GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-02 19:42:12
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD1600BEVT-22A23T0 rev.01.01A01 149,05GB
Running: zc744u3i.exe; Driver: C:\Users\Arcadius\AppData\Local\Temp\kwdorpob.sys

---- System - GMER 2.1 ----

SSDT 84923164 ZwCreateKey
SSDT 8492423C ZwCreateMutant
SSDT 8492114C ZwCreateProcess
SSDT 84921114 ZwCreateProcessEx
SSDT 84924204 ZwCreateSymbolicLinkObject
SSDT 849242E4 ZwCreateThread
SSDT 849242AC ZwCreateThreadEx
SSDT 848E7E7C ZwCreateUserProcess
SSDT 849240B4 ZwDebugActiveProcess
SSDT 849230F4 ZwDeleteKey
SSDT 84924414 ZwDeleteValueKey
SSDT 849241CC ZwDuplicateObject
SSDT 8492415C ZwGetContextThread
SSDT 84924274 ZwLoadDriver
SSDT 848E7E44 ZwOpenProcess
SSDT 84924354 ZwOpenSection
SSDT 848E7B64 ZwOpenThread
SSDT 849230BC ZwRenameKey
SSDT 8492400C ZwRestoreKey
SSDT 849240EC ZwResumeThread
SSDT 84924124 ZwSetContextThread
SSDT 84924194 ZwSetSystemInformation
SSDT 8492312C ZwSetValueKey
SSDT 8492407C ZwSystemDebugControl
SSDT 848E7B2C ZwTerminateProcess
SSDT 8492319C ZwTerminateThread
SSDT 8492431C ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 81A4CA15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81A86212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 81A8D554 4 Bytes [64, 31, 92, 84]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 81A8D564 4 Bytes [3C, 42, 92, 84]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11E3 81A8D578 8 Bytes [4C, 11, 92, 84, 14, 11, 92, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11FF 81A8D594 12 Bytes [04, 42, 92, 84, E4, 42, 92, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 121B 81A8D5B0 4 Bytes [7C, 7E, 8E, 84]
.text ...

---- Devices - GMER 2.1 ----

Device \Driver\kbdclass \Device\KeyboardClass0 84A77120
Device \Driver\kbdclass \Device\KeyboardClass1 84A77120
AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys
AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1628906824-3486063055-4012672184-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo 530092795
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1628906824-3486063055-4012672184-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30351410
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1628906824-3486063055-4012672184-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo 531340797
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1628906824-3486063055-4012672184-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30351410

---- EOF - GMER 2.1 ----