GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-15 20:22:06
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS723216L9A360 rev.FC2OC60A 149,05GB
Running: yw9zhm8i.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys

---- System - GMER 2.2 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x92A5C6F0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x92A5C820]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x92A5C010]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x92A5C4E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x92A5C300]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x92A5C3F0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x92A5C120]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x92A5C210]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x92A5C5F0]

---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!ZwRenameKey + 1579 8344BF15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83486232 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1357 8348D8AC 8 Bytes [F0, C6, A5, 92, 20, C8, A5, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 8348D8F4 4 Bytes [10, C0, A5, 92] {ADC AL, AL; MOVSD ; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 13BF 8348D914 4 Bytes [E0, C4, A5, 92] {LOOPNZ 0xffffffc6; MOVSD ; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 165F 8348DBB4 8 Bytes [00, C3, A5, 92, F0, C3, A5, ...] {ADD BL, AL; MOVSD ; XCHG EDX, EAX; RET ; MOVSD ; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 166F 8348DBC4 8 Bytes [20, C1, A5, 92, 10, C2, A5, ...] {AND CL, AL; MOVSD ; XCHG EDX, EAX; ADC DL, AL; MOVSD ; XCHG EDX, EAX}
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x93C13000, 0x2BFBF0, 0xE8000020]

---- User code sections - GMER 2.2 ----

.text C:\Windows\system32\sppsvc.exe[2820] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\sppsvc.exe[2820] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\sppsvc.exe[2820] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\sppsvc.exe[2820] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\sppsvc.exe[2820] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\sppsvc.exe[2820] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\sppsvc.exe[2820] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\sppsvc.exe[2820] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\sppsvc.exe[2820] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\sppsvc.exe[2820] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\sppsvc.exe[2820] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\PnkBstrA.exe[3632] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\PnkBstrA.exe[3632] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\PnkBstrA.exe[3632] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\PnkBstrA.exe[3632] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\PnkBstrA.exe[3632] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\PnkBstrA.exe[3632] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\PnkBstrA.exe[3632] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\PnkBstrA.exe[3632] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\PnkBstrA.exe[3632] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\PnkBstrA.exe[3632] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\PnkBstrA.exe[3632] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Skype\Updater\Updater.exe[3676] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Skype\Updater\Updater.exe[3676] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Skype\Updater\Updater.exe[3676] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Skype\Updater\Updater.exe[3676] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Skype\Updater\Updater.exe[3676] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Skype\Updater\Updater.exe[3676] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Skype\Updater\Updater.exe[3676] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Skype\Updater\Updater.exe[3676] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Skype\Updater\Updater.exe[3676] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Skype\Updater\Updater.exe[3676] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Skype\Updater\Updater.exe[3676] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchIndexer.exe[3736] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchIndexer.exe[3736] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchIndexer.exe[3736] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchIndexer.exe[3736] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchIndexer.exe[3736] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchIndexer.exe[3736] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchIndexer.exe[3736] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchIndexer.exe[3736] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchIndexer.exe[3736] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchIndexer.exe[3736] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchIndexer.exe[3736] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgnsx.exe[3796] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgnsx.exe[3796] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgnsx.exe[3796] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgnsx.exe[3796] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgnsx.exe[3796] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgnsx.exe[3796] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgnsx.exe[3796] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgnsx.exe[3796] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgnsx.exe[3796] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgnsx.exe[3796] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgnsx.exe[3796] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\GWX\GWX.exe[3812] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\GWX\GWX.exe[3812] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\GWX\GWX.exe[3812] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\GWX\GWX.exe[3812] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\GWX\GWX.exe[3812] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\GWX\GWX.exe[3812] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\GWX\GWX.exe[3812] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\GWX\GWX.exe[3812] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\GWX\GWX.exe[3812] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\GWX\GWX.exe[3812] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\GWX\GWX.exe[3812] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgemcx.exe[3820] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgemcx.exe[3820] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgemcx.exe[3820] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgemcx.exe[3820] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgemcx.exe[3820] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgemcx.exe[3820] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgemcx.exe[3820] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgemcx.exe[3820] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgemcx.exe[3820] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgemcx.exe[3820] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\AVG\Av\avgemcx.exe[3820] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[3932] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[3932] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[3932] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[3932] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[3932] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[3932] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[3932] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[3932] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[3932] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[3932] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[3932] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Common Files\Steam\SteamService.exe[4148] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Common Files\Steam\SteamService.exe[4148] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Common Files\Steam\SteamService.exe[4148] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Common Files\Steam\SteamService.exe[4148] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Common Files\Steam\SteamService.exe[4148] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Common Files\Steam\SteamService.exe[4148] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Common Files\Steam\SteamService.exe[4148] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Common Files\Steam\SteamService.exe[4148] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Common Files\Steam\SteamService.exe[4148] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Common Files\Steam\SteamService.exe[4148] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Program Files\Common Files\Steam\SteamService.exe[4148] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[4224] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[4224] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[4224] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[4224] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[4224] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[4224] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[4224] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[4224] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[4224] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[4224] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\svchost.exe[4224] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchProtocolHost.exe[4824] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchProtocolHost.exe[4824] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchProtocolHost.exe[4824] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchProtocolHost.exe[4824] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchProtocolHost.exe[4824] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchProtocolHost.exe[4824] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchProtocolHost.exe[4824] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchProtocolHost.exe[4824] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchProtocolHost.exe[4824] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchProtocolHost.exe[4824] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchProtocolHost.exe[4824] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchFilterHost.exe[4852] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchFilterHost.exe[4852] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchFilterHost.exe[4852] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchFilterHost.exe[4852] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchFilterHost.exe[4852] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchFilterHost.exe[4852] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchFilterHost.exe[4852] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchFilterHost.exe[4852] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchFilterHost.exe[4852] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchFilterHost.exe[4852] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\SearchFilterHost.exe[4852] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Users\User\Downloads\yw9zhm8i.exe[5124] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Users\User\Downloads\yw9zhm8i.exe[5124] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Users\User\Downloads\yw9zhm8i.exe[5124] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Users\User\Downloads\yw9zhm8i.exe[5124] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Users\User\Downloads\yw9zhm8i.exe[5124] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Users\User\Downloads\yw9zhm8i.exe[5124] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Users\User\Downloads\yw9zhm8i.exe[5124] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Users\User\Downloads\yw9zhm8i.exe[5124] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Users\User\Downloads\yw9zhm8i.exe[5124] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Users\User\Downloads\yw9zhm8i.exe[5124] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Users\User\Downloads\yw9zhm8i.exe[5124] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\taskeng.exe[5436] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\taskeng.exe[5436] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\taskeng.exe[5436] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\taskeng.exe[5436] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\taskeng.exe[5436] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\taskeng.exe[5436] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\taskeng.exe[5436] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\taskeng.exe[5436] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\taskeng.exe[5436] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\taskeng.exe[5436] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\system32\taskeng.exe[5436] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\System32\svchost.exe[5600] ntdll.dll!NtCreateEvent 76ED5110 5 Bytes JMP 5AF62860 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\System32\svchost.exe[5600] ntdll.dll!NtCreateMutant 76ED51B0 5 Bytes JMP 5AF628A0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\System32\svchost.exe[5600] ntdll.dll!NtCreateSemaphore 76ED5260 5 Bytes JMP 5AF628E0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\System32\svchost.exe[5600] ntdll.dll!NtCreateUserProcess 76ED52E0 5 Bytes JMP 5AF62920 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\System32\svchost.exe[5600] ntdll.dll!NtMapViewOfSection 76ED5790 5 Bytes JMP 5AF625C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\System32\svchost.exe[5600] ntdll.dll!NtOpenEvent 76ED5820 5 Bytes JMP 5AF62880 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\System32\svchost.exe[5600] ntdll.dll!NtOpenMutant 76ED58C0 5 Bytes JMP 5AF628C0 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\System32\svchost.exe[5600] ntdll.dll!NtOpenSemaphore 76ED5940 5 Bytes JMP 5AF62900 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\System32\svchost.exe[5600] ntdll.dll!NtResumeThread 76ED6010 5 Bytes JMP 5AF62780 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\System32\svchost.exe[5600] ntdll.dll!NtWriteVirtualMemory 76ED6600 5 Bytes JMP 5AF62420 C:\Program Files\AVG\Av\avghookx.dll
.text C:\Windows\System32\svchost.exe[5600] ntdll.dll!RtlDecompressBuffer 76F456BD 5 Bytes JMP 5AF629B0 C:\Program Files\AVG\Av\avghookx.dll

---- Devices - GMER 2.2 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters@ReadyBootPlanAge 1
Reg HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters@LastBootPlanUserTime ?Pt?, ?kwi ?15 ?16, 06:30:57???????????????????????????????????
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 14541
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@6C775D6A 1086

---- EOF - GMER 2.2 ----