GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-04-02 20:40:23 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD3200AVJS-63WDA0 rev.12.01B02 298,09GB Running: p3npxyvx.exe; Driver: C:\Users\dom\AppData\Local\Temp\uwldapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1512] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076db8799 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text C:\Windows\system32\hasplms.exe[1820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Windows\system32\hasplms.exe[1820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[1848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[1848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text C:\Windows\SysWOW64\lkcitdl.exe[1888] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000073731a22 2 bytes [73, 73] .text C:\Windows\SysWOW64\lkcitdl.exe[1888] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000073731ad0 2 bytes [73, 73] .text C:\Windows\SysWOW64\lkcitdl.exe[1888] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000073731b08 2 bytes [73, 73] .text C:\Windows\SysWOW64\lkcitdl.exe[1888] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000073731bba 2 bytes [73, 73] .text C:\Windows\SysWOW64\lkcitdl.exe[1888] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000073731bda 2 bytes [73, 73] .text C:\Windows\SysWOW64\lkcitdl.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Windows\SysWOW64\lkcitdl.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text C:\Windows\SysWOW64\lkads.exe[1936] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000073731a22 2 bytes [73, 73] .text C:\Windows\SysWOW64\lkads.exe[1936] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000073731ad0 2 bytes [73, 73] .text C:\Windows\SysWOW64\lkads.exe[1936] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000073731b08 2 bytes [73, 73] .text C:\Windows\SysWOW64\lkads.exe[1936] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000073731bba 2 bytes [73, 73] .text C:\Windows\SysWOW64\lkads.exe[1936] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000073731bda 2 bytes [73, 73] .text C:\Windows\SysWOW64\lkads.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Windows\SysWOW64\lkads.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text C:\Windows\SysWOW64\lktsrv.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000073731a22 2 bytes [73, 73] .text C:\Windows\SysWOW64\lktsrv.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000073731ad0 2 bytes [73, 73] .text C:\Windows\SysWOW64\lktsrv.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000073731b08 2 bytes [73, 73] .text C:\Windows\SysWOW64\lktsrv.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000073731bba 2 bytes [73, 73] .text C:\Windows\SysWOW64\lktsrv.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000073731bda 2 bytes [73, 73] .text C:\Windows\SysWOW64\lktsrv.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Windows\SysWOW64\lktsrv.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2744] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2744] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text D:\Siemens NX8\UGS\UGSLicensing\lmgrd.exe[3004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text D:\Siemens NX8\UGS\UGSLicensing\lmgrd.exe[3004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text D:\Siemens NX8\UGS\UGSLicensing\ugslmd.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text D:\Siemens NX8\UGS\UGSLicensing\ugslmd.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [4380] entry point in ".rdata" section 000000006fe871e6 .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007775f9a1 7 bytes {MOV EDX, 0xbee228; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007775fbe5 7 bytes {MOV EDX, 0xbee268; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007775fc15 7 bytes {MOV EDX, 0xbee1a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007775fc2d 7 bytes {MOV EDX, 0xbee128; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007775fc45 7 bytes {MOV EDX, 0xbee328; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007775fc75 7 bytes {MOV EDX, 0xbee368; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007775fcf5 7 bytes {MOV EDX, 0xbee2e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007775fd0d 7 bytes {MOV EDX, 0xbee2a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007775fd59 7 bytes {MOV EDX, 0xbee068; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007775fe51 7 bytes {MOV EDX, 0xbee0a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000777600a9 7 bytes {MOV EDX, 0xbee028; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000777610b5 7 bytes {MOV EDX, 0xbee1e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007776112d 7 bytes {MOV EDX, 0xbee168; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077761331 7 bytes {MOV EDX, 0xbee0e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007775f9a1 7 bytes {MOV EDX, 0x7a6228; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007775fbe5 7 bytes {MOV EDX, 0x7a6268; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007775fc15 7 bytes {MOV EDX, 0x7a61a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007775fc2d 7 bytes {MOV EDX, 0x7a6128; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007775fc45 7 bytes {MOV EDX, 0x7a6328; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007775fc75 7 bytes {MOV EDX, 0x7a6368; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007775fcf5 7 bytes {MOV EDX, 0x7a62e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007775fd0d 7 bytes {MOV EDX, 0x7a62a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007775fd59 7 bytes {MOV EDX, 0x7a6068; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007775fe51 7 bytes {MOV EDX, 0x7a60a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000777600a9 7 bytes {MOV EDX, 0x7a6028; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000777610b5 7 bytes {MOV EDX, 0x7a61e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007776112d 7 bytes {MOV EDX, 0x7a6168; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077761331 7 bytes {MOV EDX, 0x7a60e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007775f9a1 7 bytes {MOV EDX, 0x44e228; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007775fbe5 7 bytes {MOV EDX, 0x44e268; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007775fc15 7 bytes {MOV EDX, 0x44e1a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007775fc2d 7 bytes {MOV EDX, 0x44e128; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007775fc45 7 bytes {MOV EDX, 0x44e328; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007775fc75 7 bytes {MOV EDX, 0x44e368; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007775fcf5 7 bytes {MOV EDX, 0x44e2e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007775fd0d 7 bytes {MOV EDX, 0x44e2a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007775fd59 7 bytes {MOV EDX, 0x44e068; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007775fe51 7 bytes {MOV EDX, 0x44e0a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000777600a9 7 bytes {MOV EDX, 0x44e028; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000777610b5 7 bytes {MOV EDX, 0x44e1e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007776112d 7 bytes {MOV EDX, 0x44e168; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077761331 7 bytes {MOV EDX, 0x44e0e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007775f9a1 7 bytes {MOV EDX, 0xd9f228; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007775fbe5 7 bytes {MOV EDX, 0xd9f268; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007775fc15 7 bytes {MOV EDX, 0xd9f1a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007775fc2d 7 bytes {MOV EDX, 0xd9f128; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007775fc45 7 bytes {MOV EDX, 0xd9f328; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007775fc75 7 bytes {MOV EDX, 0xd9f368; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007775fcf5 7 bytes {MOV EDX, 0xd9f2e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007775fd0d 7 bytes {MOV EDX, 0xd9f2a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007775fd59 7 bytes {MOV EDX, 0xd9f068; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007775fe51 7 bytes {MOV EDX, 0xd9f0a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000777600a9 7 bytes {MOV EDX, 0xd9f028; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000777610b5 7 bytes {MOV EDX, 0xd9f1e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007776112d 7 bytes {MOV EDX, 0xd9f168; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077761331 7 bytes {MOV EDX, 0xd9f0e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[5076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007775f9a1 7 bytes {MOV EDX, 0xcc1a28; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007775fbe5 7 bytes {MOV EDX, 0xcc1a68; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007775fc15 7 bytes {MOV EDX, 0xcc19a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007775fc2d 7 bytes {MOV EDX, 0xcc1928; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007775fc45 7 bytes {MOV EDX, 0xcc1b28; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007775fc75 7 bytes {MOV EDX, 0xcc1b68; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007775fcf5 7 bytes {MOV EDX, 0xcc1ae8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007775fd0d 7 bytes {MOV EDX, 0xcc1aa8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007775fd59 7 bytes {MOV EDX, 0xcc1868; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007775fe51 7 bytes {MOV EDX, 0xcc18a8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000777600a9 7 bytes {MOV EDX, 0xcc1828; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000777610b5 7 bytes {MOV EDX, 0xcc19e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007776112d 7 bytes {MOV EDX, 0xcc1968; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077761331 7 bytes {MOV EDX, 0xcc18e8; JMP RDX} .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75] .text C:\Users\dom\AppData\Local\Google\Chrome\Application\chrome.exe[4720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75] .text ... * 2 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fefb02741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fefb025f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fefb025674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fefb025e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fefb027f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fefb026a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fefb026ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fefb027b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fefb027ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fefb0278b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fefb024fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fefb025d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2988] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fefb027584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2664] 0000000077786679 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2676] 00000000777841f3 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2752] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2760] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2764] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2768] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2772] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2796] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2800] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2828] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2832] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2864] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3016] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3020] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3024] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2420] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2404] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2400] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2392] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2380] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:2212] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3028] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3148] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3152] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3156] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3160] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3164] 0000000077786679 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3176] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3188] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3228] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3232] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3236] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3240] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:3968] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:4104] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:4108] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:4364] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:4368] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:4372] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:4376] 00000000739c29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2656:4652] 00000000777a14f1 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x26 0xE1 0xD3 0x98 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x26 0xE1 0xD3 0x98 ... ---- EOF - GMER 2.1 ----