GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-20 16:58:11
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000059 ST500DM0 rev.KC45 465,76GB
Running: 143tsp9l.exe; Driver: C:\Users\pawel\AppData\Local\Temp\awddrkog.sys

---- System - GMER 2.2 ----

SSDT 8EEA8C56 ZwCreateSection
SSDT 8EEA8C2E ZwCreateSymbolicLinkObject
SSDT 8EEA8C33 ZwLoadDriver
SSDT 8EEA8C29 ZwOpenSection
SSDT 8EEA8C60 ZwRequestWaitReplyPort
SSDT 8EEA8C5B ZwSetContextThread
SSDT 8EEA8C65 ZwSetSecurityObject
SSDT 8EEA8C38 ZwSetSystemInformation
SSDT 8EEA8C6A ZwSystemDebugControl
SSDT 8EEA8BF7 ZwTerminateProcess
SSDT 8EEA8BF2 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!ZwReplaceKey + 1525 82C86B55 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CC0BF2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 82CC80CC 4 Bytes [56, 8C, EA, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11FF 82CC80D4 4 Bytes [2E, 8C, EA, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1313 82CC81E8 4 Bytes [33, 8C, EA, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 13AF 82CC8284 4 Bytes [29, 8C, EA, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1553 82CC8428 4 Bytes [60, 8C, EA, 8E]
.text ...

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [KERNEL32.dll!GetProcAddress] [7505FFF6] C:\Windows\system32\apphelp.dll

---- Devices - GMER 2.2 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- Registry - GMER 2.2 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{E7BBF11A-37E7-11E3-86BA-806E6F6E6963} 14159079944

---- EOF - GMER 2.2 ----