GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-06 11:03:27 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3160812AS rev.3.AAD 149,05GB Running: xbuc0ytp.exe; Driver: C:\Users\ADMIN\AppData\Local\Temp\uwddakob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x8E6686F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x8E668820] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x8E668010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x8E6684E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x8E668300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x8E6683F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x8E668120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x8E668210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x8E6685F0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 1499 82C889F5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CC2992 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1357 82CC9E3C 8 Bytes [F0, 86, 66, 8E, 20, 88, 66, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82CC9E84 4 Bytes [10, 80, 66, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 13BF 82CC9EA4 4 Bytes JMP E9517F2B .text ntkrnlpa.exe!KeRemoveQueueEx + 165F 82CCA144 8 Bytes [00, 83, 66, 8E, F0, 83, 66, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 166F 82CCA154 8 Bytes [20, 81, 66, 8E, 10, 82, 66, ...] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\svchost.exe[2196] ntdll.dll!NtMapViewOfSection 76E15C18 5 Bytes JMP 70BC19C0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\svchost.exe[2196] ntdll.dll!NtWriteVirtualMemory 76E16A88 5 Bytes JMP 70BC15E0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\svchost.exe[2196] kernel32.dll!CreateProcessInternalW 744F08A2 5 Bytes JMP 70BC1750 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\ctfmon.exe[3128] ntdll.dll!NtMapViewOfSection 76E15C18 5 Bytes JMP 70BC19C0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\ctfmon.exe[3128] ntdll.dll!NtWriteVirtualMemory 76E16A88 5 Bytes JMP 70BC15E0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\ctfmon.exe[3128] kernel32.dll!CreateProcessInternalW 744F08A2 5 Bytes JMP 70BC1750 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\WUDFHost.exe[3188] ntdll.dll!NtMapViewOfSection 76E15C18 5 Bytes JMP 70BC19C0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\WUDFHost.exe[3188] ntdll.dll!NtWriteVirtualMemory 76E16A88 5 Bytes JMP 70BC15E0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\WUDFHost.exe[3188] kernel32.dll!CreateProcessInternalW 744F08A2 5 Bytes JMP 70BC1750 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgnsx.exe[3324] ntdll.dll!NtMapViewOfSection 76E15C18 5 Bytes JMP 70BC19C0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgnsx.exe[3324] ntdll.dll!NtWriteVirtualMemory 76E16A88 5 Bytes JMP 70BC15E0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgnsx.exe[3324] kernel32.dll!CreateProcessInternalW 744F08A2 5 Bytes JMP 70BC1750 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgemcx.exe[3340] ntdll.dll!NtMapViewOfSection 76E15C18 5 Bytes JMP 70BC19C0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgemcx.exe[3340] ntdll.dll!NtWriteVirtualMemory 76E16A88 5 Bytes JMP 70BC15E0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgemcx.exe[3340] kernel32.dll!CreateProcessInternalW 744F08A2 5 Bytes JMP 70BC1750 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[3760] ntdll.dll!NtMapViewOfSection 76E15C18 5 Bytes JMP 70BC19C0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[3760] ntdll.dll!NtWriteVirtualMemory 76E16A88 5 Bytes JMP 70BC15E0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[3760] kernel32.dll!CreateProcessInternalW 744F08A2 5 Bytes JMP 70BC1750 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Google\Update\1.3.27.5\GoogleCrashHandler.exe[3936] ntdll.dll!NtMapViewOfSection 76E15C18 5 Bytes JMP 70BC19C0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Google\Update\1.3.27.5\GoogleCrashHandler.exe[3936] ntdll.dll!NtWriteVirtualMemory 76E16A88 5 Bytes JMP 70BC15E0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Google\Update\1.3.27.5\GoogleCrashHandler.exe[3936] kernel32.dll!CreateProcessInternalW 744F08A2 5 Bytes JMP 70BC1750 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4036] ntdll.dll!NtMapViewOfSection 76E15C18 5 Bytes JMP 70BC19C0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4036] ntdll.dll!NtWriteVirtualMemory 76E16A88 5 Bytes JMP 70BC15E0 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4036] kernel32.dll!CreateProcessInternalW 744F08A2 5 Bytes JMP 70BC1750 C:\Program Files\AVG\AVG2015\avghookx.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys ---- EOF - GMER 2.1 ----