GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-21 12:04:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB Running: zwbdoi11.exe; Driver: C:\Users\michal\AppData\Local\Temp\awrdrpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80002ff5000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff80002ff502f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075681465 2 bytes [68, 75] .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756814bb 2 bytes [68, 75] .text ... * 2 .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007706f991 7 bytes {MOV EDX, 0x213a28; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007706fbd5 7 bytes {MOV EDX, 0x213a68; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007706fc05 7 bytes {MOV EDX, 0x2139a8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007706fc1d 7 bytes {MOV EDX, 0x213928; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007706fc35 7 bytes {MOV EDX, 0x213b28; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007706fc65 7 bytes {MOV EDX, 0x213b68; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007706fce5 7 bytes {MOV EDX, 0x213ae8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007706fcfd 7 bytes {MOV EDX, 0x213aa8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007706fd49 7 bytes {MOV EDX, 0x213868; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007706fe41 7 bytes {MOV EDX, 0x2138a8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077070099 7 bytes {MOV EDX, 0x213828; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770710a5 7 bytes {MOV EDX, 0x2139e8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007707111d 7 bytes {MOV EDX, 0x213968; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077071321 7 bytes {MOV EDX, 0x2138e8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075681465 2 bytes [68, 75] .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[4536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756814bb 2 bytes [68, 75] .text ... * 2 .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007706f991 7 bytes {MOV EDX, 0x38b628; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007706fbd5 7 bytes {MOV EDX, 0x38b668; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007706fc05 7 bytes {MOV EDX, 0x38b5a8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007706fc1d 7 bytes {MOV EDX, 0x38b528; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007706fc35 7 bytes {MOV EDX, 0x38b728; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007706fc65 7 bytes {MOV EDX, 0x38b768; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007706fce5 7 bytes {MOV EDX, 0x38b6e8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007706fcfd 7 bytes {MOV EDX, 0x38b6a8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007706fd49 7 bytes {MOV EDX, 0x38b468; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007706fe41 7 bytes {MOV EDX, 0x38b4a8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077070099 7 bytes {MOV EDX, 0x38b428; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770710a5 7 bytes {MOV EDX, 0x38b5e8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007707111d 7 bytes {MOV EDX, 0x38b568; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077071321 7 bytes {MOV EDX, 0x38b4e8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075681465 2 bytes [68, 75] .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756814bb 2 bytes [68, 75] .text ... * 2 .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007706f991 7 bytes {MOV EDX, 0x2f2228; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007706fbd5 7 bytes {MOV EDX, 0x2f2268; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007706fc05 7 bytes {MOV EDX, 0x2f21a8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007706fc1d 7 bytes {MOV EDX, 0x2f2128; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007706fc35 7 bytes {MOV EDX, 0x2f2328; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007706fc65 7 bytes {MOV EDX, 0x2f2368; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007706fce5 7 bytes {MOV EDX, 0x2f22e8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007706fcfd 7 bytes {MOV EDX, 0x2f22a8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007706fd49 7 bytes {MOV EDX, 0x2f2068; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007706fe41 7 bytes {MOV EDX, 0x2f20a8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077070099 7 bytes {MOV EDX, 0x2f2028; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770710a5 7 bytes {MOV EDX, 0x2f21e8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007707111d 7 bytes {MOV EDX, 0x2f2168; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077071321 7 bytes {MOV EDX, 0x2f20e8; JMP RDX} .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075681465 2 bytes [68, 75] .text C:\Users\michal\AppData\Local\Google\Chrome\Application\chrome.exe[3344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756814bb 2 bytes [68, 75] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002556edaf8a Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002556edaf8a@1c66aafc0d82 0x38 0x96 0xA3 0x1F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002556edaf8a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002556edaf8a@1c66aafc0d82 0x38 0x96 0xA3 0x1F ... ---- EOF - GMER 2.1 ----