GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-19 15:49:51 Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-60ZCT0 rev.12.01A12 298,09GB Running: 2nlmm250.exe; Driver: C:\Users\BRODA\AppData\Local\Temp\kwdoqpob.sys ---- System - GMER 2.1 ---- SSDT 972B8738 ZwAlpcConnectPort SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0xC623C6E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0xC623C800] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0xC623C010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0xC623C4D0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0xC623C300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0xC623C3E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0xC623C120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0xC623C210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0xC623C5E0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetTimerEx + 370 81AD79C4 4 Bytes [38, 87, 2B, 97] .text ntkrnlpa.exe!KeSetTimerEx + 5F0 81AD7C44 8 Bytes [E0, C6, 23, C6, 00, C8, 23, ...] {LOOPNZ 0xffffffc8; AND EAX, ESI; ADD AL, CL; AND EAX, ESI} .text ntkrnlpa.exe!KeSetTimerEx + 624 81AD7C78 4 Bytes [10, C0, 23, C6] {ADC AL, AL; AND EAX, ESI} .text ntkrnlpa.exe!KeSetTimerEx + 640 81AD7C94 4 Bytes [D0, C4, 23, C6] {ROL AH, 0x1; AND EAX, ESI} .text ntkrnlpa.exe!KeSetTimerEx + 844 81AD7E98 8 Bytes [00, C3, 23, C6, E0, C3, 23, ...] {ADD BL, AL; AND EAX, ESI; LOOPNZ 0xffffffc9; AND EAX, ESI} .text ... .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8DC0A340, 0x3D7A87, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVG\AVG2015\Notification\Launcher.exe[1576] ntdll.dll!NtWriteVirtualMemory 773492A8 5 Bytes JMP 6CC11000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] ntdll.dll!LdrLoadDll 77317933 5 Bytes JMP 73F11F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] ntdll.dll!NtCreateFile 77348008 5 Bytes JMP 623F9870 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] ntdll.dll!NtFlushBuffersFile 77348508 5 Bytes JMP 620ED335 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] ntdll.dll!NtQueryFullAttributesFile 77348A38 5 Bytes JMP 620ED5B0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] ntdll.dll!NtReadFile 77348C68 5 Bytes JMP 620ED390 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] ntdll.dll!NtReadFileScatter 77348C78 5 Bytes JMP 62D58330 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] ntdll.dll!NtWriteFile 77349278 5 Bytes JMP 623FA7F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] ntdll.dll!NtWriteFileGather 77349288 5 Bytes JMP 62D582DF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] ntdll.dll!NtWriteVirtualMemory 773492A8 5 Bytes JMP 6CC11000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] kernel32.dll!HeapSetInformation + 26 76D16E28 7 Bytes JMP 623F6164 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] kernel32.dll!LockResource + C 76D37F2B 7 Bytes JMP 62C99960 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] kernel32.dll!VirtualAllocEx + 54 76D3B86A 7 Bytes JMP 62C99983 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] USER32.dll!GetWindowInfo 76C60560 5 Bytes JMP 62B9B65E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1700] GDI32.dll!StretchDIBits + 179 775075BB 7 Bytes JMP 62C998E1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\MSN Messenger\msnmsgr.exe[2260] kernel32.dll!SetUnhandledExceptionFilter 76D16E2D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe .text C:\Program Files\AVG\AVG2015\avgcfgex.exe[3012] ntdll.dll!NtWriteVirtualMemory 773492A8 5 Bytes JMP 6CC11000 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Users\BRODA\Downloads\2nlmm250.exe[6564] ntdll.dll!NtWriteVirtualMemory 773492A8 5 Bytes JMP 6CC11000 C:\Program Files\AVG\AVG2015\avghookx.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys Device \Driver\BTHUSB \Device\000000ac bthport.sys Device \Driver\BTHUSB \Device\000000ae bthport.sys ---- Processes - GMER 2.1 ---- Process (*** hidden *** ) [4] 84943A90 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186c0c240 Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186c0c240 (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----