GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-21 13:48:24
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HTS542525K9SA00 rev.BBFOC33P 232,89GB
Running: qvmtyo96.exe; Driver: C:\Users\Tosia\AppData\Local\Temp\fwddykob.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x8DC466E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x8DC46800]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x8DC46010]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x8DC464D0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x8DC46300]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x8DC463E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x8DC46120]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x8DC46210]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x8DC465E0]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82A75A15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AAF212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1357 82AB66EC 8 Bytes [E0, 66, C4, 8D, 00, 68, C4, ...] {LOOPNZ 0x68; LES ECX, [EBP-0x723b9800]}
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82AB6734 2 Bytes [10, 60]
.text ntkrnlpa.exe!KeRemoveQueueEx + 13A2 82AB6737 1 Byte [8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 13BF 82AB6754 4 Bytes [D0, 64, C4, 8D] {SHL BYTE [ESP+EAX*8-0x73], 0x1}
.text ntkrnlpa.exe!KeRemoveQueueEx + 165F 82AB69F4 8 Bytes [00, 63, C4, 8D, E0, 63, C4, ...]
.text ...

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7334249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73325652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73325710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7334251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7333857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73334D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [733350D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [733351AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [733366DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [733382D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73338824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73339085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7333E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73334C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@598277EA 255

---- EOF - GMER 2.1 ----