GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-01-27 12:30:34 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001d ST1000LM024_HN-M101MBB rev.2AR20002 931,51GB Running: wcog0kzx.exe; Driver: C:\Users\SAWOMI~1\AppData\Local\Temp\axtdrpow.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffa4ded0ed0 5 bytes JMP 00007fface000450 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffa4ded0f20 5 bytes JMP 00007fface000440 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffa4ded1080 5 bytes JMP 00007fface000360 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffa4ded10d0 1 byte JMP 00007fface000460 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00007ffa4ded10d2 3 bytes {JMP 0xffffffff8012f390} .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffa4ded10e0 5 bytes JMP 00007fface0003d0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffa4ded1190 5 bytes JMP 00007fface000310 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffa4ded11c0 5 bytes JMP 00007fface0003a0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffa4ded11e0 5 bytes JMP 00007fface000380 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffa4ded1220 5 bytes JMP 00007fface0002d0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffa4ded12a0 5 bytes JMP 00007fface0002c0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffa4ded12c0 5 bytes JMP 00007fface000300 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffa4ded1300 5 bytes JMP 00007fface0003b0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffa4ded1350 1 byte JMP 00007fface0003e0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00007ffa4ded1352 3 bytes {JMP 0xffffffff8012f090} .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffa4ded14b0 5 bytes JMP 00007fface000220 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffa4ded16a0 5 bytes JMP 00007fface000470 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffa4ded16d0 5 bytes JMP 00007fface000390 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffa4ded17f0 5 bytes JMP 00007fface0002e0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffa4ded1810 5 bytes JMP 00007fface000340 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffa4ded1880 5 bytes JMP 00007fface000280 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffa4ded1910 1 byte JMP 00007fface0002a0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00007ffa4ded1912 3 bytes JMP 00007ffa4ded9929 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffa4ded1930 1 byte JMP 00007fface0003c0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00007ffa4ded1932 3 bytes {JMP 0xffffffff8012ea90} .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffa4ded1940 5 bytes JMP 00007fface000320 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffa4ded19f0 5 bytes JMP 00007fface000400 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffa4ded1a20 5 bytes JMP 00007fface000230 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffa4ded1d40 1 byte JMP 00007fface0001d0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver + 2 00007ffa4ded1d42 3 bytes {JMP 0xffffffff8012e490} .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffa4ded1e00 5 bytes JMP 00007fface000240 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffa4ded1e30 5 bytes JMP 00007fface000480 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffa4ded1e40 5 bytes JMP 00007fface000490 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffa4ded1e70 5 bytes JMP 00007fface0002f0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffa4ded1e80 5 bytes JMP 00007fface000350 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffa4ded1ee0 5 bytes JMP 00007fface000290 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffa4ded1f30 5 bytes JMP 00007fface0002b0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffa4ded1f60 5 bytes JMP 00007fface000370 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffa4ded1f70 5 bytes JMP 00007fface000330 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffa4ded2280 5 bytes JMP 00007fface000430 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffa4ded2480 5 bytes JMP 00007fface000250 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffa4ded2490 5 bytes JMP 00007fface000260 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffa4ded24b0 5 bytes JMP 00007fface0003f0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffa4ded2690 5 bytes JMP 00007fface0001e0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffa4ded26a0 5 bytes JMP 00007fface000200 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffa4ded2730 5 bytes JMP 00007fface0001f0 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffa4ded27a0 5 bytes JMP 00007fface000410 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffa4ded27b0 5 bytes JMP 00007fface000420 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffa4ded27c0 5 bytes JMP 00007fface000210 .text C:\WINDOWS\system32\AUDIODG.EXE[2880] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffa4ded28d0 5 bytes JMP 00007fface000270 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [2648:5216] fffff960009792d0 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----