GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-07-25 08:52:26 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543225L9A300 rev.FBEOC40C 232,89GB Running: 6m7bhl2v.exe; Driver: C:\Users\DZIEDZ~1\AppData\Local\Temp\pxtyrkob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x8EE585D0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x8EE58700] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x8EE58010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x8EE58300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x8EE583E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x8EE58120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x8EE58210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x8EE584D0] INT 0xA0 ? 95389CD0 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 3BD 826F2A08 8 Bytes [D0, 85, E5, 8E, 00, 87, E5, ...] {ROL BYTE [EBP-0x78ff711b], 0x1; IN EAX, 0x8e} .text ntkrnlpa.exe!KeSetEvent + 3F1 826F2A3C 4 Bytes [10, 80, E5, 8E] .text ntkrnlpa.exe!KeSetEvent + 611 826F2C5C 8 Bytes [00, 83, E5, 8E, E0, 83, E5, ...] {ADD [EBX-0x7c1f711b], AL; IN EAX, 0x8e} .text ntkrnlpa.exe!KeSetEvent + 621 826F2C6C 8 Bytes [20, 81, E5, 8E, 10, 82, E5, ...] {AND [ECX-0x7def711b], AL; IN EAX, 0x8e} .text ntkrnlpa.exe!KeSetEvent + 681 826F2CCC 4 Bytes [D0, 84, E5, 8E] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Google\Chrome\Application\chrome.exe[3016] ntdll.dll!NtMapViewOfSection + 6 777649BA 4 Bytes [18, 10, 36, 6C] {SBB [EAX], DL; INS BYTE [ES:EDI], DX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3016] ntdll.dll!NtMapViewOfSection + B 777649BF 1 Byte [E2] .text C:\Windows\Explorer.EXE[3800] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5 75ADB37C 4 Bytes [00, 26, 00, 10] {ADD [ESI], AH; ADD [EAX], DL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtCreateFile + 6 7776426A 4 Bytes [28, 2C, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtCreateFile + B 7776426F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtMapViewOfSection + 6 777649BA 4 Bytes [28, 2F, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtMapViewOfSection + B 777649BF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenFile + 6 77764A4A 4 Bytes [68, 2C, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenFile + B 77764A4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenProcess + 6 77764ACA 4 Bytes [A8, 2D, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenProcess + B 77764ACF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenProcessToken + B 77764ADF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenProcessTokenEx + 6 77764AEA 4 Bytes [A8, 2E, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenProcessTokenEx + B 77764AEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenThread + 6 77764B3A 4 Bytes [68, 2D, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenThread + B 77764B3F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenThreadToken + 6 77764B4A 4 Bytes [68, 2E, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenThreadToken + B 77764B4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtOpenThreadTokenEx + B 77764B5F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtQueryAttributesFile + 6 77764BEA 4 Bytes [A8, 2C, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtQueryAttributesFile + B 77764BEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtQueryFullAttributesFile + B 77764C9F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtSetInformationFile + 6 7776517A 4 Bytes [28, 2D, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtSetInformationFile + B 7776517F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtSetInformationThread + 6 777651CA 4 Bytes [28, 2E, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtSetInformationThread + B 777651CF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtUnmapViewOfSection + 6 7776546A 4 Bytes [68, 2F, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4140] ntdll.dll!NtUnmapViewOfSection + B 7776546F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtCreateFile + 6 7776426A 4 Bytes [28, 8C, AA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtCreateFile + B 7776426F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtMapViewOfSection + 6 777649BA 4 Bytes [28, 8F, AA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtMapViewOfSection + B 777649BF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenFile + 6 77764A4A 4 Bytes [68, 8C, AA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenFile + B 77764A4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenProcess + 6 77764ACA 4 Bytes [A8, 8D, AA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenProcess + B 77764ACF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenProcessToken + B 77764ADF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenProcessTokenEx + 6 77764AEA 4 Bytes [A8, 8E, AA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenProcessTokenEx + B 77764AEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenThread + 6 77764B3A 4 Bytes [68, 8D, AA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenThread + B 77764B3F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenThreadToken + 6 77764B4A 4 Bytes [68, 8E, AA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenThreadToken + B 77764B4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtOpenThreadTokenEx + B 77764B5F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtQueryAttributesFile + 6 77764BEA 4 Bytes [A8, 8C, AA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtQueryAttributesFile + B 77764BEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtQueryFullAttributesFile + B 77764C9F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtSetInformationFile + 6 7776517A 4 Bytes [28, 8D, AA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtSetInformationFile + B 7776517F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtSetInformationThread + 6 777651CA 4 Bytes [28, 8E, AA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtSetInformationThread + B 777651CF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtUnmapViewOfSection + 6 7776546A 4 Bytes [68, 8F, AA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4300] ntdll.dll!NtUnmapViewOfSection + B 7776546F 1 Byte [E2] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73AB7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73AFB4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73ABBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73AAF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73AB75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73AAE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73AE73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73ABDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73AAFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73AAFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73AA71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73B3CB12] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73ADC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73AAD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73AA6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73AA687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73AB2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----