GMER 2.1.19115 - http://www.gmer.net Rootkit scan 2013-03-02 06:16:21 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GJ00 298,09GB Running: lr9ybhgw.exe; Driver: C:\Users\heniu\AppData\Local\Temp\awddikob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Web Assistant\ExtensionUpdaterService.exe[1924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778e1465 2 bytes [8E, 77] .text C:\Program Files\Web Assistant\ExtensionUpdaterService.exe[1924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778e14bb 2 bytes [8E, 77] .text ... * 2 .text C:\Windows\igfxtray.exe[3188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778e1465 2 bytes [8E, 77] .text C:\Windows\igfxtray.exe[3188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778e14bb 2 bytes [8E, 77] .text ... * 2 .text C:\Users\heniu\AppData\Local\Temp\zabijak.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778e1465 2 bytes [8E, 77] .text C:\Users\heniu\AppData\Local\Temp\zabijak.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778e14bb 2 bytes [8E, 77] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778e1465 2 bytes [8E, 77] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778e14bb 2 bytes [8E, 77] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2624] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000074bf11a8 2 bytes [BF, 74] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2624] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000074bf13a8 2 bytes [BF, 74] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2624] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000074bf1422 2 bytes [BF, 74] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2624] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000074bf1498 2 bytes [BF, 74] .text C:\Users\heniu\Desktop\OTL.exe[3008] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000778e1465 2 bytes [8E, 77] .text C:\Users\heniu\Desktop\OTL.exe[3008] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000778e14bb 2 bytes [8E, 77] .text ... * 2 .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778e1465 2 bytes [8E, 77] .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778e14bb 2 bytes [8E, 77] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [792] entry point in ".rdata" section 00000000752871e6 .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007792f941 7 bytes {MOV EDX, 0x150628; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007792fb85 7 bytes {MOV EDX, 0x150668; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007792fbb5 7 bytes {MOV EDX, 0x1505a8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007792fbcd 7 bytes {MOV EDX, 0x150528; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007792fbe5 7 bytes {MOV EDX, 0x150728; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007792fc15 7 bytes {MOV EDX, 0x150768; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007792fc95 7 bytes {MOV EDX, 0x1506e8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007792fcad 7 bytes {MOV EDX, 0x1506a8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007792fcf9 7 bytes {MOV EDX, 0x150468; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007792fdf1 7 bytes {MOV EDX, 0x1504a8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077930049 7 bytes {MOV EDX, 0x150428; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077931055 7 bytes {MOV EDX, 0x1505e8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000779310cd 7 bytes {MOV EDX, 0x150568; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000779312d1 7 bytes {MOV EDX, 0x1504e8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778e1465 2 bytes [8E, 77] .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778e14bb 2 bytes [8E, 77] .text ... * 2 .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007792f941 7 bytes {MOV EDX, 0xb5de28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007792fb85 7 bytes {MOV EDX, 0xb5de68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007792fbb5 7 bytes {MOV EDX, 0xb5dda8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007792fbcd 7 bytes {MOV EDX, 0xb5dd28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007792fbe5 7 bytes {MOV EDX, 0xb5df28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007792fc15 7 bytes {MOV EDX, 0xb5df68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007792fc95 7 bytes {MOV EDX, 0xb5dee8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007792fcad 7 bytes {MOV EDX, 0xb5dea8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007792fcf9 7 bytes {MOV EDX, 0xb5dc68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007792fdf1 7 bytes {MOV EDX, 0xb5dca8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077930049 7 bytes {MOV EDX, 0xb5dc28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077931055 7 bytes {MOV EDX, 0xb5dde8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000779310cd 7 bytes {MOV EDX, 0xb5dd68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000779312d1 7 bytes {MOV EDX, 0xb5dce8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778e1465 2 bytes [8E, 77] .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778e14bb 2 bytes [8E, 77] .text ... * 2 .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007792f941 7 bytes {MOV EDX, 0x8bae28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007792fb85 7 bytes {MOV EDX, 0x8bae68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007792fbb5 7 bytes {MOV EDX, 0x8bada8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007792fbcd 7 bytes {MOV EDX, 0x8bad28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007792fbe5 7 bytes {MOV EDX, 0x8baf28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007792fc15 7 bytes {MOV EDX, 0x8baf68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007792fc95 7 bytes {MOV EDX, 0x8baee8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007792fcad 7 bytes {MOV EDX, 0x8baea8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007792fcf9 7 bytes {MOV EDX, 0x8bac68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007792fdf1 7 bytes {MOV EDX, 0x8baca8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077930049 7 bytes {MOV EDX, 0x8bac28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077931055 7 bytes {MOV EDX, 0x8bade8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000779310cd 7 bytes {MOV EDX, 0x8bad68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000779312d1 7 bytes {MOV EDX, 0x8bace8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778e1465 2 bytes [8E, 77] .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778e14bb 2 bytes [8E, 77] .text ... * 2 .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778e1465 2 bytes [8E, 77] .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778e14bb 2 bytes [8E, 77] .text ... * 2 .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007792f941 7 bytes {MOV EDX, 0xf05e28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007792fb85 7 bytes {MOV EDX, 0xf05e68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007792fbb5 7 bytes {MOV EDX, 0xf05da8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007792fbcd 7 bytes {MOV EDX, 0xf05d28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007792fbe5 7 bytes {MOV EDX, 0xf05f28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007792fc15 7 bytes {MOV EDX, 0xf05f68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007792fc95 7 bytes {MOV EDX, 0xf05ee8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007792fcad 7 bytes {MOV EDX, 0xf05ea8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007792fcf9 7 bytes {MOV EDX, 0xf05c68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007792fdf1 7 bytes {MOV EDX, 0xf05ca8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077930049 7 bytes {MOV EDX, 0xf05c28; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077931055 7 bytes {MOV EDX, 0xf05de8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000779310cd 7 bytes {MOV EDX, 0xf05d68; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000779312d1 7 bytes {MOV EDX, 0xf05ce8; JMP RDX} .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778e1465 2 bytes [8E, 77] .text C:\Users\heniu\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778e14bb 2 bytes [8E, 77] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1292:248] 000007fefb422a88 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1292:3880] 000007fef15bc0b0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1292:2740] 000007fef15bc0b0 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----