, 17, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtCreateFile + B 76F75613 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtMapViewOfSection + 6 76F75C6E 4 Bytes [28, DF, 17, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtMapViewOfSection + B 76F75C73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenFile + 6 76F75D1E 4 Bytes [68, DC, 17, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenFile + B 76F75D23 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcess + 6 76F75DCE 4 Bytes [A8, DD, 17, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcess + B 76F75DD3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessToken + 6 76F75DDE 4 Bytes CALL 75F775C0 C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessToken + B 76F75DE3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessTokenEx + 6 76F75DEE 4 Bytes [A8, DE, 17, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessTokenEx + B 76F75DF3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThread + 6 76F75E4E 4 Bytes [68, DD, 17, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThread + B 76F75E53 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadToken + 6 76F75E5E 4 Bytes [68, DE, 17, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadToken + B 76F75E63 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadTokenEx + 6 76F75E6E 4 Bytes CALL 75F77651 C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadTokenEx + B 76F75E73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryAttributesFile + 6 76F75F7E 4 Bytes [A8, DC, 17, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryAttributesFile + B 76F75F83 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryFullAttributesFile + 6 76F7602E 4 Bytes CALL 75F7780F C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryFullAttributesFile + B 76F76033 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationFile + 6 76F7667E 4 Bytes [28, DD, 17, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationFile + B 76F76683 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationThread + 6 76F766DE 4 Bytes [28, DE, 17, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationThread + B 76F766E3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtUnmapViewOfSection + 6 76F769FE 4 Bytes [68, DF, 17, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtUnmapViewOfSection + B 76F76A03 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtCreateFile + 6 76F7560E 4 Bytes CALL 59F656F3 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtCreateFile + B 76F75613 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtMapViewOfSection + 6 76F75C6E 4 Bytes [28, EB, E0, 00] {SUB BL, CH; LOOPNZ 0x4} .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtMapViewOfSection + B 76F75C73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenFile + 6 76F75D1E 4 Bytes CALL 59F65E03 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenFile + B 76F75D23 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenProcess + 6 76F75DCE 4 Bytes JMP 59F65EB3 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenProcess + B 76F75DD3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenProcessToken + 6 76F75DDE 4 Bytes CALL 75F83ECC C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenProcessToken + B 76F75DE3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenProcessTokenEx + 6 76F75DEE 4 Bytes JMP E2FF00E0 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenProcessTokenEx + B 76F75DF3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenThread + 6 76F75E4E 4 Bytes JMP 59F65F33 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenThread + B 76F75E53 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenThreadToken + 6 76F75E5E 4 Bytes JMP E2FF00E0 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenThreadToken + B 76F75E63 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenThreadTokenEx + 6 76F75E6E 4 Bytes CALL 75F83F5D C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenThreadTokenEx + B 76F75E73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtQueryAttributesFile + 6 76F75F7E 4 Bytes CALL 59F66063 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtQueryAttributesFile + B 76F75F83 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtQueryFullAttributesFile + 6 76F7602E 4 Bytes CALL 75F8411B C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtQueryFullAttributesFile + B 76F76033 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtSetInformationFile + 6 76F7667E 4 Bytes JMP 59F66763 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtSetInformationFile + B 76F76683 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtSetInformationThread + 6 76F766DE 4 Bytes JMP E2FF00E0 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtSetInformationThread + B 76F766E3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtUnmapViewOfSection + 6 76F769FE 4 Bytes [68, EB, E0, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtUnmapViewOfSection + B 76F76A03 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4340] ntdll.dll!NtMapViewOfSection + 6 76F75C6E 4 Bytes [18, 10, 74, 5B] {SBB [EAX], DL; JZ 0x5f} .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4340] ntdll.dll!NtMapViewOfSection + B 76F75C73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtCreateFile + 6 76F7560E 4 Bytes [28, 90, A7, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtCreateFile + B 76F75613 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtMapViewOfSection + 6 76F75C6E 4 Bytes [28, 93, A7, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtMapViewOfSection + B 76F75C73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenFile + 6 76F75D1E 4 Bytes [68, 90, A7, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenFile + B 76F75D23 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenProcess + 6 76F75DCE 4 Bytes [A8, 91, A7, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenProcess + B 76F75DD3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenProcessToken + 6 76F75DDE 4 Bytes CALL 75F80574 C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenProcessToken + B 76F75DE3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenProcessTokenEx + 6 76F75DEE 4 Bytes [A8, 92, A7, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenProcessTokenEx + B 76F75DF3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenThread + 6 76F75E4E 4 Bytes [68, 91, A7, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenThread + B 76F75E53 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenThreadToken + 6 76F75E5E 4 Bytes [68, 92, A7, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenThreadToken + B 76F75E63 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenThreadTokenEx + 6 76F75E6E 4 Bytes CALL 75F80605 C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtOpenThreadTokenEx + B 76F75E73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtQueryAttributesFile + 6 76F75F7E 4 Bytes [A8, 90, A7, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtQueryAttributesFile + B 76F75F83 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtQueryFullAttributesFile + 6 76F7602E 4 Bytes CALL 75F807C3 C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtQueryFullAttributesFile + B 76F76033 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtSetInformationFile + 6 76F7667E 4 Bytes [28, 91, A7, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtSetInformationFile + B 76F76683 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtSetInformationThread + 6 76F766DE 4 Bytes [28, 92, A7, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtSetInformationThread + B 76F766E3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtUnmapViewOfSection + 6 76F769FE 4 Bytes [68, 93, A7, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4496] ntdll.dll!NtUnmapViewOfSection + B 76F76A03 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtCreateFile + 6 76F7560E 4 Bytes [28, 88, 46, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtCreateFile + B 76F75613 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtMapViewOfSection + 6 76F75C6E 4 Bytes [28, 8B, 46, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtMapViewOfSection + B 76F75C73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenFile + 6 76F75D1E 4 Bytes [68, 88, 46, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenFile + B 76F75D23 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenProcess + 6 76F75DCE 4 Bytes [A8, 89, 46, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenProcess + B 76F75DD3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenProcessToken + 6 76F75DDE 4 Bytes CALL 75F7A46C C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenProcessToken + B 76F75DE3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenProcessTokenEx + 6 76F75DEE 4 Bytes [A8, 8A, 46, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenProcessTokenEx + B 76F75DF3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenThread + 6 76F75E4E 4 Bytes [68, 89, 46, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenThread + B 76F75E53 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenThreadToken + 6 76F75E5E 4 Bytes [68, 8A, 46, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenThreadToken + B 76F75E63 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenThreadTokenEx + 6 76F75E6E 4 Bytes CALL 75F7A4FD C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtOpenThreadTokenEx + B 76F75E73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtQueryAttributesFile + 6 76F75F7E 4 Bytes [A8, 88, 46, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtQueryAttributesFile + B 76F75F83 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtQueryFullAttributesFile + 6 76F7602E 4 Bytes CALL 75F7A6BB C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtQueryFullAttributesFile + B 76F76033 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtSetInformationFile + 6 76F7667E 4 Bytes [28, 89, 46, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtSetInformationFile + B 76F76683 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtSetInformationThread + 6 76F766DE 4 Bytes [28, 8A, 46, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtSetInformationThread + B 76F766E3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtUnmapViewOfSection + 6 76F769FE 4 Bytes [68, 8B, 46, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[4988] ntdll.dll!NtUnmapViewOfSection + B 76F76A03 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtCreateFile + 6 76F7560E 4 Bytes CALL 59F65666 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtCreateFile + B 76F75613 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtMapViewOfSection + 6 76F75C6E 4 Bytes [28, EB, 53, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtMapViewOfSection + B 76F75C73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenFile + 6 76F75D1E 4 Bytes CALL 59F65D76 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenFile + B 76F75D23 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenProcess + 6 76F75DCE 4 Bytes JMP 59F65E26 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenProcess + B 76F75DD3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenProcessToken + 6 76F75DDE 4 Bytes CALL 75F7B1CC C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenProcessToken + B 76F75DE3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenProcessTokenEx + 6 76F75DEE 4 Bytes JMP E2FF0053 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenProcessTokenEx + B 76F75DF3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenThread + 6 76F75E4E 4 Bytes JMP 59F65EA6 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenThread + B 76F75E53 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenThreadToken + 6 76F75E5E 4 Bytes JMP E2FF0053 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenThreadToken + B 76F75E63 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenThreadTokenEx + 6 76F75E6E 4 Bytes CALL 75F7B25D C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtOpenThreadTokenEx + B 76F75E73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtQueryAttributesFile + 6 76F75F7E 4 Bytes CALL 59F65FD6 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtQueryAttributesFile + B 76F75F83 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtQueryFullAttributesFile + 6 76F7602E 4 Bytes CALL 75F7B41B C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtQueryFullAttributesFile + B 76F76033 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtSetInformationFile + 6 76F7667E 4 Bytes JMP 59F666D6 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtSetInformationFile + B 76F76683 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtSetInformationThread + 6 76F766DE 4 Bytes JMP E2FF0053 .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtSetInformationThread + B 76F766E3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtUnmapViewOfSection + 6 76F769FE 4 Bytes [68, EB, 53, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5280] ntdll.dll!NtUnmapViewOfSection + B 76F76A03 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtCreateFile + 6 76F7560E 4 Bytes [28, 38, 6B, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtCreateFile + B 76F75613 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtMapViewOfSection + 6 76F75C6E 4 Bytes [28, 3B, 6B, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtMapViewOfSection + B 76F75C73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenFile + 6 76F75D1E 4 Bytes [68, 38, 6B, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenFile + B 76F75D23 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenProcess + 6 76F75DCE 4 Bytes [A8, 39, 6B, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenProcess + B 76F75DD3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenProcessToken + 6 76F75DDE 4 Bytes CALL 75F7C91C C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenProcessToken + B 76F75DE3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenProcessTokenEx + 6 76F75DEE 4 Bytes [A8, 3A, 6B, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenProcessTokenEx + B 76F75DF3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenThread + 6 76F75E4E 4 Bytes [68, 39, 6B, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenThread + B 76F75E53 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenThreadToken + 6 76F75E5E 4 Bytes [68, 3A, 6B, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenThreadToken + B 76F75E63 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenThreadTokenEx + 6 76F75E6E 4 Bytes CALL 75F7C9AD C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenThreadTokenEx + B 76F75E73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtQueryAttributesFile + 6 76F75F7E 4 Bytes [A8, 38, 6B, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtQueryAttributesFile + B 76F75F83 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtQueryFullAttributesFile + 6 76F7602E 4 Bytes CALL 75F7CB6B C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtQueryFullAttributesFile + B 76F76033 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtSetInformationFile + 6 76F7667E 4 Bytes [28, 39, 6B, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtSetInformationFile + B 76F76683 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtSetInformationThread + 6 76F766DE 4 Bytes [28, 3A, 6B, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtSetInformationThread + B 76F766E3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtUnmapViewOfSection + 6 76F769FE 4 Bytes [68, 3B, 6B, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtUnmapViewOfSection + B 76F76A03 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtCreateFile + 6 76F7560E 4 Bytes [28, 5C, 8A, 00] {SUB [EDX+ECX*4+0x0], BL} .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtCreateFile + B 76F75613 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtMapViewOfSection + 6 76F75C6E 4 Bytes [28, 5F, 8A, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtMapViewOfSection + B 76F75C73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenFile + 6 76F75D1E 4 Bytes [68, 5C, 8A, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenFile + B 76F75D23 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenProcess + 6 76F75DCE 4 Bytes [A8, 5D, 8A, 00] {TEST AL, 0x5d; MOV AL, [EAX]} .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenProcess + B 76F75DD3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenProcessToken + 6 76F75DDE 4 Bytes CALL 75F7E840 C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenProcessToken + B 76F75DE3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenProcessTokenEx + 6 76F75DEE 4 Bytes [A8, 5E, 8A, 00] {TEST AL, 0x5e; MOV AL, [EAX]} .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenProcessTokenEx + B 76F75DF3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenThread + 6 76F75E4E 4 Bytes [68, 5D, 8A, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenThread + B 76F75E53 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenThreadToken + 6 76F75E5E 4 Bytes [68, 5E, 8A, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenThreadToken + B 76F75E63 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenThreadTokenEx + 6 76F75E6E 4 Bytes CALL 75F7E8D1 C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtOpenThreadTokenEx + B 76F75E73 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtQueryAttributesFile + 6 76F75F7E 4 Bytes [A8, 5C, 8A, 00] {TEST AL, 0x5c; MOV AL, [EAX]} .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtQueryAttributesFile + B 76F75F83 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtQueryFullAttributesFile + 6 76F7602E 4 Bytes CALL 75F7EA8F C:\Windows\system32\SHELL32.dll .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtQueryFullAttributesFile + B 76F76033 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtSetInformationFile + 6 76F7667E 4 Bytes [28, 5D, 8A, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtSetInformationFile + B 76F76683 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtSetInformationThread + 6 76F766DE 4 Bytes [28, 5E, 8A, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtSetInformationThread + B 76F766E3 1 Byte [E2] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtUnmapViewOfSection + 6 76F769FE 4 Bytes [68, 5F, 8A, 00] .text C:\Users\Czarek\AppData\Local\Google\Chrome\Application\chrome.exe[7436] ntdll.dll!NtUnmapViewOfSection + B 76F76A03 1 Byte [E2] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7365249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73635652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73635710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7365251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7364857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73644D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [736450D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [736451AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [736466DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [736482D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73648824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73649085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7364E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73644C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7C 0x6C 0x81 0x81 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x32 0xD5 0xE8 0x64 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7C 0x6C 0x81 0x81 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x32 0xD5 0xE8 0x64 ... Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{9C9F2AFD-FF53-11E0-8130-806E6F6E6963} 19293804520 ---- EOF - GMER 2.1 ----