GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-22 23:01:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GJ00 465.76GB Running: j09vlipz.exe; Driver: C:\Users\cat\AppData\Local\Temp\pwldqpow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 698 fffff800031f308a 7 bytes [00, 00, 00, 00, 00, 00, 03] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 706 fffff800031f3092 4 bytes [00, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .reloc C:\Windows\system32\services.exe [484] section is executable [0x4A8, 0xA0000020] 0000000100052000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2392] C:\Windows\syswow64\CRYPT32.dll!CryptImportPublicKeyInfoEx + 152 00000000761339ca 7 bytes JMP 00000001004df630 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075411465 2 bytes [41, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754114bb 2 bytes [41, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007785f991 7 bytes {MOV EDX, 0x246228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007785fbd5 7 bytes {MOV EDX, 0x246268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007785fc05 7 bytes {MOV EDX, 0x2461a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007785fc1d 7 bytes {MOV EDX, 0x246128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007785fc35 7 bytes {MOV EDX, 0x246328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007785fc65 7 bytes {MOV EDX, 0x246368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007785fce5 7 bytes {MOV EDX, 0x2462e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007785fcfd 7 bytes {MOV EDX, 0x2462a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007785fd49 7 bytes {MOV EDX, 0x246068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007785fe41 7 bytes {MOV EDX, 0x2460a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077860099 7 bytes {MOV EDX, 0x246028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778610a5 7 bytes {MOV EDX, 0x2461e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007786111d 7 bytes {MOV EDX, 0x246168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077861321 7 bytes {MOV EDX, 0x2460e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075411465 2 bytes [41, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754114bb 2 bytes [41, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007785f991 7 bytes {MOV EDX, 0x694228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007785fbd5 7 bytes {MOV EDX, 0x694268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007785fc05 7 bytes {MOV EDX, 0x6941a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007785fc1d 7 bytes {MOV EDX, 0x694128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007785fc35 7 bytes {MOV EDX, 0x694328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007785fc65 7 bytes {MOV EDX, 0x694368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007785fce5 7 bytes {MOV EDX, 0x6942e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007785fcfd 7 bytes {MOV EDX, 0x6942a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007785fd49 7 bytes {MOV EDX, 0x694068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007785fe41 7 bytes {MOV EDX, 0x6940a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077860099 7 bytes {MOV EDX, 0x694028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778610a5 7 bytes {MOV EDX, 0x6941e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007786111d 7 bytes {MOV EDX, 0x694168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077861321 7 bytes {MOV EDX, 0x6940e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075411465 2 bytes [41, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754114bb 2 bytes [41, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007785f991 7 bytes {MOV EDX, 0x68b628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007785fbd5 7 bytes {MOV EDX, 0x68b668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007785fc05 7 bytes {MOV EDX, 0x68b5a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007785fc1d 7 bytes {MOV EDX, 0x68b528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007785fc35 7 bytes {MOV EDX, 0x68b728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007785fc65 7 bytes {MOV EDX, 0x68b768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007785fce5 7 bytes {MOV EDX, 0x68b6e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007785fcfd 7 bytes {MOV EDX, 0x68b6a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007785fd49 7 bytes {MOV EDX, 0x68b468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007785fe41 7 bytes {MOV EDX, 0x68b4a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077860099 7 bytes {MOV EDX, 0x68b428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778610a5 7 bytes {MOV EDX, 0x68b5e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007786111d 7 bytes {MOV EDX, 0x68b568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077861321 7 bytes {MOV EDX, 0x68b4e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075411465 2 bytes [41, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754114bb 2 bytes [41, 75] .text ... * 2 .text C:\Users\cat\Downloads\OTL.exe[1020] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075411465 2 bytes [41, 75] .text C:\Users\cat\Downloads\OTL.exe[1020] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000754114bb 2 bytes [41, 75] .text ... * 2 .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\syswow64\user32.dll!GetCursorPos 00000000762e1218 5 bytes JMP 00000001002e000a .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\syswow64\user32.dll!DialogBoxIndirectParamAorW 00000000762fce54 5 bytes JMP 00000001002f000a .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\syswow64\ole32.DLL!CoCreateInstance 0000000076fb9d0b 5 bytes JMP 00000001002d000a .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 0000000074d0451e 5 bytes JMP 000000010024000a .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000074cf11a8 2 bytes [CF, 74] .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000074cf13a8 2 bytes [CF, 74] .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000074cf1422 2 bytes [CF, 74] .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000074cf1498 2 bytes [CF, 74] .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075411465 2 bytes [41, 75] .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754114bb 2 bytes [41, 75] .text ... * 2 .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195 0000000072711b41 2 bytes [71, 72] .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362 0000000072711be8 2 bytes [71, 72] .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418 0000000072711c20 2 bytes [71, 72] .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596 0000000072711cd2 2 bytes [71, 72] .text C:\Windows\SysWOW64\svchost.exe[2944] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628 0000000072711cf2 2 bytes [71, 72] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\services.exe [484:516] 0000000000191e58 Thread C:\Windows\system32\services.exe [484:620] 00000000001a1808 Thread C:\Windows\system32\services.exe [484:628] 00000000001c4c70 Thread C:\Windows\system32\services.exe [484:632] 00000000001c4550 Thread C:\Windows\system32\services.exe [484:636] 00000000001c8ea0 Thread C:\Windows\SysWOW64\svchost.exe [2944:4004] 00000000746785a0 Thread C:\Windows\SysWOW64\svchost.exe [2944:2328] 0000000074677f90 Thread C:\Windows\SysWOW64\svchost.exe [2944:1188] 0000000074677f50 ---- Processes - GMER 2.1 ---- Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\wininit.exe [400] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-06-21 11:04:09) 000007fefd140000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [732] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-06-21 11:04:09) 000007fefd140000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [836] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-06-21 11:04:09) 000007fefd140000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [952] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-06-21 11:04:09) 000007fefd140000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076a27abb Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\2c8158b9a9fd Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbd9a40b Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbd9a40b@68ebae69a598 0x6F 0x67 0xFB 0x41 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076a27abb (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\2c8158b9a9fd (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbd9a40b (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbd9a40b@68ebae69a598 0x6F 0x67 0xFB 0x41 ... ---- EOF - GMER 2.1 ----