GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-23 00:10:21
Windows 6.1.7600  x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD1200BEVS-22UST0 rev.01.01A01 111,79GB
Running: gmer.exe; Driver: C:\Users\Edzia\AppData\Local\Temp\fwddrkob.sys


---- User code sections - GMER 2.1 ----

.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                 0000000075fd1401 2 bytes JMP 75efeb26 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                   0000000075fd1419 2 bytes JMP 75f0b513 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                 0000000075fd1431 2 bytes JMP 75f88609 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                 0000000075fd144a 2 bytes CALL 75ee1dfa C:\Windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                     * 9
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                    0000000075fd14dd 2 bytes JMP 75f87efe C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                             0000000075fd14f5 2 bytes JMP 75f880d8 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                    0000000075fd150d 2 bytes JMP 75f87df4 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                             0000000075fd1525 2 bytes JMP 75f881c2 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                   0000000075fd153d 2 bytes JMP 75eff088 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                        0000000075fd1555 2 bytes JMP 75f0b885 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                 0000000075fd156d 2 bytes JMP 75f886c1 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                   0000000075fd1585 2 bytes JMP 75f88222 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                      0000000075fd159d 2 bytes JMP 75f87db8 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                   0000000075fd15b5 2 bytes JMP 75eff121 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                 0000000075fd15cd 2 bytes JMP 75f0b29f C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                             0000000075fd16b2 2 bytes JMP 75f88584 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                             0000000075fd16bd 2 bytes JMP 75f87d4d C:\Windows\syswow64\kernel32.dll
?        C:\Windows\system32\mssprxy.dll [1968] entry point in ".rdata" section                                                                                                  00000000751871e6
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17                                                                           0000000075fd1401 2 bytes JMP 75efeb26 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17                                                                             0000000075fd1419 2 bytes JMP 75f0b513 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17                                                                           0000000075fd1431 2 bytes JMP 75f88609 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42                                                                           0000000075fd144a 2 bytes CALL 75ee1dfa C:\Windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                     * 9
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17                                                                              0000000075fd14dd 2 bytes JMP 75f87efe C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17                                                                       0000000075fd14f5 2 bytes JMP 75f880d8 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17                                                                              0000000075fd150d 2 bytes JMP 75f87df4 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17                                                                       0000000075fd1525 2 bytes JMP 75f881c2 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17                                                                             0000000075fd153d 2 bytes JMP 75eff088 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17                                                                                  0000000075fd1555 2 bytes JMP 75f0b885 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17                                                                           0000000075fd156d 2 bytes JMP 75f886c1 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17                                                                             0000000075fd1585 2 bytes JMP 75f88222 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17                                                                                0000000075fd159d 2 bytes JMP 75f87db8 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17                                                                             0000000075fd15b5 2 bytes JMP 75eff121 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17                                                                           0000000075fd15cd 2 bytes JMP 75f0b29f C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20                                                                       0000000075fd16b2 2 bytes JMP 75f88584 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Edzia\Downloads\OTL.exe[880] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31                                                                       0000000075fd16bd 2 bytes JMP 75f87d4d C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread   C:\Windows\system32\AUDIODG.EXE [956:2712]                                                                                                                              000007fef82a7cfc
Thread   C:\Windows\system32\svchost.exe [248:2096]                                                                                                                              000007fef8610ea8
Thread   C:\Windows\system32\svchost.exe [248:2124]                                                                                                                              000007fef8609db0
Thread   C:\Windows\system32\svchost.exe [248:2284]                                                                                                                              000007fef8611c94
Thread   C:\Windows\system32\svchost.exe [248:2288]                                                                                                                              000007fef860aa10
Thread   C:\Windows\system32\svchost.exe [248:3292]                                                                                                                              000007fef541d3c8
Thread   C:\Windows\system32\svchost.exe [248:3304]                                                                                                                              000007fef541d3c8
Thread   C:\Windows\system32\svchost.exe [248:2732]                                                                                                                              000007fef541d3c8
Thread   C:\Windows\system32\svchost.exe [248:3244]                                                                                                                              000007fef541d3c8
Thread   C:\Windows\system32\svchost.exe [572:1812]                                                                                                                              000007fef8f8f978
Thread   C:\Windows\system32\svchost.exe [572:2328]                                                                                                                              000007fef8ed5124
Thread   C:\Windows\system32\svchost.exe [572:2372]                                                                                                                              000007fef59afd00
Thread   C:\Windows\System32\spoolsv.exe [1280:3040]                                                                                                                             000007fef52c10c8
Thread   C:\Windows\System32\spoolsv.exe [1280:4088]                                                                                                                             000007fef4086144
Thread   C:\Windows\System32\spoolsv.exe [1280:3088]                                                                                                                             000007fef9575fd0
Thread   C:\Windows\System32\spoolsv.exe [1280:3136]                                                                                                                             000007fef4123438
Thread   C:\Windows\System32\spoolsv.exe [1280:3164]                                                                                                                             000007fef95763ec
Thread   C:\Windows\System32\spoolsv.exe [1280:3236]                                                                                                                             000007fef7a25e5c
Thread   C:\Windows\System32\spoolsv.exe [1280:3248]                                                                                                                             000007fef3074828
Thread   C:\Windows\system32\svchost.exe [1308:2136]                                                                                                                             000007fefb4b2888
Thread   C:\Windows\system32\svchost.exe [1308:2140]                                                                                                                             000007fefb652940
Thread   C:\Windows\system32\svchost.exe [1308:3184]                                                                                                                             000007fefb4b2a40
Thread   C:\Windows\system32\svchost.exe [1408:2320]                                                                                                                             000007fef7b18470
Thread   C:\Windows\system32\svchost.exe [1408:2324]                                                                                                                             000007fef7b22418
Thread   C:\Windows\system32\svchost.exe [1408:2616]                                                                                                                             000007fef427f130
Thread   C:\Windows\system32\svchost.exe [1408:1648]                                                                                                                             000007fef4274734
Thread   C:\Windows\system32\svchost.exe [1408:3708]                                                                                                                             000007fef4274734
Thread   C:\Windows\system32\taskhost.exe [1468:1496]                                                                                                                            000007fef9652740
Thread   C:\Windows\system32\taskhost.exe [1468:1504]                                                                                                                            000007fef9641f38
Thread   C:\Windows\system32\taskhost.exe [1468:1984]                                                                                                                            000007fef8711010
Thread   C:\Windows\System32\svchost.exe [2576:3212]                                                                                                                             000007fef8ed9874
Thread   C:\Windows\System32\svchost.exe [1548:1616]                                                                                                                             000007fef2c89688

---- Processes - GMER 2.1 ----

Process  C:\Users\Edzia\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe (*** suspicious ***) @ C:\Users\Edzia\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe [4072](2014-01-28 17:36:04)  0000000000400000

---- EOF - GMER 2.1 ----
