GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-01-09 15:23:16 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 WDC_WD3200AAKS-75VYA0 rev.12.01B02 298,09GB Running: pozenxzy.exe; Driver: C:\Users\Damian\AppData\Local\Temp\awwdrpog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000d3f00 7 bytes [80, 9D, F3, FF, 01, A9, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000d3f08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f5fcb0 5 bytes JMP 00000001002a091c .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f5fe14 5 bytes JMP 00000001002a0048 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f5fea8 5 bytes JMP 00000001002a02ee .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f60004 5 bytes JMP 00000001002a04b2 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f60038 5 bytes JMP 00000001002a09fe .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f60068 5 bytes JMP 00000001002a0ae0 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f60084 5 bytes JMP 0000000100020050 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f6079c 5 bytes JMP 00000001002a012a .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f6088c 5 bytes JMP 00000001002a0758 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f608a4 5 bytes JMP 00000001002a0676 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f60df4 5 bytes JMP 00000001002a03d0 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f61920 5 bytes JMP 00000001002a0594 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f61be4 5 bytes JMP 00000001002a083a .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076f61d70 5 bytes JMP 00000001002a020c .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\syswow64\user32.DLL!RecordShutdownReason + 882 0000000075d71492 7 bytes JMP 00000001002a0bc2 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075f9524f 7 bytes JMP 00000001002c012c .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075f953d0 7 bytes JMP 00000001002c03d8 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075f95677 7 bytes JMP 00000001002c0210 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075f9589a 7 bytes JMP 00000001002a0e6a .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075f95a1d 7 bytes JMP 00000001002c05a0 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075f95c9b 7 bytes JMP 00000001002c02f4 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075f95d87 7 bytes JMP 00000001002c04bc .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075f97240 7 bytes JMP 00000001002c0048 .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000076611465 2 bytes [61, 76] .text C:\Users\Damian\Downloads\OTL.exe[516] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000766114bb 2 bytes [61, 76] .text ... * 2 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f5fcb0 5 bytes JMP 000000010026091c .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f5fe14 5 bytes JMP 0000000100260048 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f5fea8 5 bytes JMP 00000001002602ee .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f60004 5 bytes JMP 00000001002604b2 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f60038 5 bytes JMP 00000001002609fe .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f60068 5 bytes JMP 0000000100260ae0 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f60084 5 bytes JMP 0000000100020050 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f6079c 5 bytes JMP 000000010026012a .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f6088c 5 bytes JMP 0000000100260758 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f608a4 5 bytes JMP 0000000100260676 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f60df4 5 bytes JMP 00000001002603d0 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f61920 5 bytes JMP 0000000100260594 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f61be4 5 bytes JMP 000000010026083a .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000076f61d70 5 bytes JMP 000000010026020c .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075f9524f 7 bytes JMP 0000000100260f52 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075f953d0 7 bytes JMP 0000000100340210 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075f95677 1 byte JMP 0000000100340048 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075f95679 5 bytes {JMP 0xffffffff8a3aa9d1} .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075f9589a 7 bytes JMP 0000000100260ca6 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075f95a1d 7 bytes JMP 00000001003403d8 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075f95c9b 7 bytes JMP 000000010034012c .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075f95d87 7 bytes JMP 00000001003402f4 .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075f97240 7 bytes JMP 0000000100260e6e .text C:\Users\Damian\Downloads\pozenxzy.exe[2496] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075d71492 7 bytes JMP 00000001003404bc ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [880:504] 000007fefb006204 Thread C:\Windows\System32\svchost.exe [880:1112] 000007fefa5a5428 Thread C:\Windows\System32\svchost.exe [880:1940] 000007fef7a36b8c Thread C:\Windows\System32\svchost.exe [880:1952] 000007fef7a31d88 Thread C:\Windows\System32\svchost.exe [880:564] 000007fefb772070 Thread C:\Windows\system32\svchost.exe [424:1088] 000007fefa818274 Thread C:\Windows\system32\svchost.exe [424:1620] 000007fefa818274 Thread C:\Windows\System32\spoolsv.exe [1240:1728] 000007fef7e710c8 Thread C:\Windows\System32\spoolsv.exe [1240:1740] 000007fef7c76144 Thread C:\Windows\System32\spoolsv.exe [1240:1744] 000007fef7a55fd0 Thread C:\Windows\System32\spoolsv.exe [1240:1748] 000007fef7a23438 Thread C:\Windows\System32\spoolsv.exe [1240:1752] 000007fef7a563ec Thread C:\Windows\System32\spoolsv.exe [1240:1760] 000007fef85b5e5c Thread C:\Windows\System32\spoolsv.exe [1240:1764] 000007fef85e5074 Thread C:\Windows\system32\svchost.exe [1348:2304] 000007fefaa52888 Thread C:\Windows\system32\svchost.exe [1348:2308] 000007fefaa42940 Thread C:\Windows\system32\svchost.exe [1348:3500] 000007fefaa52a40 Thread C:\Windows\system32\svchost.exe [1560:3432] 000007fef90644e0 Thread C:\Windows\system32\svchost.exe [2560:3636] 000007feefdb8470 Thread C:\Windows\system32\svchost.exe [2560:3592] 000007feefdc2418 ---- EOF - GMER 2.1 ----