GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-08 11:25:55
Windows 6.1.7601 Service Pack 1
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3250620A rev.3.AAE 232,89GB
Running: gmer.exe; Driver: C:\Users\AwwMiu\AppData\Local\Temp\afrdypob.sys

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83090A15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830CA212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.xreloc C:\Windows\system32\drivers\ps6alz4b.sys unknown last section [0x88C87000, 0x99C, 0x40000040]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7473249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74715652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74715710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7473251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7472857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74724D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [747250D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [747251AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [747266DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [747282D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74728824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74729085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7472E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74724C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys

---- Threads - GMER 2.1 ----

Thread System [4:3752] 9E76DF2E

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration 712
Reg HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\Driver Detective
Reg HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\Driver Detective@EventMessageFile C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Kernel_0_0_cab_06690e90

---- EOF - GMER 2.1 ----