GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-15 18:07:52
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000063 INTEL_SS rev.4PC1 111,79GB
Running: 9lcp2pcr.exe; Driver: C:\Users\Artur\AppData\Local\Temp\pwldqpoc.sys


---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwNotifyChangeKey [0x8ECC06E0]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwNotifyChangeMultipleKeys [0x8ECC0800]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwOpenProcess [0x8ECC0010]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwOpenThread [0x8ECC04D0]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwSuspendProcess [0x8ECC0300]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwSuspendThread [0x8ECC03E0]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwTerminateProcess [0x8ECC0120]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwTerminateThread [0x8ECC0210]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwWriteVirtualMemory [0x8ECC05E0]

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 142D  82E7CA15 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  82EB6212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1357  82EBD6EC 8 Bytes  [E0, 06, CC, 8E, 00, 08, CC, ...]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 139F  82EBD734 4 Bytes  [10, 00, CC, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 13BF  82EBD754 4 Bytes  [D0, 04, CC, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 165F  82EBD9F4 8 Bytes  [00, 03, CC, 8E, E0, 03, CC, ...]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 166F  82EBDA04 8 Bytes  [20, 01, CC, 8E, 10, 02, CC, ...]
.text  ...

---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  SiWinAcc.sys
AttachedDevice  \Driver\tdx \Device\Tcp  avgtdix.sys
AttachedDevice  \Driver\tdx \Device\Udp  avgtdix.sys
AttachedDevice  \Driver\tdx \Device\RawIp  avgtdix.sys

---- EOF - GMER 2.1 ----