GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-09 14:34:11 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 TOSHIBA_MK2555GSXF rev.FH405B 232,89GB Running: cl6hp2cj.exe; Driver: C:\Temp\aftcaaob.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8DAE8570] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8DAE85D0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8DAE85B0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8DAE8590] ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRenameKey + 1549 82E8BEC5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EC6272 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82ECD7A8 4 Bytes [70, 85, AE, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 1313 82ECD8B8 4 Bytes [D0, 85, AE, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 161F 82ECDBC4 4 Bytes [B0, 85, AE, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 1667 82ECDC0C 4 Bytes [90, 85, AE, 8D] ---- User code sections - GMER 2.2 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[656] kernel32.dll!SetUnhandledExceptionFilter 7579F6AB 4 Bytes [C2, 04, 00, 00] ---- Threads - GMER 2.2 ---- Thread System [4:256] 860F0560 ---- Registry - GMER 2.2 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@3CF3551B 1606 ---- EOF - GMER 2.2 ----