GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-09 23:08:10 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BPVT-80ZEST0 rev.01.01A01 298,09GB Running: 5xpei5o7.exe; Driver: C:\Users\Jacek\AppData\Local\Temp\kwddykog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8B70EBA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8B70F684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8B71B6F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8B71B744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8B71B8DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8B71B666] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x90A35DF0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8B71B6AE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x90A36080] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x90A3616A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8B71B898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8B710472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8B70EC0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8B713C68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8B70E7F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x90A35ED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8B70EC72] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x90EB65D0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x90EB6700] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8B71B722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8B71B766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8B71B902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8B71B68C] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x90EB6010] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8B71B816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8B71B6D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8B71394C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8B71B8BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x90A35C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8B710DCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8B710ADC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8B70ECD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8B70ED3E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x90A35FCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8B70E892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8B70EA64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8B70E9F2] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x90EB6300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x90EB63E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8B70EAEC] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x90EB6120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x90EB6210] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8B70EDA4] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x90EB64D0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82E7DA15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB7212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82EBE460 4 Bytes [A6, EB, 70, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82EBE4E8 4 Bytes [84, F6, 70, 8B] {TEST DH, DH; JO 0xffffff8f} .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82EBE53C 8 Bytes [F8, B6, 71, 8B, 44, B7, 71, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82EBE548 4 Bytes [DE, B8, 71, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82EBE564 4 Bytes [66, B6, 71, 8B] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 830794EF 4 Bytes CALL 8B711641 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 83093357 4 Bytes CALL 8B711657 \SystemRoot\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92407000, 0x136CEC, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[404] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[444] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[524] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\system32\wininit.exe[532] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\system32\winlogon.exe[580] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text ... .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtCreateFile + 6 777D560E 4 Bytes [28, 38, 22, 00] {SUB [EAX], BH; AND AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtCreateFile + B 777D5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtMapViewOfSection + 6 777D5C6E 4 Bytes [28, 3B, 22, 00] {SUB [EBX], BH; AND AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtMapViewOfSection + B 777D5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenFile + 6 777D5D1E 4 Bytes [68, 38, 22, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenFile + B 777D5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenProcess + 6 777D5DCE 4 Bytes [A8, 39, 22, 00] {TEST AL, 0x39; AND AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenProcess + B 777D5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenProcessToken + B 777D5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenProcessTokenEx + 6 777D5DEE 4 Bytes [A8, 3A, 22, 00] {TEST AL, 0x3a; AND AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenProcessTokenEx + B 777D5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenThread + 6 777D5E4E 4 Bytes [68, 39, 22, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenThread + B 777D5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenThreadToken + 6 777D5E5E 4 Bytes [68, 3A, 22, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenThreadToken + B 777D5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtOpenThreadTokenEx + B 777D5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtQueryAttributesFile + 6 777D5F7E 4 Bytes [A8, 38, 22, 00] {TEST AL, 0x38; AND AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtQueryAttributesFile + B 777D5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtQueryFullAttributesFile + B 777D6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtSetInformationFile + 6 777D667E 4 Bytes [28, 39, 22, 00] {SUB [ECX], BH; AND AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtSetInformationFile + B 777D6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtSetInformationThread + 6 777D66DE 4 Bytes [28, 3A, 22, 00] {SUB [EDX], BH; AND AL, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtSetInformationThread + B 777D66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtUnmapViewOfSection + 6 777D69FE 4 Bytes [68, 3B, 22, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!NtUnmapViewOfSection + B 777D6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!LdrUnloadDll 777EC8DE 5 Bytes JMP 002F03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] ntdll.dll!LdrLoadDll 777F22AE 5 Bytes JMP 002F01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[712] KERNEL32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[748] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[844] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\system32\atiesrxx.exe[928] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[972] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text ... .text C:\Program Files\Google\Chrome\Application\chrome.exe[2040] ntdll.dll!NtMapViewOfSection + 6 777D5C6E 4 Bytes [18, 20, 04, 6F] {SBB [EAX], AH; ADD AL, 0x6f} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2040] ntdll.dll!NtMapViewOfSection + B 777D5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2040] ntdll.dll!LdrUnloadDll 777EC8DE 5 Bytes JMP 001E03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[2040] ntdll.dll!LdrLoadDll 777F22AE 5 Bytes JMP 001E01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2040] KERNEL32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\ATK0100\HControl.exe[2088] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Program Files\AVG\AVG2013\avgnsx.exe[2108] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Program Files\AVG\AVG2013\avgemcx.exe[2124] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Program Files\AVG\AVG2013\avgui.exe[2132] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text ... .text C:\Program Files\CCleaner\CCleaner.exe[3008] USER32.dll!SetScrollRange 76F28EC5 5 Bytes JMP 014D9987 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3008] USER32.dll!GetScrollInfo 76F32DA3 5 Bytes JMP 014D991A C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3008] USER32.dll!SetScrollInfo 76F348DA 5 Bytes JMP 014D99BE C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3008] USER32.dll!GetScrollRange 76F5045A 5 Bytes JMP 014D98BD C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3008] USER32.dll!SetScrollPos 76F504BE 5 Bytes JMP 014D9898 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3008] USER32.dll!GetScrollPos 76F50E43 5 Bytes JMP 014D98F5 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3008] USER32.dll!EnableScrollBar 76F519CE 5 Bytes JMP 014D99F2 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3008] USER32.dll!ShowScrollBar 76F53C89 5 Bytes JMP 014D994D C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtCreateFile + 6 777D560E 4 Bytes [28, D0, 60, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtCreateFile + B 777D5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtMapViewOfSection + 6 777D5C6E 4 Bytes [28, D3, 60, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtMapViewOfSection + B 777D5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenFile + 6 777D5D1E 4 Bytes [68, D0, 60, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenFile + B 777D5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenProcess + 6 777D5DCE 4 Bytes [A8, D1, 60, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenProcess + B 777D5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenProcessToken + B 777D5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenProcessTokenEx + 6 777D5DEE 4 Bytes [A8, D2, 60, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenProcessTokenEx + B 777D5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenThread + 6 777D5E4E 4 Bytes [68, D1, 60, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenThread + B 777D5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenThreadToken + 6 777D5E5E 4 Bytes [68, D2, 60, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenThreadToken + B 777D5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenThreadTokenEx + B 777D5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtQueryAttributesFile + 6 777D5F7E 4 Bytes [A8, D0, 60, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtQueryAttributesFile + B 777D5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtQueryFullAttributesFile + B 777D6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtSetInformationFile + 6 777D667E 4 Bytes [28, D1, 60, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtSetInformationFile + B 777D6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtSetInformationThread + 6 777D66DE 4 Bytes [28, D2, 60, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtSetInformationThread + B 777D66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtUnmapViewOfSection + 6 777D69FE 4 Bytes [68, D3, 60, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtUnmapViewOfSection + B 777D6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!LdrUnloadDll 777EC8DE 5 Bytes JMP 006C03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!LdrLoadDll 777F22AE 5 Bytes JMP 006C01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3044] KERNEL32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3180] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3216] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3240] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[3292] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text ... .text C:\Program Files\Internet Explorer\iexplore.exe[4488] ntdll.dll!LdrUnloadDll 777EC8DE 5 Bytes JMP 000E03FC .text C:\Program Files\Internet Explorer\iexplore.exe[4488] ntdll.dll!LdrLoadDll 777F22AE 5 Bytes JMP 000E01F8 .text C:\Program Files\Internet Explorer\iexplore.exe[4488] KERNEL32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[4996] ntdll.dll!LdrUnloadDll 777EC8DE 5 Bytes JMP 000703FC .text C:\Program Files\Internet Explorer\iexplore.exe[4996] ntdll.dll!LdrLoadDll 777F22AE 5 Bytes JMP 000701F8 .text C:\Program Files\Internet Explorer\iexplore.exe[4996] KERNEL32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[4996] shell32.DLL!RealDriveType + 173D 762DFD70 4 Bytes [BD, CB, D7, 66] .text C:\Program Files\Internet Explorer\iexplore.exe[4996] shell32.DLL!RealDriveType + 1745 762DFD78 8 Bytes [3C, 50, D6, 66, 28, CC, D7, ...] .text C:\Users\Jacek\Downloads\5xpei5o7.exe[5352] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\system32\Macromed\Flash\FlashUtil32_17_0_0_188_ActiveX.exe[5500] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Windows\system32\taskeng.exe[5556] kernel32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtCreateFile + 6 777D560E 4 Bytes [28, 78, F6, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtCreateFile + B 777D5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtMapViewOfSection + 6 777D5C6E 4 Bytes [28, 7B, F6, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtMapViewOfSection + B 777D5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenFile + 6 777D5D1E 4 Bytes [68, 78, F6, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenFile + B 777D5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenProcess + 6 777D5DCE 4 Bytes [A8, 79, F6, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenProcess + B 777D5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenProcessToken + B 777D5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenProcessTokenEx + 6 777D5DEE 4 Bytes [A8, 7A, F6, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenProcessTokenEx + B 777D5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenThread + 6 777D5E4E 4 Bytes [68, 79, F6, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenThread + B 777D5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenThreadToken + 6 777D5E5E 4 Bytes [68, 7A, F6, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenThreadToken + B 777D5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtOpenThreadTokenEx + B 777D5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtQueryAttributesFile + 6 777D5F7E 4 Bytes [A8, 78, F6, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtQueryAttributesFile + B 777D5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtQueryFullAttributesFile + B 777D6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtSetInformationFile + 6 777D667E 4 Bytes [28, 79, F6, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtSetInformationFile + B 777D6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtSetInformationThread + 6 777D66DE 4 Bytes [28, 7A, F6, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtSetInformationThread + B 777D66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtUnmapViewOfSection + 6 777D69FE 4 Bytes [68, 7B, F6, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!NtUnmapViewOfSection + B 777D6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!LdrUnloadDll 777EC8DE 5 Bytes JMP 011903FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] ntdll.dll!LdrLoadDll 777F22AE 5 Bytes JMP 011901F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[5880] KERNEL32.dll!GetBinaryTypeW + 70 77106AAC 1 Byte [62] ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2142848797-1288730675-1259261558-1001@RefCount 2 ---- Files - GMER 2.1 ---- File C:\FRST 0 bytes File C:\FRST\Hives 0 bytes File C:\FRST\Hives\BCD 28672 bytes File C:\FRST\Hives\default 262144 bytes File C:\FRST\Hives\ERDNT.CON 800 bytes File C:\FRST\Hives\ERDNT.EXE 163328 bytes executable File C:\FRST\Hives\ERDNT.INF 836 bytes File C:\FRST\Hives\ERDNTDOS.LOC 2815 bytes File C:\FRST\Hives\ERDNTWIN.LOC 3275 bytes File C:\FRST\Hives\sam 65536 bytes File C:\FRST\Hives\security 24576 bytes File C:\FRST\Hives\software 49582080 bytes File C:\FRST\Hives\system 17793024 bytes File C:\FRST\Hives\Users 0 bytes File C:\FRST\Hives\Users\00000001 0 bytes File C:\FRST\Hives\Users\00000001\ntuser.dat 2965504 bytes File C:\FRST\Hives\Users\00000002 0 bytes File C:\FRST\Hives\Users\00000002\UsrClass.dat 3158016 bytes File C:\FRST\Logs 0 bytes File C:\FRST\Quarantine 0 bytes File C:\FRST\users00 93 bytes ---- EOF - GMER 2.1 ----