GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-10 08:02:07 Windows 6.2.9200 \Device\Harddisk0\DR0 -> \Device\00000028 Hitachi_HTS543225L9SA00 rev.FBEOC43C 232,89GB Running: dygwmkfr.exe; Driver: C:\Users\SLIMOS~1\AppData\Local\Temp\pwldqpog.sys ---- Kernel code sections - GMER 2.2 ---- .text ntoskrnl.exe!ExfUnblockPushLock + 1549 8193D65D 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 602 81941DE2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text C:\WINDOWS\system32\DRIVERS\atikmdag.sys section is writeable [0x91A31000, 0x2BFBF0, 0xE8000020] ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtUnmapViewOfSection + 5 77E8FDF5 4 Bytes [BA, 68, 87, F8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtUnmapViewOfSection + A 77E8FDFA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtSetInformationThread + 5 77E904C5 4 Bytes [BA, 28, 86, F8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtSetInformationThread + A 77E904CA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtSetInformationFile + 5 77E90585 4 Bytes [BA, 28, 85, F8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtSetInformationFile + A 77E9058A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtQueryFullAttributesFile + 5 77E912B5 4 Bytes CALL 76EA0B3E C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtQueryFullAttributesFile + A 77E912BA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtQueryAttributesFile + 5 77E91415 4 Bytes [BA, A8, 84, F8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtQueryAttributesFile + A 77E9141A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenThreadTokenEx + 5 77E91655 4 Bytes CALL 76EA0EE0 C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenThreadTokenEx + A 77E9165A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenThreadToken + 5 77E91675 4 Bytes [BA, 68, 86, F8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenThreadToken + A 77E9167A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenThread + 5 77E91695 4 Bytes [BA, 68, 85, F8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenThread + A 77E9169A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenProcessTokenEx + 5 77E91775 4 Bytes [BA, A8, 86, F8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenProcessTokenEx + A 77E9177A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenProcessToken + 5 77E91795 4 Bytes CALL 76EA101F C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenProcessToken + A 77E9179A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenProcess + 5 77E917B5 4 Bytes [BA, A8, 85, F8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenProcess + A 77E917BA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenFile + 5 77E91915 4 Bytes [BA, 68, 84, F8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtOpenFile + A 77E9191A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtMapViewOfSection + 5 77E91A95 4 Bytes [BA, 28, 87, F8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtMapViewOfSection + A 77E91A9A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtCreateFile + 5 77E928E5 4 Bytes [BA, 28, 84, F8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1852] ntdll.dll!NtCreateFile + A 77E928EA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtUnmapViewOfSection + 5 77E8FDF5 4 Bytes [BA, 68, B7, B8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtUnmapViewOfSection + A 77E8FDFA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtSetInformationThread + 5 77E904C5 4 Bytes [BA, 28, B6, B8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtSetInformationThread + A 77E904CA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtSetInformationFile + 5 77E90585 4 Bytes [BA, 28, B5, B8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtSetInformationFile + A 77E9058A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtQueryFullAttributesFile + 5 77E912B5 4 Bytes CALL 76E9CB6E C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtQueryFullAttributesFile + A 77E912BA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtQueryAttributesFile + 5 77E91415 4 Bytes [BA, A8, B4, B8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtQueryAttributesFile + A 77E9141A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenThreadTokenEx + 5 77E91655 4 Bytes CALL 76E9CF10 C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenThreadTokenEx + A 77E9165A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenThreadToken + 5 77E91675 4 Bytes [BA, 68, B6, B8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenThreadToken + A 77E9167A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenThread + 5 77E91695 4 Bytes [BA, 68, B5, B8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenThread + A 77E9169A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenProcessTokenEx + 5 77E91775 4 Bytes [BA, A8, B6, B8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenProcessTokenEx + A 77E9177A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenProcessToken + 5 77E91795 4 Bytes CALL 76E9D04F C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenProcessToken + A 77E9179A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenProcess + 5 77E917B5 4 Bytes [BA, A8, B5, B8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenProcess + A 77E917BA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenFile + 5 77E91915 4 Bytes [BA, 68, B4, B8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtOpenFile + A 77E9191A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtMapViewOfSection + 5 77E91A95 4 Bytes [BA, 28, B7, B8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtMapViewOfSection + A 77E91A9A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtCreateFile + 5 77E928E5 4 Bytes [BA, 28, B4, B8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2216] ntdll.dll!NtCreateFile + A 77E928EA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3660] ntdll.dll!NtMapViewOfSection + 5 77E91A95 7 Bytes [BA, 18, 40, BA, 70, FF, E2] {MOV EDX, 0x70ba4018; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtUnmapViewOfSection + 5 77E8FDF5 7 Bytes [BA, 68, B7, 30, 01, FF, E2] {MOV EDX, 0x130b768; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtSetInformationThread + 5 77E904C5 7 Bytes [BA, 28, B6, 30, 01, FF, E2] {MOV EDX, 0x130b628; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtSetInformationFile + 5 77E90585 7 Bytes [BA, 28, B5, 30, 01, FF, E2] {MOV EDX, 0x130b528; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtQueryFullAttributesFile + 5 77E912B5 7 Bytes CALL 76EA436E C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtQueryAttributesFile + 5 77E91415 7 Bytes [BA, A8, B4, 30, 01, FF, E2] {MOV EDX, 0x130b4a8; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtOpenThreadTokenEx + 5 77E91655 7 Bytes CALL 76EA4710 C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtOpenThreadToken + 5 77E91675 7 Bytes [BA, 68, B6, 30, 01, FF, E2] {MOV EDX, 0x130b668; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtOpenThread + 5 77E91695 7 Bytes [BA, 68, B5, 30, 01, FF, E2] {MOV EDX, 0x130b568; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtOpenProcessTokenEx + 5 77E91775 7 Bytes [BA, A8, B6, 30, 01, FF, E2] {MOV EDX, 0x130b6a8; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtOpenProcessToken + 5 77E91795 7 Bytes CALL 76EA484F C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtOpenProcess + 5 77E917B5 7 Bytes [BA, A8, B5, 30, 01, FF, E2] {MOV EDX, 0x130b5a8; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtOpenFile + 5 77E91915 7 Bytes [BA, 68, B4, 30, 01, FF, E2] {MOV EDX, 0x130b468; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtMapViewOfSection + 5 77E91A95 7 Bytes [BA, 28, B7, 30, 01, FF, E2] {MOV EDX, 0x130b728; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4640] ntdll.dll!NtCreateFile + 5 77E928E5 7 Bytes [BA, 28, B4, 30, 01, FF, E2] {MOV EDX, 0x130b428; JMP EDX} .text C:\Program Files\Mozilla Firefox\firefox.exe[6324] ntdll.dll!LdrLoadDll 77E42010 5 Bytes JMP 6DC27940 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6324] KERNEL32.DLL!GetCurrentProcess + B 772249BB 7 Bytes JMP 1017EA1A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6324] KERNEL32.DLL!CreateFileMappingW + 1B 77227CCB 7 Bytes JMP 1017DBE7 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6324] KERNEL32.DLL!FlsAlloc + 1B 7722956B 7 Bytes JMP 0FEC1B09 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6324] USER32.dll!CallMsgFilterW + 95B 7764189B 7 Bytes JMP 10DA4840 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6324] USER32.dll!CreateWindowExA 7764A050 5 Bytes JMP 10302730 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6324] USER32.dll!CreateWindowExW 7764B880 5 Bytes JMP 0FE746B4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6324] GDI32.dll!MoveToEx + 3B 77145A5B 7 Bytes JMP 1017D4F6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtUnmapViewOfSection + 5 77E8FDF5 4 Bytes [BA, 68, DF, B1] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtUnmapViewOfSection + A 77E8FDFA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtSetInformationThread + 5 77E904C5 4 Bytes [BA, 28, DE, B1] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtSetInformationThread + A 77E904CA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtSetInformationFile + 5 77E90585 4 Bytes [BA, 28, DD, B1] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtSetInformationFile + A 77E9058A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtQueryFullAttributesFile + 5 77E912B5 4 Bytes CALL 76E9C496 C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtQueryFullAttributesFile + A 77E912BA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtQueryAttributesFile + 5 77E91415 4 Bytes [BA, A8, DC, B1] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtQueryAttributesFile + A 77E9141A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenThreadTokenEx + 5 77E91655 4 Bytes CALL 76E9C838 C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenThreadTokenEx + A 77E9165A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenThreadToken + 5 77E91675 4 Bytes [BA, 68, DE, B1] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenThreadToken + A 77E9167A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenThread + 5 77E91695 4 Bytes [BA, 68, DD, B1] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenThread + A 77E9169A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenProcessTokenEx + 5 77E91775 4 Bytes [BA, A8, DE, B1] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenProcessTokenEx + A 77E9177A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenProcessToken + 5 77E91795 4 Bytes CALL 76E9C977 C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenProcessToken + A 77E9179A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenProcess + 5 77E917B5 4 Bytes [BA, A8, DD, B1] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenProcess + A 77E917BA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenFile + 5 77E91915 4 Bytes [BA, 68, DC, B1] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtOpenFile + A 77E9191A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtMapViewOfSection + 5 77E91A95 4 Bytes [BA, 28, DF, B1] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtMapViewOfSection + A 77E91A9A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtCreateFile + 5 77E928E5 4 Bytes [BA, 28, DC, B1] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6516] ntdll.dll!NtCreateFile + A 77E928EA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtUnmapViewOfSection + 5 77E8FDF5 4 Bytes [BA, 68, 33, 96] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtUnmapViewOfSection + A 77E8FDFA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtSetInformationThread + 5 77E904C5 4 Bytes [BA, 28, 32, 96] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtSetInformationThread + A 77E904CA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtSetInformationFile + 5 77E90585 4 Bytes [BA, 28, 31, 96] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtSetInformationFile + A 77E9058A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtQueryFullAttributesFile + 5 77E912B5 4 Bytes CALL 76E9A8EA C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtQueryFullAttributesFile + A 77E912BA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtQueryAttributesFile + 5 77E91415 4 Bytes [BA, A8, 30, 96] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtQueryAttributesFile + A 77E9141A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenThreadTokenEx + 5 77E91655 4 Bytes CALL 76E9AC8C C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenThreadTokenEx + A 77E9165A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenThreadToken + 5 77E91675 4 Bytes [BA, 68, 32, 96] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenThreadToken + A 77E9167A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenThread + 5 77E91695 4 Bytes [BA, 68, 31, 96] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenThread + A 77E9169A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenProcessTokenEx + 5 77E91775 4 Bytes [BA, A8, 32, 96] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenProcessTokenEx + A 77E9177A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenProcessToken + 5 77E91795 4 Bytes CALL 76E9ADCB C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenProcessToken + A 77E9179A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenProcess + 5 77E917B5 4 Bytes [BA, A8, 31, 96] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenProcess + A 77E917BA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenFile + 5 77E91915 4 Bytes [BA, 68, 30, 96] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtOpenFile + A 77E9191A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtMapViewOfSection + 5 77E91A95 4 Bytes [BA, 28, 33, 96] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtMapViewOfSection + A 77E91A9A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtCreateFile + 5 77E928E5 4 Bytes [BA, 28, 30, 96] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6592] ntdll.dll!NtCreateFile + A 77E928EA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtUnmapViewOfSection + 5 77E8FDF5 4 Bytes [BA, 68, D7, 59] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtUnmapViewOfSection + A 77E8FDFA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtSetInformationThread + 5 77E904C5 4 Bytes [BA, 28, D6, 59] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtSetInformationThread + A 77E904CA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtSetInformationFile + 5 77E90585 4 Bytes [BA, 28, D5, 59] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtSetInformationFile + A 77E9058A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtQueryFullAttributesFile + 5 77E912B5 4 Bytes CALL 76E96C8E C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtQueryFullAttributesFile + A 77E912BA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtQueryAttributesFile + 5 77E91415 4 Bytes [BA, A8, D4, 59] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtQueryAttributesFile + A 77E9141A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenThreadTokenEx + 5 77E91655 4 Bytes CALL 76E97030 C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenThreadTokenEx + A 77E9165A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenThreadToken + 5 77E91675 4 Bytes [BA, 68, D6, 59] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenThreadToken + A 77E9167A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenThread + 5 77E91695 4 Bytes [BA, 68, D5, 59] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenThread + A 77E9169A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenProcessTokenEx + 5 77E91775 4 Bytes [BA, A8, D6, 59] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenProcessTokenEx + A 77E9177A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenProcessToken + 5 77E91795 4 Bytes CALL 76E9716F C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenProcessToken + A 77E9179A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenProcess + 5 77E917B5 4 Bytes [BA, A8, D5, 59] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenProcess + A 77E917BA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenFile + 5 77E91915 4 Bytes [BA, 68, D4, 59] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtOpenFile + A 77E9191A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtMapViewOfSection + 5 77E91A95 4 Bytes [BA, 28, D7, 59] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtMapViewOfSection + A 77E91A9A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtCreateFile + 5 77E928E5 4 Bytes [BA, 28, D4, 59] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7736] ntdll.dll!NtCreateFile + A 77E928EA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtUnmapViewOfSection + 5 77E8FDF5 4 Bytes [BA, 68, 03, F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtUnmapViewOfSection + A 77E8FDFA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtSetInformationThread + 5 77E904C5 4 Bytes [BA, 28, 02, F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtSetInformationThread + A 77E904CA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtSetInformationFile + 5 77E90585 4 Bytes [BA, 28, 01, F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtSetInformationFile + A 77E9058A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtQueryFullAttributesFile + 5 77E912B5 2 Bytes [BA, E8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtQueryFullAttributesFile + 8 77E912B8 1 Byte [F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtQueryFullAttributesFile + 8 77E912B8 4 Bytes CALL 76EA02BD C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtQueryAttributesFile + 5 77E91415 2 Bytes [BA, A8] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtQueryAttributesFile + 8 77E91418 1 Byte [F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtQueryAttributesFile + 8 77E91418 4 Bytes [F0, 00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenThreadTokenEx + 5 77E91655 4 Bytes CALL 76EA065C C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenThreadTokenEx + A 77E9165A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenThreadToken + 5 77E91675 4 Bytes [BA, 68, 02, F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenThreadToken + A 77E9167A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenThread + 5 77E91695 4 Bytes [BA, 68, 01, F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenThread + A 77E9169A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenProcessTokenEx + 5 77E91775 4 Bytes [BA, A8, 02, F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenProcessTokenEx + A 77E9177A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenProcessToken + 5 77E91795 4 Bytes CALL 76EA079B C:\WINDOWS\System32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenProcessToken + A 77E9179A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenProcess + 5 77E917B5 4 Bytes [BA, A8, 01, F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenProcess + A 77E917BA 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenFile + 5 77E91915 2 Bytes [BA, 68] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenFile + 8 77E91918 1 Byte [F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtOpenFile + 8 77E91918 4 Bytes [F0, 00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtMapViewOfSection + 5 77E91A95 4 Bytes [BA, 28, 03, F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtMapViewOfSection + A 77E91A9A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtCreateFile + 5 77E928E5 2 Bytes [BA, 28] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtCreateFile + 8 77E928E8 1 Byte [F0] .text C:\Program Files\Google\Chrome\Application\chrome.exe[7776] ntdll.dll!NtCreateFile + 8 77E928E8 4 Bytes [F0, 00, FF, E2] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[7996] ntdll.dll!LdrLoadDll 77E42010 5 Bytes JMP 6DC27940 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[7996] KERNEL32.DLL!GetCurrentProcess + B 772249BB 7 Bytes JMP 1017EA1A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[7996] KERNEL32.DLL!CreateFileMappingW + 1B 77227CCB 7 Bytes JMP 1017DBE7 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[7996] USER32.dll!CreateWindowExA 7764A050 5 Bytes JMP 10302730 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[7996] USER32.dll!CreateWindowExW 7764B880 5 Bytes JMP 0FE746B4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[7996] GDI32.dll!MoveToEx + 3B 77145A5B 7 Bytes JMP 1017D4F6 C:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.2 ---- AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 volume.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 volume.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 volume.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 volume.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 volume.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 volume.sys AttachedDevice \FileSystem\fastfat \Fat FLTMGR.SYS ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC ?????????????????????????r???3?????????f???????????????????????????????????????????????????????????f???????????f???????????f???????????f???f???f?????????????????????????????:?????????????????????????????????????????????????f???????????????????????????????????????????????f???????????????i???????m???????????????????????m???????????????????????m?????????????A?????????????????????????????m?????????????????????C?????????????????????????????????????????????????????????????????????m????%SystemRoot%\system32\AppReadiness.dll??????? ????????????????????????$????????? ???????e???? ????????????????????????????L?????????????????%SystemRoot%\system32\LogFiles\WMI\RtBackup\*.*?????????????????????????????????????????????????????????????????????????????????\System Volume Information\FVE2.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.*????????????????????\System Volume Information\FVE2.{c9ca54a3-6983-46b7-8684-a7e5e23499e3}??????????????????????\System Volume Information\FVE2.{24e6f0ae-6a00-4f73-984b-75ce9942852d}????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -2120675925 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00037a93ff8e Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?niedz.?, ?pa? ?09 ?16, 12:22:32??????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{168e87ed-733f-4da6-ac54-d7b32a66d29c}@LeaseObtainedTime 1476009780 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{168e87ed-733f-4da6-ac54-d7b32a66d29c}@T1 1476011580 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{168e87ed-733f-4da6-ac54-d7b32a66d29c}@T2 1476012930 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{168e87ed-733f-4da6-ac54-d7b32a66d29c}@LeaseTerminatesTime 1476013380 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x12 0xAE 0xB6 0x7D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x12 0x16 0x7B 0xDF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x12 0x46 0xF2 0x1B ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@6B815AD5 4 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@NewClientID 111 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{BDF83878-C92C-11E3-A9EB-806E6F6E6963} 12029133088 ---- Files - GMER 2.2 ---- File C:\Users\slimosolo\AppData\Local\Google\Chrome\User Data\Profile 1\Local Extension Settings\cfhdojbkjhnklbpkdaibdccddilifddb\002356.ldb 1795755 bytes File C:\Users\slimosolo\AppData\Local\Google\Chrome\User Data\Profile 1\Local Extension Settings\cfhdojbkjhnklbpkdaibdccddilifddb\002358.ldb 1795702 bytes File C:\Users\slimosolo\AppData\Local\Google\Chrome\User Data\Profile 1\Local Extension Settings\cfhdojbkjhnklbpkdaibdccddilifddb\002360.ldb 1795702 bytes File C:\Users\slimosolo\AppData\Local\Google\Chrome\User Data\Profile 1\Local Extension Settings\cfhdojbkjhnklbpkdaibdccddilifddb\002361.log 4653056 bytes File C:\Users\slimosolo\AppData\Local\Google\Chrome\User Data\Profile 1\Local Extension Settings\cfhdojbkjhnklbpkdaibdccddilifddb\002362.ldb 1795461 bytes File C:\Users\slimosolo\AppData\Local\Google\Chrome\User Data\Profile 1\Local Extension Settings\gighmmpiobklfepjocnamgkkbiglidom\002440.log 4718592 bytes File C:\Users\slimosolo\AppData\Local\Mozilla\Firefox\Profiles\jcd4azud.default\cache2\entries\307FD04FC23504DB0AD7B9578C4F64BD10CA7831 1022 bytes File C:\Users\slimosolo\AppData\Local\Mozilla\Firefox\Profiles\jcd4azud.default\cache2\entries\60B1C599543584613E44910A7B5C15BDAE9E2AA2 3879 bytes File C:\Users\slimosolo\AppData\Local\Mozilla\Firefox\Profiles\jcd4azud.default\cache2\entries\59550DA6632D350310947D722AEEE54C32FD04EA 6834 bytes File C:\Users\slimosolo\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\0F1583FFF42FFF476A09801ACB69213F_D4C83E2943267C1763EC8ED5C0DDE848 1362 bytes File C:\Users\slimosolo\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\DE624068503F3B953A6EC67A0654E15F_5F28976025898342A6E88EAB289DAEFE 1415 bytes File C:\Users\slimosolo\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\0F1583FFF42FFF476A09801ACB69213F_D4C83E2943267C1763EC8ED5C0DDE848 358 bytes File C:\Users\slimosolo\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\DE624068503F3B953A6EC67A0654E15F_5F28976025898342A6E88EAB289DAEFE 406 bytes ---- EOF - GMER 2.2 ----