GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-26 22:22:16
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB
Running: dhtzq35u.exe; Driver: C:\Users\Duda\AppData\Local\Temp\aftciaog.sys

---- System - GMER 2.2 ----

SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwAllocateVirtualMemory [0x8CC0609C]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwAlpcConnectPort [0x8CC09544]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwAlpcSendWaitReceivePort [0x8CC0907A]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwAssignProcessToJobObject [0x8CC06C66]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwClose [0x8CC09B6A]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwConnectPort [0x8CC083F6]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateFile [0x8CC0793A]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateKey [0x8CC08AEE]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateProcess [0x8CC06EBC]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateProcessEx [0x8CC06F72]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateSection [0x8CC0725C]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateThread [0x8CC05A0C]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateThreadEx [0x8CC09D86]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwDeviceIoControlFile [0x8CC08C5E]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwDuplicateObject [0x8CC0D0F8]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwFsControlFile [0x8CC08F16]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwLoadDriver [0x8CC06572]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwMakeTemporaryObject [0x8CC09912]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwOpenFile [0x8CC0772C]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwOpenProcess [0x8CC0CB50]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwOpenSection [0x8CC0702C]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwOpenThread [0x8CC0CE00]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwProtectVirtualMemory [0x8CC05F20]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwQueueApcThread [0x8CC06D8E]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwReplaceKey [0x8CC09760]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwRequestPort [0x8CC08564]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwRequestWaitReplyPort [0x8CC07EF8]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwRestoreKey [0x8CC097EA]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSecureConnectPort [0x8CC0897E]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSetContextThread [0x8CC05B7C]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSetSecurityObject [0x8CC096BA]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSetSystemInformation [0x8CC0676C]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwShutdownSystem [0x8CC0987C]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSuspendProcess [0x8CC05DF8]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSuspendThread [0x8CC05CD2]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSystemDebugControl [0x8CC06B98]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwTerminateProcess [0x8CC0CA48]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwTerminateThread [0x8CC0D2EA]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwUnloadDriver [0x8CC099A8]
SSDT  \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwWriteVirtualMemory [0x8CC05890]

---- Kernel code sections - GMER 2.2 ----

.text  ntkrnlpa.exe!ZwRenameKey + 1579  83286F15 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  832C1232 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 10F3  832C8648 4 Bytes  [9C, 60, C0, 8C]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 10FF  832C8654 4 Bytes  [44, 95, C0, 8C]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1143  832C8698 4 Bytes  [7A, 90, C0, 8C]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1153  832C86A8 4 Bytes  [66, 6C, C0, 8C]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 116F  832C86C4 4 Bytes  [6A, 9B, C0, 8C]
.text  ...

---- User IAT/EAT - GMER 2.2 ----

IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [73CC560C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [73CC56CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [73CE24BF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [73CE253A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [73CD859B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [73CD4D4F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [73CD50F6] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [73CD51CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [73CD66F8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [73CD82F2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [73CD8841] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [73CD90A2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [73CDE245] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[668] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [73CD4C81] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23508_none_5c028c09a01213b0\gdiplus.dll

---- Registry - GMER 2.2 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@1772BDC6  1099

---- EOF - GMER 2.2 ----