GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-09-08 13:01:29
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE3O 465,76GB
Running: jhnmqgsg.exe; Driver: C:\Users\Stefan\AppData\Local\Temp\uxdcrpob.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\Explorer.EXE[1688] C:\Windows\system32\kernel32.dll!CreateProcessW  0000000076d91bb0 12 bytes JMP 0000000136d80178
.text  C:\Program Files (x86)\GreatMaker\MaohaWiFi\MaohaWifiSvr.exe[2800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000766c1465 2 bytes [6C, 76]
.text  C:\Program Files (x86)\GreatMaker\MaohaWiFi\MaohaWifiSvr.exe[2800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000766c14bb 2 bytes [6C, 76]
.text  ... * 2
.text  C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000766c1465 2 bytes [6C, 76]
.text  C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000766c14bb 2 bytes [6C, 76]
.text  ... * 2
.text  C:\Program Files (x86)\UCBrowser\Application\UCService.exe[3160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000766c1465 2 bytes [6C, 76]
.text  C:\Program Files (x86)\UCBrowser\Application\UCService.exe[3160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000766c14bb 2 bytes [6C, 76]
.text  ... * 2
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[1392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000766c1465 2 bytes [6C, 76]
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[1392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000766c14bb 2 bytes [6C, 76]
.text  ... * 2
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000766c1465 2 bytes [6C, 76]
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000766c14bb 2 bytes [6C, 76]
.text  ... * 2
.text  C:\Users\Stefan\AppData\Roaming\Geunfy\Yurejjaeb.exe[5492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000766c1465 2 bytes [6C, 76]
.text  C:\Users\Stefan\AppData\Roaming\Geunfy\Yurejjaeb.exe[5492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000766c14bb 2 bytes [6C, 76]
.text  ... * 2
.text  C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[4588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000766c1465 2 bytes [6C, 76]
.text  C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[4588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000766c14bb 2 bytes [6C, 76]
.text  ... * 2
.text  C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[2516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000766c1465 2 bytes [6C, 76]
.text  C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[2516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000766c14bb 2 bytes [6C, 76]
.text  ... * 2
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076ee1590 14 bytes {MOV RAX, 0x7fef6b830f0; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4688] C:\Windows\system32\WS2_32.dll!getaddrinfo  000007fefe012720 5 bytes JMP 000007fff77cce64
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread  0000000076ee13e0 7 bytes [48, B8, 68, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8  0000000076ee13e8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken  0000000076ee1550 7 bytes [48, B8, C0, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8  0000000076ee1558 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076ee1570 7 bytes [48, B8, 3C, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8  0000000076ee1578 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile  0000000076ee1580 7 bytes [48, B8, 3C, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8  0000000076ee1588 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076ee1590 7 bytes [48, B8, 48, F2, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8  0000000076ee1598 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection  0000000076ee15b0 7 bytes [48, B8, 8C, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8  0000000076ee15b8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx  0000000076ee1600 7 bytes [48, B8, E4, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8  0000000076ee1608 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx  0000000076ee1610 7 bytes [48, B8, 78, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8  0000000076ee1618 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile  0000000076ee1640 7 bytes [48, B8, CC, F2, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8  0000000076ee1648 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile  0000000076ee16e0 7 bytes [48, B8, 14, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8  0000000076ee16e8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile  0000000076ee1860 7 bytes [48, B8, 90, F1, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8  0000000076ee1868 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken  0000000076ee22d0 7 bytes [48, B8, 60, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8  0000000076ee22d8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076ee2320 7 bytes [48, B8, 9C, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8  0000000076ee2328 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile  0000000076ee2470 7 bytes [48, B8, 28, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8  0000000076ee2478 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5844] C:\Windows\system32\WS2_32.dll!getaddrinfo  000007fefe012720 5 bytes JMP 000007fff77cce64
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread  0000000076ee13e0 7 bytes [48, B8, 68, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8  0000000076ee13e8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken  0000000076ee1550 7 bytes [48, B8, C0, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8  0000000076ee1558 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076ee1570 7 bytes [48, B8, 3C, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8  0000000076ee1578 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile  0000000076ee1580 7 bytes [48, B8, 3C, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8  0000000076ee1588 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076ee1590 7 bytes [48, B8, 48, F2, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8  0000000076ee1598 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection  0000000076ee15b0 7 bytes [48, B8, 8C, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8  0000000076ee15b8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx  0000000076ee1600 7 bytes [48, B8, E4, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8  0000000076ee1608 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx  0000000076ee1610 7 bytes [48, B8, 78, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8  0000000076ee1618 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile  0000000076ee1640 7 bytes [48, B8, CC, F2, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8  0000000076ee1648 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile  0000000076ee16e0 7 bytes [48, B8, 14, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8  0000000076ee16e8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile  0000000076ee1860 7 bytes [48, B8, 90, F1, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8  0000000076ee1868 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken  0000000076ee22d0 7 bytes [48, B8, 60, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8  0000000076ee22d8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076ee2320 7 bytes [48, B8, 9C, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8  0000000076ee2328 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile  0000000076ee2470 7 bytes [48, B8, 28, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8  0000000076ee2478 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread  0000000076ee13e0 7 bytes [48, B8, 68, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8  0000000076ee13e8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken  0000000076ee1550 7 bytes [48, B8, C0, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8  0000000076ee1558 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076ee1570 7 bytes [48, B8, 3C, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8  0000000076ee1578 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile  0000000076ee1580 7 bytes [48, B8, 3C, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8  0000000076ee1588 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076ee1590 7 bytes [48, B8, 48, F2, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8  0000000076ee1598 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection  0000000076ee15b0 7 bytes [48, B8, 8C, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8  0000000076ee15b8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx  0000000076ee1600 7 bytes [48, B8, E4, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8  0000000076ee1608 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx  0000000076ee1610 7 bytes [48, B8, 78, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8  0000000076ee1618 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile  0000000076ee1640 7 bytes [48, B8, CC, F2, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8  0000000076ee1648 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile  0000000076ee16e0 7 bytes [48, B8, 14, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8  0000000076ee16e8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile  0000000076ee1860 7 bytes [48, B8, 90, F1, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8  0000000076ee1868 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken  0000000076ee22d0 7 bytes [48, B8, 60, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8  0000000076ee22d8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076ee2320 7 bytes [48, B8, 9C, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8  0000000076ee2328 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile  0000000076ee2470 7 bytes [48, B8, 28, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8  0000000076ee2478 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread  0000000076ee13e0 7 bytes [48, B8, 68, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8  0000000076ee13e8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken  0000000076ee1550 7 bytes [48, B8, C0, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8  0000000076ee1558 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076ee1570 7 bytes [48, B8, 3C, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8  0000000076ee1578 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile  0000000076ee1580 7 bytes [48, B8, 3C, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8  0000000076ee1588 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076ee1590 7 bytes [48, B8, 48, F2, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8  0000000076ee1598 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection  0000000076ee15b0 7 bytes [48, B8, 8C, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8  0000000076ee15b8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx  0000000076ee1600 7 bytes [48, B8, E4, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8  0000000076ee1608 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx  0000000076ee1610 7 bytes [48, B8, 78, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8  0000000076ee1618 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile  0000000076ee1640 7 bytes [48, B8, CC, F2, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8  0000000076ee1648 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile  0000000076ee16e0 7 bytes [48, B8, 14, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8  0000000076ee16e8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile  0000000076ee1860 7 bytes [48, B8, 90, F1, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8  0000000076ee1868 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken  0000000076ee22d0 7 bytes [48, B8, 60, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8  0000000076ee22d8 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076ee2320 7 bytes [48, B8, 9C, F3, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8  0000000076ee2328 6 bytes {ADD [RAX], AL; JMP RAX}
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile  0000000076ee2470 7 bytes [48, B8, 28, F4, 90, 3F, 01]
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8  0000000076ee2478 6 bytes {ADD [RAX], AL; JMP RAX}

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle]  [7feddbc5fc4] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW]  [7feddbc6868] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW]  [7feddbc6ca4] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW]  [7feddbc6880] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5360] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort]  [7feddbc6860] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle]  [7feddbc5fc4] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW]  [7feddbc6868] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW]  [7feddbc6ca4] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW]  [7feddbc6880] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort]  [7feddbc6860] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle]  [7feddbc5fc4] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW]  [7feddbc6868] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW]  [7feddbc6ca4] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW]  [7feddbc6880] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort]  [7feddbc6860] C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3916] @ C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\PepperFlash\23.0.0.162\pepflashplayer.dll[KERNEL32.dll!CreateNamedPipeW]  [b6d7002c]

---- Processes - GMER 2.1 ----

Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yjetipudl.dll (*** suspicious ***) @ C:\Windows\system32\Dwm.exe [1664](2016-08-11 13:04:40)  000007fef77c0000
Library  C:\Users\Stefan\AppData\Local\MEGAsync\ShellExtX64.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1688](2014-05-01 14:13:20)  000007fef9630000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yjetipudl.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1688](2016-08-11 13:04:40)  000007fef77c0000
Process  C:\Program Files (x86)\SOEasy.3\SSoEasyySvc3.exe (*** suspicious ***) @ C:\Program Files (x86)\SOEasy.3\SSoEasyySvc3.exe [2064](2016-  0000000000930000
Process  C:\Program Files (x86)\SOEasy.4\SSoEasyySvc4.exe (*** suspicious ***) @ C:\Program Files (x86)\SOEasy.4\SSoEasyySvc4.exe [2088](2016-  00000000008f0000
Process  C:\Program Files (x86)\SOEasy.5\SSoEasyySvc5.exe (*** suspicious ***) @ C:\Program Files (x86)\SOEasy.5\SSoEasyySvc5.exe [2112](2016-  0000000001100000
Process  C:\Program Files (x86)\SOEasy.6\SSoEasyySvc6.exe (*** suspicious ***) @ C:\Program Files (x86)\SOEasy.6\SSoEasyySvc6.exe [2140](2016-  0000000000a40000
Process  C:\Users\Stefan\AppData\Roaming\Geunfy\Geunfy.exe (*** suspicious ***) @ C:\Users\Stefan\AppData\Roaming\Geunfy\Geunfy.exe [2992](2  0000000000ff0000
Process  C:\Users\Stefan\AppData\Local\Apps\2.0\abril.exe (*** suspicious ***) @ C:\Users\Stefan\AppData\Local\Apps\2.0\abril.exe [2208](2016-  0000000000a40000
Process  D:\Program Files\MS.Default\Helper.3\Helper33.exe (*** suspicious ***) @ D:\Program Files\MS.Default\Helper.3\Helper33.exe [3344](2  0000000000a10000
Process  D:\Program Files\MS.Default\Helper.4\Helper44.exe (*** suspicious ***) @ D:\Program Files\MS.Default\Helper.4\Helper44.exe [3376](2  00000000002d0000
Process  D:\Program Files\MS.Default\Helper.5\Helper55.exe (*** suspicious ***) @ D:\Program Files\MS.Default\Helper.5\Helper55.exe [3412](2  0000000000030000
Process  D:\Program Files\MS.Default\Helper.6\Helper66.exe (*** suspicious ***) @ D:\Program Files\MS.Default\Helper.6\Helper66.exe [3444](2  0000000000b50000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yjetipudl.dll (*** suspicious ***) @ C:\Windows\system32\wbem\unsecapp.exe [3988](2016-08-11 13:04:40)  000007fef77c0000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yjetipudl.dll (*** suspicious ***) @ C:\Windows\System32\hkcmd.exe [4924](2016-08-11 13:04:40)  000007fef77c0000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yurejjaeb.dll (*** suspicious ***) @ C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [5228](2016-08-11 13:04:12)  00000000704c0000
Process  C:\Users\Stefan\AppData\Roaming\Geunfy\Yurejjaeb.exe (*** suspicious ***) @ C:\Users\Stefan\AppData\Roaming\Geunfy\Yurejjaeb.exe [5492](2016-08-11 13:04:00)  0000000000eb0000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yurejjaeb.dll (*** suspicious ***) @ C:\Users\Stefan\AppData\Roaming\Geunfy\Yurejjaeb.exe [5492](2016-08-11 13:04:12)  00000000704c0000
Process  C:\Users\Stefan\AppData\Roaming\Geunfy\Yjetipudl.exe (*** suspicious ***) @ C:\Users\Stefan\AppData\Roaming\Geunfy\Yjetipudl.exe [2336](2016-08-11 13:04:38)  000000013f9d0000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yjetipudl.dll (*** suspicious ***) @ C:\Users\Stefan\AppData\Roaming\Geunfy\Yjetipudl.exe [2336](2016-08-11 13:04:40)  000007fef77c0000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yurejjaeb.dll (*** suspicious ***) @ C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe [4588](2016-08-11 13:04:12)  00000000704c0000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yurejjaeb.dll (*** suspicious ***) @ C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe [2516](2016-08-11 13:04:12)  00000000704c0000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yjetipudl.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4688](2016-08-11 13:04:40)  000007fef77c0000
Library  C:\Users\Stefan\AppData\Local\MEGAsync\ShellExtX64.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4688](2014-05-01 14:13:20)  000007fef9630000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yjetipudl.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [5844](2016-08-11 13:04:40)  000007fef77c0000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yurejjaeb.dll (*** suspicious ***) @ C:\Program Files\快压\X86\KuaiZip.exe [6588](2016-08-11 13:04:12)  00000000704c0000
Library  C:\Users\Stefan\AppData\Local\MEGAsync\ShellExtX32.dll (*** suspicious ***) @ C:\Program Files\快压\X86\KuaiZip.exe [6588](2014-05-01 14:1  0000000074240000
Library  C:\Users\Stefan\AppData\Roaming\Geunfy\Yjetipudl.dll (*** suspicious ***) @ C:\Windows\system32\DllHost.exe [904](2016-08-11 13:04:40)  000007fef77c0000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  (binary value; the only legible fragment in this copy is \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys)
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ac7289ddf2fb
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ac7289ddf2fb@cc07ab35d687  0x41 0xDF 0xBD 0x21 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ac7289ddf2fb (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ac7289ddf2fb@cc07ab35d687  0x41 0xDF 0xBD 0x21 ...

---- EOF - GMER 2.1 ----