GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-04 13:16:12 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 Hitachi_HTS541616J9SA00 rev.SB4OC7KP 149,05GB Running: r24k1gwh.exe; Driver: C:\Users\adam\AppData\Local\Temp\kwtdrpoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x9CE015D0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x9CE01700] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x9CE01010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x9CE01300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x9CE013E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x9CE01120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x9CE01210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x9CE014D0] INT 0x61 ? 9CA2C050 INT 0x71 ? 9CA2C2D0 INT 0x72 ? 9CA2CCD0 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 3BD 820BCB00 8 Bytes [D0, 15, E0, 9C, 00, 17, E0, ...] {RCL BYTE [0x17009ce0], 0x1; LOOPNZ 0xffffffa4} .text ntkrnlpa.exe!KeSetEvent + 3F1 820BCB34 4 Bytes [10, 10, E0, 9C] {ADC [EAX], DL; LOOPNZ 0xffffffa0} .text ntkrnlpa.exe!KeSetEvent + 611 820BCD54 8 Bytes [00, 13, E0, 9C, E0, 13, E0, ...] {ADD [EBX], DL; LOOPNZ 0xffffffa0; LOOPNZ 0x19; LOOPNZ 0xffffffa4} .text ntkrnlpa.exe!KeSetEvent + 621 820BCD64 1 Byte [20] .text ntkrnlpa.exe!KeSetEvent + 621 820BCD64 8 Bytes [20, 11, E0, 9C, 10, 12, E0, ...] {AND [ECX], DL; LOOPNZ 0xffffffa0; ADC [EDX], DL; LOOPNZ 0xffffffa4} .text ... ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1075308277-88749887-537698101-1000@RefCount 3 ---- EOF - GMER 2.1 ----