GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-27 21:06:33 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HTS545032B9A300 rev.PB3OC60F 298,09GB Running: gz1slzyk.exe; Driver: C:\Users\booniek\AppData\Local\Temp\pwdiipog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075341465 2 bytes [34, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753414bb 2 bytes [34, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000778cf9a1 7 bytes {MOV EDX, 0xcb9228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000778cfbe5 7 bytes {MOV EDX, 0xcb9268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000778cfc15 7 bytes {MOV EDX, 0xcb91a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000778cfc2d 7 bytes {MOV EDX, 0xcb9128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000778cfc45 7 bytes {MOV EDX, 0xcb9328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000778cfc75 7 bytes {MOV EDX, 0xcb9368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000778cfcf5 7 bytes {MOV EDX, 0xcb92e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000778cfd0d 7 bytes {MOV EDX, 0xcb92a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000778cfd59 7 bytes {MOV EDX, 0xcb9068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000778cfe51 7 bytes {MOV EDX, 0xcb90a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000778d00a9 7 bytes {MOV EDX, 0xcb9028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778d10b5 7 bytes {MOV EDX, 0xcb91e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000778d112d 7 bytes {MOV EDX, 0xcb9168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000778d1331 7 bytes {MOV EDX, 0xcb90e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075341465 2 bytes [34, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753414bb 2 bytes [34, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000778cf9a1 7 bytes {MOV EDX, 0xd7aa28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000778cfbe5 7 bytes {MOV EDX, 0xd7aa68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000778cfc15 7 bytes {MOV EDX, 0xd7a9a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000778cfc2d 7 bytes {MOV EDX, 0xd7a928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000778cfc45 7 bytes {MOV EDX, 0xd7ab28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000778cfc75 7 bytes {MOV EDX, 0xd7ab68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000778cfcf5 7 bytes {MOV EDX, 0xd7aae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000778cfd0d 7 bytes {MOV EDX, 0xd7aaa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000778cfd59 7 bytes {MOV EDX, 0xd7a868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000778cfe51 7 bytes {MOV EDX, 0xd7a8a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000778d00a9 7 bytes {MOV EDX, 0xd7a828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778d10b5 7 bytes {MOV EDX, 0xd7a9e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000778d112d 7 bytes {MOV EDX, 0xd7a968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000778d1331 7 bytes {MOV EDX, 0xd7a8e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075341465 2 bytes [34, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753414bb 2 bytes [34, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000778cf9a1 7 bytes {MOV EDX, 0xc54628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000778cfbe5 7 bytes {MOV EDX, 0xc54668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000778cfc15 7 bytes {MOV EDX, 0xc545a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000778cfc2d 7 bytes {MOV EDX, 0xc54528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000778cfc45 7 bytes {MOV EDX, 0xc54728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000778cfc75 7 bytes {MOV EDX, 0xc54768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000778cfcf5 7 bytes {MOV EDX, 0xc546e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000778cfd0d 7 bytes {MOV EDX, 0xc546a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000778cfd59 7 bytes {MOV EDX, 0xc54468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000778cfe51 7 bytes {MOV EDX, 0xc544a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000778d00a9 7 bytes {MOV EDX, 0xc54428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778d10b5 7 bytes {MOV EDX, 0xc545e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000778d112d 7 bytes {MOV EDX, 0xc54568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000778d1331 7 bytes {MOV EDX, 0xc544e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075341465 2 bytes [34, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753414bb 2 bytes [34, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000778cf9a1 7 bytes {MOV EDX, 0xddda28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000778cfbe5 7 bytes {MOV EDX, 0xddda68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000778cfc15 7 bytes {MOV EDX, 0xddd9a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000778cfc2d 7 bytes {MOV EDX, 0xddd928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000778cfc45 7 bytes {MOV EDX, 0xdddb28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000778cfc75 7 bytes {MOV EDX, 0xdddb68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000778cfcf5 7 bytes {MOV EDX, 0xdddae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000778cfd0d 7 bytes {MOV EDX, 0xdddaa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000778cfd59 7 bytes {MOV EDX, 0xddd868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000778cfe51 7 bytes {MOV EDX, 0xddd8a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000778d00a9 7 bytes {MOV EDX, 0xddd828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778d10b5 7 bytes {MOV EDX, 0xddd9e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000778d112d 7 bytes {MOV EDX, 0xddd968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000778d1331 7 bytes {MOV EDX, 0xddd8e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075341465 2 bytes [34, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753414bb 2 bytes [34, 75] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [820:3940] 000007fef4696b8c Thread C:\Windows\System32\svchost.exe [820:3944] 000007fef4691d88 Thread C:\Windows\System32\svchost.exe [868:320] 000007fefb3f59a0 Thread C:\Windows\System32\svchost.exe [868:1556] 000007fefd5d1a70 Thread C:\Windows\System32\svchost.exe [868:1824] 000007fef90020c0 Thread C:\Windows\System32\svchost.exe [868:1828] 000007fef90026a8 Thread C:\Windows\System32\svchost.exe [868:1496] 000007fef9ec44e0 Thread C:\Windows\System32\svchost.exe [868:2172] 000007fefa3a88f8 Thread C:\Windows\System32\svchost.exe [868:1788] 000007fef90029dc Thread C:\Windows\system32\svchost.exe [896:2680] 000007fef51884d8 Thread C:\Windows\system32\svchost.exe [896:2704] 000007fef51423a8 Thread C:\Windows\system32\svchost.exe [896:2712] 000007fef51c0d00 Thread C:\Windows\system32\svchost.exe [896:2716] 000007fef5099498 Thread C:\Windows\system32\svchost.exe [896:3160] 000007fef48a506c Thread C:\Windows\system32\svchost.exe [896:3168] 000007fef8d31c20 Thread C:\Windows\system32\svchost.exe [896:3164] 000007fef8d31c20 Thread C:\Windows\system32\svchost.exe [896:2268] 000007fef9171ab0 Thread C:\Windows\system32\svchost.exe [896:2812] 000007fef9194164 Thread C:\Windows\system32\svchost.exe [200:1800] 000007fef95c0ea8 Thread C:\Windows\system32\svchost.exe [200:1836] 000007fef95b9db0 Thread C:\Windows\system32\svchost.exe [200:1888] 000007fef95baa10 Thread C:\Windows\system32\svchost.exe [200:1912] 000007fef95c1c94 Thread C:\Windows\system32\svchost.exe [200:2844] 000007fef58cd3c8 Thread C:\Windows\system32\svchost.exe [200:2848] 000007fef58cd3c8 Thread C:\Windows\system32\svchost.exe [200:2852] 000007fef58cd3c8 Thread C:\Windows\system32\svchost.exe [200:2856] 000007fef58cd3c8 Thread C:\Windows\system32\svchost.exe [588:2140] 000007fef3df5170 Thread C:\Windows\System32\spoolsv.exe [1148:936] 000007fef7a210c8 Thread C:\Windows\System32\spoolsv.exe [1148:2060] 000007fef8206144 Thread C:\Windows\System32\spoolsv.exe [1148:2064] 000007fef9e45fd0 Thread C:\Windows\System32\spoolsv.exe [1148:2088] 000007fef81e3438 Thread C:\Windows\System32\spoolsv.exe [1148:2092] 000007fef9e463ec Thread C:\Windows\System32\spoolsv.exe [1148:2104] 000007fef8b05e5c Thread C:\Windows\System32\spoolsv.exe [1148:2108] 000007fef8445090 Thread C:\Windows\system32\svchost.exe [1224:1248] 000007fefd5d1a70 Thread C:\Windows\system32\svchost.exe [1224:1256] 000007fefd5d1a70 Thread C:\Windows\system32\svchost.exe [1224:1452] 000007fefa4b35c0 Thread C:\Windows\system32\svchost.exe [1224:1456] 000007fefa4b5600 Thread C:\Windows\system32\svchost.exe [1224:1880] 000007fef8e12940 Thread C:\Windows\system32\svchost.exe [1224:2136] 000007fef8162888 Thread C:\Windows\system32\svchost.exe [1224:3816] 000007fef8162a40 Thread C:\Windows\system32\taskhost.exe [1100:1944] 000007fef8b42740 Thread C:\Windows\system32\taskhost.exe [1100:1932] 000007fef8b11f38 Thread C:\Windows\system32\taskhost.exe [1100:1272] 000007fefbc81010 Thread C:\Windows\system32\taskhost.exe [1100:2056] 000007feff8e9274 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2884:2316] 000007fefc142ab8 Thread C:\Windows\System32\svchost.exe [3808:4016] 000007fef2e09688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{58174616-8CA2-44AD-9081-D9E4FD3E982D}\Connection@Name isatap.{54824EE0-F076-4175-B0AE-C4E247EE5234} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{F218B6C8-2567-4BA8-AD3F-4FA1DFA41BAA}?\Device\{99628081-A241-437A-87B8-BB9BBEAD2548}?\Device\{6337CB9D-B002-4BB5-BD55-4F0E057E70C9}??Device\{6337CB9D-B002-4BB5-BD55-4F0E057E70C9}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{F218B6C8-2567-4BA8-AD3F-4FA1DFA41BAA}"?"{99628081-A241-437A-87B8-BB9BBEAD2548}"?"{6337CB9D-B002-4BB5-BD55-4F0E057E70C9}"??{6337CB9D-B002-4BB5-BD55-4F0E057E70C9}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{F218B6C8-2567-4BA8-AD3F-4FA1DFA41BAA}?\Device\TCPIP6TUNNEL_{99628081-A241-437A-87B8-BB9BBEAD2548}?\Device\TCPIP6TUNNEL_{6337CB9D-B002-4BB5-BD55-4F0E057E70C9}??Device\TCPIP6TUNNEL_{6337CB9D-B002-4BB5-BD55-4F0E057E70C9}? Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters@DhcpNameServer 10.100.100.1 10.100.100.253 ---- EOF - GMER 2.1 ----