Gmer 1.0.13 released
SystemJunkie
June 30th, 2007, 09:15 AM
Gmer 1.0.13 released.
Some results:
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F73EE1DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F73EE1DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F73EE454] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F73EE1DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F73E1F4C] fltMgr.sys
Rasheed187
July 1st, 2007, 10:08 AM
What do these results mean? :wacko:
TOMxEU
July 1st, 2007, 02:22 PM
If you want to analyze logs, you might want to try e.g. the Rootkit Revealer forum.
I just wish that GMER will be Vista compatible soon; well, still waiting for it.
gmer
July 2nd, 2007, 07:38 AM
Hello
-{ Quote: "What do these results mean? :wacko:" }-
It means that fltMgr.sys traces the \FileSystem\Fastfat device.
fltMgr.sys is "Microsoft Filesystem Filter Manager", so it should be whitelisted.
It's an old technique, used e.g. in sysbus32.sys:
-{ Quote: "---- System - GMER 1.0.13 ----
SSDT FFB66820 ZwEnumerateKey
---- Devices - GMER 1.0.13 ----
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE FFB67D28
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL FFB67B80
---- Modules - GMER 1.0.13 ----
Module \SystemRoot\System32\DRIVERS\sysbus32.sys (*** hidden *** ) FC9A8000-FC9AC000 (16384 bytes) " }-
-{ Quote: "I just wish, that GMER will be Vista compatibile soon, well still waiting for it." }-
Did you try version 1.0.13 on VISTA x86?
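An added example of the triage gmer describes above (this is not code from the thread, from GMER or from gmer.net): parse the AttachedDevice lines of a GMER "Devices" section, group them by device and owning module, whitelist Microsoft's Filter Manager, and flag everything else, in particular handlers that GMER could not attribute to any loaded module, which is how the hidden sysbus32.sys shows up in the quoted log. The sample log is constructed for this example (the first four lines follow the thread's output, the last two are invented), and KNOWN_BENIGN is a starting point to extend per environment, not an authoritative list.

```python
import re
from collections import defaultdict

# Two shapes of GMER "Devices" line appear in the thread:
#   AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F73E1F4C] fltMgr.sys   (module resolved)
#   AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE FFB67D28                (no module printed)
LINE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver_obj>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
    r"(?:\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<bare_addr>[0-9A-Fa-f]+))\s*$"
)

# Filter drivers that legitimately sit on file-system devices. fltMgr.sys is Microsoft's
# Filter Manager, as gmer points out; add your own AV/backup minifilters as needed.
KNOWN_BENIGN = {"fltmgr.sys"}

# Constructed sample: lines 1-4 mirror the thread's output, lines 5-6 are invented.
SAMPLE_LOG = r"""
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F73EE1DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F73E1F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F73EE1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL FFB67B80
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F9A10000] example_unknown.sys
"""


def parse_attached_devices(text):
    """One dict per AttachedDevice line; module is None when GMER printed no owner."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "device": m.group("device"),
            "irp": m.group("irp"),
            "addr": int(m.group("addr") or m.group("bare_addr"), 16),
            "module": m.group("module"),
        })
    return entries


def triage(text, whitelist=KNOWN_BENIGN):
    """Group hooks per (device, module) and split them into benign and suspicious findings."""
    groups = defaultdict(lambda: {"irps": [], "addrs": set()})
    for e in parse_attached_devices(text):
        g = groups[(e["device"], e["module"])]
        g["irps"].append(e["irp"])
        g["addrs"].add(e["addr"])
    benign, suspicious = [], []
    for (device, module), g in groups.items():
        finding = {
            "device": device,
            "module": module,
            "handlers": sorted(f"{a:08X}" for a in g["addrs"]),
            "irp_count": len(g["irps"]),
        }
        if module is None:
            # the handler address belongs to no module GMER could see: hidden driver?
            finding["reason"] = "handler not attributed to any visible module"
            suspicious.append(finding)
        elif module.lower() not in whitelist:
            finding["reason"] = "module not on the known-benign list"
            suspicious.append(finding)
        else:
            benign.append(finding)
    return {"benign": benign, "suspicious": suspicious}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["suspicious"]:
        print(f"SUSPICIOUS {f['device']} module={f['module']} "
              f"handlers={f['handlers']}: {f['reason']}")
    for f in result["benign"]:
        print(f"benign     {f['device']} module={f['module']} ({f['irp_count']} IRP handlers)")
```

Grouping by (device, module) rather than per line matters: one filter attaching to all 28 IRP_MJ_* entries of \Fat is one finding to review, while a single IRP_MJ_CREATE or IRP_MJ_DIRECTORY_CONTROL handler with no owning module is the classic file-hiding footprint.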
TOMxEU
July 2nd, 2007, 01:03 PM
-{ Quote: "Did you try version 1.0.13 on VISTA x86 ?" }-
Yes, I tried all the new versions this year, and I had the same problem all the time.
When I start scanning, Vista freezes in about 1-2 minutes, so I have to reset it.
SystemJunkie
July 7th, 2007, 08:56 AM
-{ Quote: "It means that fltMgr.sys traces \FileSystem\Fastfat device.
fltMgr.sys is "Microsoft Filesystem Filter Manager" so it should be whitelisted .
It's an old technique used in i.e sysbus32.sys
" }-
Hi Gmer, glad to see you back. Here are some interesting results, and I guess your tool is able to detect things that some other guys don't think so:
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-05 07:08:22
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.13 ----
INT 0x00 ? F68A8B60
INT 0x01 ? F68A8B68
INT 0x02 ? F68A8FD0
INT 0x03 ? F68A8B78
INT 0x04 ? F68A8B80
INT 0x05 ? F68A8B88
INT 0x06 ? F68A8B90
INT 0x07 ? F68A8B98
INT 0x09 ? F68A8BA8
INT 0x0A ? F68A8BB0
INT 0x0B ? F68A8BB8
INT 0x0C ? F68A8BC0
INT 0x0D ? F68A8BC8
INT 0x0E ? F68A8BD0
INT 0x10 ? F68A8BE0
INT 0x11 ? F68A8BE8
INT 0x12 ? F68A9950
INT 0x13 ? F68A8BF8
INT 0x20 ? F68A90C0
INT 0x21 ? F68A90C8
INT 0x22 ? F68A90D0
INT 0x23 ? F68A90D8
INT 0x24 ? F68A90E0
INT 0x25 ? F68A90E8
INT 0x26 ? F68A90F0
INT 0x27 ? F68A90F8
INT 0x28 ? F68A9100
INT 0x29 ? F68A9108
INT 0x2A ? F68A9110
INT 0x2B ? F68A9118
INT 0x2C ? F68A9120
INT 0x2D ? F68A9128
INT 0x2E ? F66A8F10
INT 0x2F ? F68A9138
INT 0x30 ? F68A9140
INT 0x31 ? F68A9148
INT 0x32 ? F68A9150
INT 0x33 ? F68A9158
INT 0x34 ? F68A9160
INT 0x35 ? F68A9168
INT 0x36 ? F68A9170
INT 0x37 ? F68A9178
INT 0x38 ? F68A9180
INT 0x39 ? F68A9188
INT 0x3A ? F68A9190
INT 0x3B ? F68A9198
INT 0x3C ? F68A91A0
INT 0x3D ? F68A91A8
INT 0x3E ? F68A91B0
INT 0x3F ? F68A91B8
INT 0x40 ? F68A91C0
INT 0x41 ? F68A91C8
INT 0x42 ? F68A91D0
INT 0x43 ? F68A91D8
INT 0x44 ? F68A91E0
INT 0x45 ? F68A91E8
INT 0x46 ? F68A91F0
INT 0x47 ? F68A91F8
INT 0x48 ? F68A9200
INT 0x49 ? F68A9208
INT 0x4A ? F68A9210
INT 0x4B ? F68A9218
INT 0x4C ? F68A9220
INT 0x4D ? F68A9228
INT 0x4E ? F68A9230
INT 0x4F ? F68A9238
INT 0x50 ? F68A9240
INT 0x51 ? F68A9248
INT 0x52 ? F68A9250
INT 0x53 ? F68A9258
INT 0x54 ? F68A9260
INT 0x55 ? F68A9268
INT 0x56 ? F68A9270
INT 0x57 ? F68A9278
INT 0x58 ? F68A9280
INT 0x59 ? F68A9288
INT 0x5A ? F68A9290
INT 0x5B ? F68A9298
INT 0x5C ? F68A92A0
INT 0x5D ? F68A92A8
INT 0x5E ? F68A92B0
INT 0x5F ? F68A92B8
INT 0x60 ? F68A92C0
INT 0x61 ? F68A92C8
INT 0x62 ? F68A92D0
INT 0x63 ? F68A92D8
INT 0x64 ? F68A92E0
INT 0x65 ? F68A92E8
INT 0x66 ? F68A92F0
INT 0x67 ? F68A92F8
INT 0x68 ? F68A9300
INT 0x69 ? F68A9308
INT 0x6A ? F68A9310
INT 0x6B ? F68A9318
INT 0x6C ? F68A9320
INT 0x6D ? F68A9328
INT 0x6E ? F68A9330
INT 0x6F ? F68A9338
INT 0x70 ? F68A9340
INT 0x71 ? F68A9348
INT 0x72 ? F68A9350
INT 0x73 ? F68A9358
INT 0x74 ? F68A9360
INT 0x75 ? F68A9368
INT 0x76 ? F68A9370
INT 0x77 ? F68A9378
INT 0x78 ? F68A9380
INT 0x79 ? F68A9388
INT 0x7A ? F68A9390
INT 0x7B ? F68A9398
INT 0x7C ? F68A93A0
INT 0x7D ? F68A93A8
INT 0x7E ? F68A93B0
INT 0x7F ? F68A93B8
INT 0x80 ? F68A93C0
INT 0x81 ? F68A93C8
INT 0x82 ? F68A93D0
INT 0x83 ? F68A93D8
INT 0x84 ? F68A93E0
INT 0x85 ? F68A93E8
INT 0x86 ? F68A93F0
INT 0x87 ? F68A93F8
INT 0x88 ? F68A9400
INT 0x89 ? F68A9408
INT 0x8A ? F68A9410
INT 0x8B ? F68A9418
INT 0x8C ? F68A9420
INT 0x8D ? F68A9428
INT 0x8E ? F68A9430
INT 0x8F ? F68A9438
INT 0x90 ? F68A9440
INT 0x91 ? F68A9448
INT 0x92 ? F68A9450
INT 0x93 ? F68A9458
INT 0x94 ? F68A9460
INT 0x95 ? F68A9468
INT 0x96 ? F68A9470
INT 0x97 ? F68A9478
INT 0x98 ? F68A9480
INT 0x99 ? F68A9488
INT 0x9A ? F68A9490
INT 0x9B ? F68A9498
INT 0x9C ? F68A94A0
INT 0x9D ? F68A94A8
INT 0x9E ? F68A94B0
INT 0x9F ? F68A94B8
INT 0xA0 ? F68A94C0
INT 0xA1 ? F68A94C8
INT 0xA2 ? F68A94D0
INT 0xA3 ? F68A94D8
INT 0xA4 ? F68A94E0
INT 0xA5 ? F68A94E8
INT 0xA6 ? F68A94F0
INT 0xA7 ? F68A94F8
INT 0xA8 ? F68A9500
INT 0xA9 ? F68A9508
INT 0xAA ? F68A9510
INT 0xAB ? F68A9518
INT 0xAC ? F68A9520
INT 0xAD ? F68A9528
INT 0xAE ? F68A9530
INT 0xAF ? F68A9538
INT 0xB0 ? F68A9540
INT 0xB1 ? F68A9548
INT 0xB2 ? F68A9550
INT 0xB3 ? F68A9558
INT 0xB4 ? F68A9560
INT 0xB5 ? F68A9568
INT 0xB6 ? F68A9570
INT 0xB7 ? F68A9578
INT 0xB8 ? F68A9580
INT 0xB9 ? F68A9588
INT 0xBA ? F68A9590
INT 0xBB ? F68A9598
INT 0xBC ? F68A95A0
INT 0xBD ? F68A95A8
INT 0xBE ? F68A95B0
INT 0xBF ? F68A95B8
INT 0xC0 ? F68A95C0
INT 0xC1 ? F68A95C8
INT 0xC2 ? F68A95D0
INT 0xC3 ? F68A95D8
INT 0xC4 ? F68A95E0
INT 0xC5 ? F68A95E8
INT 0xC6 ? F68A95F0
INT 0xC7 ? F68A95F8
INT 0xC8 ? F68A9600
INT 0xC9 ? F68A9608
INT 0xCA ? F68A9610
INT 0xCB ? F68A9618
INT 0xCC ? F68A9620
INT 0xCD ? F68A9628
INT 0xCE ? F68A9630
INT 0xCF ? F68A9638
INT 0xD0 ? F68A9640
INT 0xD1 ? F68A9648
INT 0xD2 ? F68A9650
INT 0xD3 ? F68A9658
INT 0xD4 ? F68A9660
INT 0xD5 ? F68A9668
INT 0xD6 ? F68A9670
INT 0xD7 ? F68A9678
INT 0xD8 ? F68A9680
INT 0xD9 ? F68A9688
INT 0xDA ? F68A9690
INT 0xDB ? F68A9698
INT 0xDC ? F68A96A0
INT 0xDD ? F68A96A8
INT 0xDE ? F68A96B0
INT 0xDF ? F68A96B8
INT 0xE0 ? F68A96C0
INT 0xE1 ? F68A96C8
INT 0xE2 ? F68A96D0
INT 0xE3 ? F68A96D8
INT 0xE4 ? F68A96E0
INT 0xE5 ? F68A96E8
INT 0xE6 ? F68A96F0
INT 0xE7 ? F68A96F8
INT 0xE8 ? F68A9700
INT 0xE9 ? F68A9708
INT 0xEA ? F68A9710
INT 0xEB ? F68A9718
INT 0xEC ? F68A9720
INT 0xED ? F68A9728
INT 0xEE ? F68A9730
INT 0xEF ? F68A9738
INT 0xF0 ? F68A9740
INT 0xF1 ? F68A9748
INT 0xF2 ? F68A9750
INT 0xF3 ? F68A9758
INT 0xF4 ? F68A9760
INT 0xF5 ? F68A9768
INT 0xF6 ? F68A9770
INT 0xF7 ? F68A9778
INT 0xF8 ? F68A9780
INT 0xF9 ? F68A9788
INT 0xFA ? F68A9790
INT 0xFB ? F68A9798
INT 0xFC ? F68A97A0
INT 0xFD ? F68A97A8
INT 0xFE ? F68A97B0
INT 0xFF ? F68A97B8
Code F668F2D3 Kei386EoiHelper
---- Kernel code sections - GMER 1.0.13 ----
.text ntoskrnl.exe!ObfDereferenceObject 804D9190 7 Bytes [ B8, 44, 88, AC, F7, FF, E0 ]
.text ntoskrnl.exe!ExAcquireResourceSharedLite + 10 804D9545 5 Bytes JMP F668E6A0
.text ntoskrnl.exe!ExReleaseResourceLite + B 804DBBDB 5 Bytes JMP F668D310
.text ntoskrnl.exe!KiDispatchInterrupt + E6 804DBEE9 5 Bytes JMP F668CEE8
.text ntoskrnl.exe!KiDispatchInterrupt + 410 804DC213 5 Bytes JMP F668C280
.text ntoskrnl.exe!KiDispatchInterrupt + 429 804DC22C 5 Bytes JMP F668F220
.text ntoskrnl.exe!ZwYieldExecution + BA7 804DF07C 5 Bytes JMP F668C338
.text ntoskrnl.exe!Kei386EoiHelper 804DF8FB 5 Bytes JMP F668F2D8
.text ntoskrnl.exe!Kei386EoiHelper + 40 804DF93B 1 Byte [ CC ]
.text ntoskrnl.exe!Kei386EoiHelper + 1DB3 804E16AE 1 Byte [ CC ]
.text ntoskrnl.exe!Kei386EoiHelper + 1FD9 804E18D4 5 Bytes JMP F669E8A0
.text ntoskrnl.exe!KiCoprocessorError + 29 804E2825 5 Bytes JMP F668F070
.text ntoskrnl.exe!_abnormal_termination + 518 804E31E9 5 Bytes JMP F66D2620
.text ntoskrnl.exe!_abnormal_termination + 60B 804E32DC 5 Bytes JMP F668E548
.text ntoskrnl.exe!ZwCallbackReturn + 3B 804E337B 5 Bytes JMP F66D27C8
.text ntoskrnl.exe!ExfInterlockedAddUlong + 1 804E34A3 5 Bytes JMP F66D1878
.text ntoskrnl.exe!ExfInterlockedRemoveHeadList + 1 804E34F2 5 Bytes JMP F66CA500
.text ntoskrnl.exe!ExAcquireResourceExclusiveLite + F 804E3B54 1 Byte [ CC ]
.text ntoskrnl.exe!KeInitializeDpc + 110 804E6106 1 Byte [ CC ]
.text ntoskrnl.exe!KeInitializeDpc + 117 804E610D 1 Byte [ CC ]
.text ntoskrnl.exe!KeInitializeDpc + 11E 804E6114 1 Byte [ CC ]
.text ntoskrnl.exe!KeInitializeDpc + 125 804E611B 1 Byte [ CC ]
.text ntoskrnl.exe!KeRestoreFloatingPointState + 4F 804ECDAE 5 Bytes JMP F66D2418
.text ntoskrnl.exe!KeSaveFloatingPointState + 52 804ECE88 5 Bytes JMP F66D2158
.text ntoskrnl.exe!MmMapLockedPagesSpecifyCache + 551 804EF1DC 5 Bytes JMP F66C7E68
.text ntoskrnl.exe!ExAcquireSharedStarveExclusive + F 804F0C78 1 Byte [ CC ]
.text ntoskrnl.exe!ExSetResourceOwnerPointer + C 804F0E29 5 Bytes JMP F66C3928
.text ntoskrnl.exe!FsRtlGetNextLargeMcbEntry + 125 804F1570 5 Bytes JMP F668D868
.text ntoskrnl.exe!IoPageRead + AED 804FBC61 5 Bytes JMP F668EBB8
.text ntoskrnl.exe!IoPageRead + B57 804FBCCB 1 Byte [ CC ]
.text ntoskrnl.exe!IoPageRead + BBB 804FBD2F 5 Bytes JMP F668EF30
.text ntoskrnl.exe!KeRemoveQueueDpc + 6 804FD0AE 5 Bytes JMP F66D2970
.text ntoskrnl.exe!Ke386IoSetAccessProcess + 76E 8051105C 5 Bytes JMP F66D1FF8
.text ntoskrnl.exe!PoSetSystemState + F7D4 80527D8F 1 Byte [ CC ]
.text ntoskrnl.exe!KeSaveStateForHibernate + 8B3 80534DA4 1 Byte [ CC ]
PAGE ntoskrnl.exe!ObInsertObject 805648A3 7 Bytes [ B8, E4, 86, AC, F7, FF, E0 ]
PAGE ntoskrnl.exe!ObCreateObject 80564DCE 7 Bytes [ B8, 12, 82, AC, F7, FF, E0 ]
PAGE ntoskrnl.exe!MmMapViewOfSection 80573B01 7 Bytes [ B8, D0, 82, AC, F7, FF, E0 ]
SystemJunkie
July 7th, 2007, 09:03 AM
SYSENTER/Int 2E, Type: System Call at address 0x00000000 hook handler located in [0x00000000 - [?_empty_?]
Should that be a new variant or an fp?
Maybe it's the story that EP has talked about.
This empty is a modified copy of dxgthk.sys (DirectX), maybe hooking into atapi, I am not sure.
I always wonder about this dump_atapi.sys; it may be usual, but why are there atapi.sys and dump_atapi.sys,
wouldn't it be enough if there were only atapi.sys?
Some other interesting log:
---- Kernel code sections - GMER 1.0.13 ----
.text ntoskrnl.exe!_abnormal_termination + D7 804E2DA8 24 Bytes [ 79, 28, 5D, F8, 83, 28, 5D, ... ]
.text ntoskrnl.exe!_abnormal_termination + F3 804E2DC4 6 Bytes [ B5, 28, 5D, F8, BF, 28 ]
.text ntoskrnl.exe!_abnormal_termination + FA 804E2DCB 9 Bytes [ F8, C9, 28, 5D, F8, D3, 28, ... ]
.text ntoskrnl.exe!_abnormal_termination + 107 804E2DD8 12 Bytes [ DD, 28, 5D, F8, E7, 28, 5D, ... ]
.text ntoskrnl.exe!_abnormal_termination + 117 804E2DE8 18 Bytes [ FB, 28, 5D, F8, 05, 29, 5D, ... ]
.text ...
Probably fp's.
gmer
July 11th, 2007, 06:22 PM
@SystemJunkie
INT 0x00 ? F68A8B60
INT 0x01 ? F68A8B68
...
INT 0x03 ? F68A8B78
...
INT 0xFF ? F68A97B8
Where did you find it? Looks like a total Interrupt Descriptor Table hook? You can also check it with IceSword:
Menu -> Dump -> GDT/IDT & look into the IDT.log file.
These "1 Byte [ CC ]" - INT 0x03 hooks look interesting, and I wonder if INT 0x01 also plays in this team :)
-{ Quote: "I always wonder about this dump_atapi.sys, it may be usual, but why is there atapi.sys and dump_atapi.sys,
wouldn´t it be enough if there were only atapi.sys?
" }-
http://msdn2.microsoft.com/En-US/library/aa508892.aspx
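gmer's two observations, that the whole INT list looks like one table and that the single-byte 0xCC (int3) patches make the owner of INT 0x03 interesting, can be checked mechanically. The following is an added example (not code from the thread, from GMER or from gmer.net): it parses the "INT 0xNN ? ADDR" lines, takes the most common handler distance between neighbouring vectors as the stride, groups every vector whose handler satisfies handler = base + stride * vector (a table of equally spaced stubs, i.e. one module dispatching every interrupt), reports coverage and the vectors that fall outside any such run, and collects the "1 Byte [ CC ]" code-section entries. The sample is a constructed subset of the values in SystemJunkie's log (vectors 0x00-0x07, 0x10-0x13, 0x20-0x24, 0x2E, 0x2F and three kernel code-section lines); min_run and the stride heuristic are this example's choices.

```python
import re
from collections import Counter, defaultdict

INT_RE = re.compile(r"^INT\s+0x([0-9A-Fa-f]{2})\s+\S+\s+([0-9A-Fa-f]{8})\s*$")
# e.g. ".text ntoskrnl.exe!Kei386EoiHelper + 40 804DF93B 1 Byte [ CC ]"
INT3_RE = re.compile(r"^(?:\.text|PAGE)\s+(.+?)\s+([0-9A-Fa-f]{8})\s+1 Byte \[ CC \]\s*$")

# Constructed subset of the GMER output posted in the thread.
SAMPLE = """
INT 0x00 ? F68A8B60
INT 0x01 ? F68A8B68
INT 0x03 ? F68A8B78
INT 0x04 ? F68A8B80
INT 0x05 ? F68A8B88
INT 0x06 ? F68A8B90
INT 0x07 ? F68A8B98
INT 0x10 ? F68A8BE0
INT 0x11 ? F68A8BE8
INT 0x12 ? F68A9950
INT 0x13 ? F68A8BF8
INT 0x20 ? F68A90C0
INT 0x21 ? F68A90C8
INT 0x22 ? F68A90D0
INT 0x23 ? F68A90D8
INT 0x24 ? F68A90E0
INT 0x2E ? F66A8F10
INT 0x2F ? F68A9138
.text ntoskrnl.exe!ExAcquireResourceSharedLite + 10 804D9545 5 Bytes JMP F668E6A0
.text ntoskrnl.exe!Kei386EoiHelper + 40 804DF93B 1 Byte [ CC ]
.text ntoskrnl.exe!KeInitializeDpc + 110 804E6106 1 Byte [ CC ]
"""


def parse_int_lines(text):
    """vector -> handler address for every 'INT 0xNN ? ADDR' line."""
    idt = {}
    for line in text.splitlines():
        m = INT_RE.match(line.strip())
        if m:
            idt[int(m.group(1), 16)] = int(m.group(2), 16)
    return idt


def parse_int3_patches(text):
    """(symbol, address) for every single-byte 0xCC (int3) patch in kernel code."""
    return [(m.group(1), int(m.group(2), 16))
            for m in (INT3_RE.match(l.strip()) for l in text.splitlines()) if m]


def find_trampoline_runs(idt, min_run=4):
    """Group vectors whose handlers lie on handler = base + stride * vector.

    A normal IDT points each vector at an unrelated kernel routine; equally spaced
    stubs mean one module has re-pointed the vectors through its own dispatch table."""
    vectors = sorted(idt)
    deltas = Counter(idt[b] - idt[a] for a, b in zip(vectors, vectors[1:]) if b - a == 1)
    if not deltas:
        return {"stride": None, "runs": {}, "outliers": vectors, "coverage": 0.0}
    stride = deltas.most_common(1)[0][0]
    by_base = defaultdict(list)
    for v in vectors:
        by_base[idt[v] - stride * v].append(v)
    runs = {base: vs for base, vs in by_base.items() if len(vs) >= min_run}
    covered = sum(len(vs) for vs in runs.values())
    outliers = sorted(v for vs in by_base.values() if len(vs) < min_run for v in vs)
    return {"stride": stride, "runs": runs, "outliers": outliers,
            "coverage": covered / len(vectors)}


def analyze(text):
    idt = parse_int_lines(text)
    tramp = find_trampoline_runs(idt)
    return {
        "vectors": len(idt),
        "stride": tramp["stride"],
        "runs": [(base, len(vs)) for base, vs in tramp["runs"].items()],
        "coverage": tramp["coverage"],
        "outliers": tramp["outliers"],
        # debug trap (1) and breakpoint (3) handled by the table too: whoever owns the
        # table also sees every int3 hit, which is the point gmer raises about 0xCC
        "debug_vectors_in_table": [v for v in (0x01, 0x03)
                                   if v in idt and v not in tramp["outliers"]],
        "int3_patches": parse_int3_patches(text),
    }


if __name__ == "__main__":
    r = analyze(SAMPLE)
    print(f"{r['vectors']} vectors, stride {r['stride']}, coverage {r['coverage']:.0%}")
    for base, n in r["runs"]:
        print(f"  run base {base:08X}: {n} vectors")
    print("  outliers:", [f"0x{v:02X}" for v in r["outliers"]])
    print("  int3 patches:", r["int3_patches"])
```

On the sample, 16 of 18 vectors fall into two 8-byte-stride runs and only INT 0x12 and INT 0x2E point elsewhere; on an XP x86 machine INT 0x2E is the system-call gate, so an outlier there is the one to chase first. The outliers list is where a false positive (a hypervisor's own stub table, as the thread later considers) and a hook look different: a hypervisor re-points everything uniformly, a hook singles vectors out.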
SystemJunkie
July 12th, 2007, 10:07 AM
-{ Quote: "Where did you find it ? Looks like total Interrupt Descriptor Table hook ? You can also check it with IceSword:
Menu -> Dump -> GDT/IDT & look into IDT.log file.
These "1 Byte [ CC ]" - INT 0x03 hooks looks interesting, and I wonder if INT 0x01 also plays in this team " }-
It's from inside a virtual machine I installed some days ago. Seems either the intruders forgot to immunise their rootkit against this VM or it is a false positive. But I think it is the first option. Besides, thanks for the link.
Do you think this is the way a usual system works? (The Black Ice indicator)
http://i9.tinypic.com/62fo7et.png
Actually IceSword fails to work inside this VM. Besides, this Black Ice story is as old as the moon
(nearly 10 years). It really seems that we have to step deep inside the matrix to beat the matrix.
This is an unusual IDT fragment from an actual system (not the one from the VM log above):
032 0008:00000000 0 00 N
033 00C7:000004E6 7 03 P
034 0008:00000000 0 00 N
035 0008:00000000 0 00 N
036 0008:00000000 0 00 N
037 0008:00000000 0 00 N
038 0008:00000000 0 00 N
039 0008:00000000 0 00 N
040 0008:00000000 0 00 N
041 0008:00000000 0 00 N
042 0008:80540C1E E 03 P
But EP told me that this is a false positive of IceSword; I really don't know.
IceSword always creates a 2nd random driver, probably usual, but dazzling:
"\SystemRoot\System32\Drivers\aflvzw.sys" / KeBugCheckEx
I tested another app that checks autoruns; trying to remove different entries, again comes "Not admin, log in as admin", but I am in admin mode. Process Monitor shows this: "26","<unknown>","0x1","0x1",""
Unknown at 0x1, that's the beast.
gmer
July 12th, 2007, 02:03 PM
If possible I'd like to see the "Kernel Memory Dump" ( %SystemRoot%\MEMORY.DMP ); go to "Setup and Recovery" -> "System failure" settings & generate a BSOD.
SystemJunkie
July 13th, 2007, 03:55 AM
Do you mean system properties?
Here is another computer's IDT; I assume it is infected with the same (restricted rights in admin mode). (The VM actually crashed; I will try to reinstall it.)
IDT Base:0x8003F400 , IDT Limit:0x7FF
Index Selector:Offset Type DPL P bit
000 0008:804DFBFF E 00 P
001 0008:804DFD7C E 00 P
002 0058:0000112E 5 00 P
003 0008:804E015B E 03 P
004 0008:804E02E0 E 03 P
005 0008:804E0441 E 00 P
006 0008:804E05BF E 00 P
007 0008:804E0C33 E 00 P
008 0050:00001188 5 00 P
009 0008:804E1060 E 00 P
010 0008:804E1185 E 00 P
011 0008:804E12CA E 00 P
012 0008:804E1530 E 00 P
013 0008:804E1827 E 00 P
014 0008:804E1F25 E 00 P
015 0008:804E225A E 00 P
016 0008:804E237F E 00 P
017 0008:804E24BD E 00 P
018 00A0:804E225A 5 00 P
019 0008:804E262B E 00 P
020 0008:804E225A E 00 P
021 0008:804E225A E 00 P
022 0008:804E225A E 00 P
023 0008:804E225A E 00 P
024 0008:804E225A E 00 P
025 0008:804E225A E 00 P
026 0008:804E225A E 00 P
027 0008:804E225A E 00 P
028 0008:804E225A E 00 P
029 0008:804E225A E 00 P
030 0008:804E225A E 00 P
031 0008:804E225A E 00 P
032 0008:00000000 0 00 N
033 0008:00000000 0 00 N
034 0008:00000000 0 00 N
035 0008:00000000 0 00 N
036 0008:00000000 0 00 N
037 0008:00000000 0 00 N
038 0008:00000000 0 00 N
039 0008:00000000 0 00 N
040 0008:00000000 0 00 N
041 0008:00000000 0 00 N
042 0008:804DF417 E 03 P
043 0008:804DF522 E 03 P
044 0008:804DF6C7 E 03 P
045 0008:804E0032 E 03 P
046 0008:804DEEA6 E 03 P
047 0008:804E225A E 00 P
048 0008:806F3D50 E 00 P
049 0008:82CF5DD4 E 00 P
050 0008:804DE574 E 00 P
051 0008:82DDACD4 E 00 P
052 0008:82B83DD4 E 00 P
053 0008:82CE36B4 E 00 P
054 0008:804DE59C E 00 P
055 0008:804DE5A6 E 00 P
056 0008:806EDEF0 E 00 P
057 0008:82FA68DC E 00 P
058 0008:82CFFDD4 E 00 P
059 0008:82EA0BC4 E 00 P
060 0008:804DE5D8 E 00 P
061 0008:804DE5E2 E 00 P
062 0008:82F924DC E 00 P
063 0008:82B9F044 E 00 P
064 0008:804DE600 E 00 P
065 0008:804DE60A E 00 P
066 0008:804DE614 E 00 P
067 0008:804DE61E E 00 P
068 0008:804DE628 E 00 P
069 0008:804DE632 E 00 P
070 0008:804DE63C E 00 P
071 0008:804DE646 E 00 P
072 0008:804DE650 E 00 P
073 0008:804DE65A E 00 P
074 0008:804DE664 E 00 P
075 0008:804DE66E E 00 P
076 0008:804DE678 E 00 P
077 0008:804DE682 E 00 P
078 0008:804DE68C E 00 P
079 0008:804DE696 E 00 P
080 0008:804DE6A0 E 00 P
081 0008:804DE6AA E 00 P
082 0008:804DE6B4 E 00 P
083 0008:804DE6BE E 00 P
084 0008:804DE6C8 E 00 P
085 0008:804DE6D2 E 00 P
086 0008:804DE6DC E 00 P
087 0008:804DE6E6 E 00 P
088 0008:804DE6F0 E 00 P
089 0008:804DE6FA E 00 P
090 0008:804DE704 E 00 P
091 0008:804DE70E E 00 P
092 0008:804DE718 E 00 P
093 0008:804DE722 E 00 P
094 0008:804DE72C E 00 P
095 0008:804DE736 E 00 P
096 0008:804DE740 E 00 P
097 0008:804DE74A E 00 P
098 0008:804DE754 E 00 P
099 0008:804DE75E E 00 P
100 0008:804DE768 E 00 P
101 0008:804DE772 E 00 P
102 0008:804DE77C E 00 P
103 0008:804DE786 E 00 P
104 0008:804DE790 E 00 P
105 0008:804DE79A E 00 P
106 0008:804DE7A4 E 00 P
107 0008:804DE7AE E 00 P
108 0008:804DE7B8 E 00 P
109 0008:804DE7C2 E 00 P
110 0008:804DE7CC E 00 P
111 0008:804DE7D6 E 00 P
112 0008:804DE7E0 E 00 P
113 0008:804DE7EA E 00 P
114 0008:804DE7F4 E 00 P
115 0008:804DE7FE E 00 P
116 0008:804DE808 E 00 P
117 0008:804DE812 E 00 P
118 0008:804DE81C E 00 P
119 0008:804DE826 E 00 P
120 0008:804DE830 E 00 P
121 0008:804DE83A E 00 P
122 0008:804DE844 E 00 P
123 0008:804DE84E E 00 P
124 0008:804DE858 E 00 P
125 0008:804DE862 E 00 P
126 0008:804DE86C E 00 P
127 0008:804DE876 E 00 P
128 0008:804DE880 E 00 P
129 0008:804DE88A E 00 P
130 0008:804DE894 E 00 P
131 0008:804DE89E E 00 P
132 0008:804DE8A8 E 00 P
133 0008:804DE8B2 E 00 P
134 0008:804DE8BC E 00 P
135 0008:804DE8C6 E 00 P
136 0008:804DE8D0 E 00 P
137 0008:804DE8DA E 00 P
138 0008:804DE8E4 E 00 P
139 0008:804DE8EE E 00 P
140 0008:804DE8F8 E 00 P
141 0008:804DE902 E 00 P
142 0008:804DE90C E 00 P
143 0008:804DE916 E 00 P
144 0008:804DE920 E 00 P
145 0008:804DE92A E 00 P
146 0008:804DE934 E 00 P
147 0008:804DE93E E 00 P
148 0008:804DE948 E 00 P
149 0008:804DE952 E 00 P
150 0008:804DE95C E 00 P
151 0008:804DE966 E 00 P
152 0008:804DE970 E 00 P
153 0008:804DE97A E 00 P
154 0008:804DE984 E 00 P
155 0008:804DE98E E 00 P
156 0008:804DE998 E 00 P
157 0008:804DE9A2 E 00 P
158 0008:804DE9AC E 00 P
159 0008:804DE9B6 E 00 P
160 0008:804DE9C0 E 00 P
161 0008:804DE9CA E 00 P
162 0008:804DE9D4 E 00 P
163 0008:804DE9DE E 00 P
164 0008:804DE9E8 E 00 P
165 0008:804DE9F2 E 00 P
166 0008:804DE9FC E 00 P
167 0008:804DEA06 E 00 P
168 0008:804DEA10 E 00 P
169 0008:804DEA1A E 00 P
170 0008:804DEA24 E 00 P
171 0008:804DEA2E E 00 P
172 0008:804DEA38 E 00 P
173 0008:804DEA42 E 00 P
174 0008:804DEA4C E 00 P
175 0008:804DEA56 E 00 P
176 0008:804DEA60 E 00 P
177 0008:804DEA6A E 00 P
178 0008:804DEA74 E 00 P
179 0008:804DEA7E E 00 P
180 0008:804DEA88 E 00 P
181 0008:804DEA92 E 00 P
182 0008:804DEA9C E 00 P
183 0008:804DEAA6 E 00 P
184 0008:804DEAB0 E 00 P
185 0008:804DEABA E 00 P
186 0008:804DEAC4 E 00 P
187 0008:804DEACE E 00 P
188 0008:804DEAD8 E 00 P
189 0008:804DEAE2 E 00 P
190 0008:804DEAEC E 00 P
191 0008:804DEAF6 E 00 P
192 0008:804DEB00 E 00 P
193 0008:804DEB0A E 00 P
194 0008:804DEB14 E 00 P
195 0008:804DEB1E E 00 P
196 0008:804DEB28 E 00 P
197 0008:804DEB32 E 00 P
198 0008:804DEB3C E 00 P
199 0008:804DEB46 E 00 P
200 0008:804DEB50 E 00 P
201 0008:804DEB5A E 00 P
202 0008:804DEB64 E 00 P
203 0008:804DEB6E E 00 P
204 0008:804DEB78 E 00 P
205 0008:804DEB82 E 00 P
206 0008:804DEB8C E 00 P
207 0008:804DEB96 E 00 P
208 0008:804DEBA0 E 00 P
209 0008:804DEBAA E 00 P
210 0008:804DEBB4 E 00 P
211 0008:804DEBBE E 00 P
212 0008:804DEBC8 E 00 P
213 0008:804DEBD2 E 00 P
214 0008:804DEBDC E 00 P
215 0008:804DEBE6 E 00 P
216 0008:804DEBF0 E 00 P
217 0008:804DEBFA E 00 P
218 0008:804DEC04 E 00 P
219 0008:804DEC0E E 00 P
220 0008:804DEC18 E 00 P
221 0008:804DEC22 E 00 P
222 0008:804DEC2C E 00 P
223 0008:804DEC36 E 00 P
224 0008:804DEC40 E 00 P
225 0008:804DEC4A E 00 P
226 0008:804DEC54 E 00 P
227 0008:804DEC5E E 00 P
228 0008:804DEC68 E 00 P
229 0008:804DEC72 E 00 P
230 0008:804DEC7C E 00 P
231 0008:804DEC86 E 00 P
232 0008:804DEC90 E 00 P
233 0008:804DEC9A E 00 P
234 0008:804DECA4 E 00 P
235 0008:804DECAE E 00 P
236 0008:804DECB8 E 00 P
237 0008:804DECC2 E 00 P
238 0008:804DECC9 E 00 P
239 0008:804DECD0 E 00 P
240 0008:804DECD7 E 00 P
241 0008:804DECDE E 00 P
242 0008:804DECE5 E 00 P
243 0008:804DECEC E 00 P
244 0008:804DECF3 E 00 P
245 0008:804DECFA E 00 P
246 0008:804DED01 E 00 P
247 0008:804DED08 E 00 P
248 0008:804DED0F E 00 P
249 0008:804DED16 E 00 P
250 0008:804DED1D E 00 P
251 0008:804DED24 E 00 P
252 0008:804DED2B E 00 P
253 0008:804DED32 E 00 P
254 0008:804DED39 E 00 P
255 0008:804DED40 E 00 P
---- Kernel code sections - GMER 1.0.13 ----
.text ntoskrnl.exe!_abnormal_termination + D7 804E2DA8 24 Bytes [ 79, 28, 5D, F8, 83, 28, 5D, ... ]
.text ntoskrnl.exe!_abnormal_termination + F3 804E2DC4 6 Bytes [ CE, 17, A5, F8, BF, 28 ]
.text ntoskrnl.exe!_abnormal_termination + FA 804E2DCB 9 Bytes [ F8, C9, 28, 5D, F8, D3, 28, ... ]
.text ntoskrnl.exe!_abnormal_termination + 107 804E2DD8 12 Bytes [ DD, 28, 5D, F8, E7, 28, 5D, ... ]
.text ntoskrnl.exe!_abnormal_termination + 117 804E2DE8 18 Bytes [ FB, 28, 5D, F8, 05, 29, 5D, ... ]
.text ...
PAGE ntoskrnl.exe!NtOpenProcess 8057459E 5 Bytes JMP F1A1859C \SystemRoot\System32\Drivers\IsDrv120.sys
PAGE ntoskrnl.exe!ZwTerminateThread 8057E97C 5 Bytes JMP F1A18522 \SystemRoot\System32\Drivers\IsDrv120.sys
PAGE ntoskrnl.exe!ZwCreateThread 8057F262 5 Bytes JMP F1A189B6 \SystemRoot\System32\Drivers\IsDrv120.sys
PAGE ntoskrnl.exe!ZwCreateProcessEx 805885D3 5 Bytes JMP F1A18814 \SystemRoot\System32\Drivers\IsDrv120.sys
PAGE ntoskrnl.exe!ZwTerminateProcess 8058AE1E 5 Bytes JMP F1A18374 \SystemRoot\System32\Drivers\IsDrv120.sys
PAGE ntoskrnl.exe!NtOpenThread 80597C0A 5 Bytes JMP F1A18626 \SystemRoot\System32\Drivers\IsDrv120.sys
? C:\WINDOWS\system32\drivers\SnopFree.sys Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
? System32\Drivers\IsDrv122.sys Das System kann die angegebene Datei nicht finden.
? C:\WINDOWS\system32\Drivers\PROCMON11.SYS Das System kann die angegebene Datei nicht finden.
? System32\Drivers\rkhdrv40.SYS Das System kann die angegebene Datei nicht finden.
? System32\Drivers\IsDrv120.sys Das System kann die angegebene Datei nicht finden.
I tested the other app that checks autoruns; trying to remove different entries, again comes "Not admin, log in as admin", but I am in admin mode. Process Monitor shows again: <unknown>","0x1","0x1",""
http://i12.tinypic.com/4vo77lx.png
gmer
July 13th, 2007, 04:46 AM
Try this ...
-{ Quote: "Forcing a System Crash from the Keyboard
A system crash can be directly caused from most non-USB keyboards.
Two preparations must be made before this can be done:
If you wish a crash dump file to be written, you must enable such dump files, choose the path and file name, and select the size of the dump file. For details, see Enabling a Kernel-Mode Dump File.
You must enable the keyboard-initiated crash in the registry. In the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters, create a value named CrashOnCtrlScroll, and set it equal to REG_DWORD 0x1 (or any nonzero value).
The system must be rebooted before these changes will take effect.
After this has been done, the keyboard crash can be initiated as follows. Hold down the rightmost CTRL key, and press the SCROLL LOCK key twice.
It is possible for a system to freeze in such a way that this CTRL+SCROLL LOCK+SCROLL LOCK sequence will not work. However, this should be a very rare occurrence. The CTRL+SCROLL LOCK+SCROLL LOCK crash initiation will work even in many instances where CTRL+ALT+DELETE does not work.
The system then calls KeBugCheck and issues bug check 0xE2 (MANUALLY_INITIATED_CRASH). Unless crash dumps have been disabled, a crash dump file is written at this point.
If a kernel debugger is attached to the frozen machine, the machine will break into the kernel debugger after the crash dump file has been written." }-
SystemJunkie
July 13th, 2007, 05:48 AM
That's the IDT from inside the VM (the INT 0x.. ? system):
IDT Base:0xF780F090 , IDT Limit:0x7FF
Index Selector:Offset Type DPL P bit
000 FFF8:F7CEAB60 E 00 P
001 FFF8:F7CEAB68 E 00 P
002 FFF8:F7CEAFD0 E 00 P
003 FFF8:F7CEAB78 E 03 P
004 FFF8:F7CEAB80 E 00 P
005 FFF8:F7CEAB88 E 00 P
006 FFF8:F7CEAB90 E 00 P
007 FFF8:F7CEAB98 E 00 P
008 FFD8:00000000 5 00 P
009 FFF8:F7CEABA8 E 00 P
010 FFF8:F7CEABB0 E 00 P
011 FFF8:F7CEABB8 E 00 P
012 FFF8:F7CEABC0 E 00 P
013 FFF8:F7CEABC8 E 00 P
014 FFF8:F7CEABD0 E 00 P
015 0000:00000000 0 00 N
016 FFF8:F7CEABE0 E 00 P
017 FFF8:F7CEABE8 E 00 P
018 FFF8:F7CEB950 E 00 P
019 FFF8:F7CEABF8 E 00 P
020 0000:00000000 0 00 N
021 0000:00000000 0 00 N
022 0000:00000000 0 00 N
023 0000:00000000 0 00 N
024 0000:00000000 0 00 N
025 0000:00000000 0 00 N
026 0000:00000000 0 00 N
027 0000:00000000 0 00 N
028 0000:00000000 0 00 N
029 0000:00000000 0 00 N
030 0000:00000000 0 00 N
031 0000:00000000 0 00 N
032 FFF8:F7CEB0C0 E 00 P
033 FFF8:F7CEB0C8 E 00 P
034 FFF8:F7CEB0D0 E 00 P
035 FFF8:F7CEB0D8 E 00 P
036 FFF8:F7CEB0E0 E 00 P
037 FFF8:F7CEB0E8 E 00 P
038 FFF8:F7CEB0F0 E 00 P
039 FFF8:F7CEB0F8 E 00 P
040 FFF8:F7CEB100 E 00 P
041 FFF8:F7CEB108 E 00 P
042 FFF8:F7CEB110 E 00 P
043 FFF8:F7CEB118 E 00 P
044 FFF8:F7CEB120 E 00 P
045 FFF8:F7CEB128 E 00 P
046 FFF8:F7CEB130 E 00 P
047 FFF8:F7CEB138 E 00 P
048 FFF8:F7CEB140 E 00 P
049 FFF8:F7CEB148 E 00 P
050 FFF8:F7CEB150 E 00 P
051 FFF8:F7CEB158 E 00 P
052 FFF8:F7CEB160 E 00 P
053 FFF8:F7CEB168 E 00 P
054 FFF8:F7CEB170 E 00 P
055 FFF8:F7CEB178 E 00 P
056 FFF8:F7CEB180 E 00 P
057 FFF8:F7CEB188 E 00 P
058 FFF8:F7CEB190 E 00 P
059 FFF8:F7CEB198 E 00 P
060 FFF8:F7CEB1A0 E 00 P
061 FFF8:F7CEB1A8 E 00 P
062 FFF8:F7CEB1B0 E 00 P
063 FFF8:F7CEB1B8 E 00 P
064 FFF8:F7CEB1C0 E 00 P
065 FFF8:F7CEB1C8 E 00 P
066 FFF8:F7CEB1D0 E 00 P
067 FFF8:F7CEB1D8 E 00 P
068 FFF8:F7CEB1E0 E 00 P
069 FFF8:F7CEB1E8 E 00 P
070 FFF8:F7CEB1F0 E 00 P
071 FFF8:F7CEB1F8 E 00 P
072 FFF8:F7CEB200 E 00 P
073 FFF8:F7CEB208 E 00 P
074 FFF8:F7CEB210 E 00 P
075 FFF8:F7CEB218 E 00 P
076 FFF8:F7CEB220 E 00 P
077 FFF8:F7CEB228 E 00 P
078 FFF8:F7CEB230 E 00 P
079 FFF8:F7CEB238 E 00 P
080 FFF8:F7CEB240 E 00 P
081 FFF8:F7CEB248 E 00 P
082 FFF8:F7CEB250 E 00 P
083 FFF8:F7CEB258 E 00 P
084 FFF8:F7CEB260 E 00 P
085 FFF8:F7CEB268 E 00 P
086 FFF8:F7CEB270 E 00 P
087 FFF8:F7CEB278 E 00 P
088 FFF8:F7CEB280 E 00 P
089 FFF8:F7CEB288 E 00 P
090 FFF8:F7CEB290 E 00 P
091 FFF8:F7CEB298 E 00 P
092 FFF8:F7CEB2A0 E 00 P
093 FFF8:F7CEB2A8 E 00 P
094 FFF8:F7CEB2B0 E 00 P
095 FFF8:F7CEB2B8 E 00 P
096 FFF8:F7CEB2C0 E 00 P
097 FFF8:F7CEB2C8 E 00 P
098 FFF8:F7CEB2D0 E 00 P
099 FFF8:F7CEB2D8 E 00 P
100 FFF8:F7CEB2E0 E 00 P
101 FFF8:F7CEB2E8 E 00 P
102 FFF8:F7CEB2F0 E 00 P
103 FFF8:F7CEB2F8 E 00 P
104 FFF8:F7CEB300 E 00 P
105 FFF8:F7CEB308 E 00 P
106 FFF8:F7CEB310 E 00 P
107 FFF8:F7CEB318 E 00 P
108 FFF8:F7CEB320 E 00 P
109 FFF8:F7CEB328 E 00 P
110 FFF8:F7CEB330 E 00 P
111 FFF8:F7CEB338 E 00 P
112 FFF8:F7CEB340 E 00 P
113 FFF8:F7CEB348 E 00 P
114 FFF8:F7CEB350 E 00 P
115 FFF8:F7CEB358 E 00 P
116 FFF8:F7CEB360 E 00 P
117 FFF8:F7CEB368 E 00 P
118 FFF8:F7CEB370 E 00 P
119 FFF8:F7CEB378 E 00 P
120 FFF8:F7CEB380 E 00 P
121 FFF8:F7CEB388 E 00 P
122 FFF8:F7CEB390 E 00 P
123 FFF8:F7CEB398 E 00 P
124 FFF8:F7CEB3A0 E 00 P
125 FFF8:F7CEB3A8 E 00 P
126 FFF8:F7CEB3B0 E 00 P
127 FFF8:F7CEB3B8 E 00 P
128 FFF8:F7CEB3C0 E 00 P
129 FFF8:F7CEB3C8 E 00 P
130 FFF8:F7CEB3D0 E 00 P
131 FFF8:F7CEB3D8 E 00 P
132 FFF8:F7CEB3E0 E 00 P
133 FFF8:F7CEB3E8 E 00 P
134 FFF8:F7CEB3F0 E 00 P
135 FFF8:F7CEB3F8 E 00 P
136 FFF8:F7CEB400 E 00 P
137 FFF8:F7CEB408 E 00 P
138 FFF8:F7CEB410 E 00 P
139 FFF8:F7CEB418 E 00 P
140 FFF8:F7CEB420 E 00 P
141 FFF8:F7CEB428 E 00 P
142 FFF8:F7CEB430 E 00 P
143 FFF8:F7CEB438 E 00 P
144 FFF8:F7CEB440 E 00 P
145 FFF8:F7CEB448 E 00 P
146 FFF8:F7CEB450 E 00 P
147 FFF8:F7CEB458 E 00 P
148 FFF8:F7CEB460 E 00 P
149 FFF8:F7CEB468 E 00 P
150 FFF8:F7CEB470 E 00 P
151 FFF8:F7CEB478 E 00 P
152 FFF8:F7CEB480 E 00 P
153 FFF8:F7CEB488 E 00 P
154 FFF8:F7CEB490 E 00 P
155 FFF8:F7CEB498 E 00 P
156 FFF8:F7CEB4A0 E 00 P
157 FFF8:F7CEB4A8 E 00 P
158 FFF8:F7CEB4B0 E 00 P
159 FFF8:F7CEB4B8 E 00 P
160 FFF8:F7CEB4C0 E 00 P
161 FFF8:F7CEB4C8 E 00 P
162 FFF8:F7CEB4D0 E 00 P
163 FFF8:F7CEB4D8 E 00 P
164 FFF8:F7CEB4E0 E 00 P
165 FFF8:F7CEB4E8 E 00 P
166 FFF8:F7CEB4F0 E 00 P
167 FFF8:F7CEB4F8 E 00 P
168 FFF8:F7CEB500 E 00 P
169 FFF8:F7CEB508 E 00 P
170 FFF8:F7CEB510 E 00 P
171 FFF8:F7CEB518 E 00 P
172 FFF8:F7CEB520 E 00 P
173 FFF8:F7CEB528 E 00 P
174 FFF8:F7CEB530 E 00 P
175 FFF8:F7CEB538 E 00 P
176 FFF8:F7CEB540 E 00 P
177 FFF8:F7CEB548 E 00 P
178 FFF8:F7CEB550 E 00 P
179 FFF8:F7CEB558 E 00 P
180 FFF8:F7CEB560 E 00 P
181 FFF8:F7CEB568 E 00 P
182 FFF8:F7CEB570 E 00 P
183 FFF8:F7CEB578 E 00 P
184 FFF8:F7CEB580 E 00 P
185 FFF8:F7CEB588 E 00 P
186 FFF8:F7CEB590 E 00 P
187 FFF8:F7CEB598 E 00 P
188 FFF8:F7CEB5A0 E 00 P
189 FFF8:F7CEB5A8 E 00 P
190 FFF8:F7CEB5B0 E 00 P
191 FFF8:F7CEB5B8 E 00 P
192 FFF8:F7CEB5C0 E 00 P
193 FFF8:F7CEB5C8 E 00 P
194 FFF8:F7CEB5D0 E 00 P
195 FFF8:F7CEB5D8 E 00 P
196 FFF8:F7CEB5E0 E 00 P
197 FFF8:F7CEB5E8 E 00 P
198 FFF8:F7CEB5F0 E 00 P
199 FFF8:F7CEB5F8 E 00 P
200 FFF8:F7CEB600 E 00 P
201 FFF8:F7CEB608 E 00 P
202 FFF8:F7CEB610 E 00 P
203 FFF8:F7CEB618 E 00 P
204 FFF8:F7CEB620 E 00 P
205 FFF8:F7CEB628 E 00 P
206 FFF8:F7CEB630 E 00 P
207 FFF8:F7CEB638 E 00 P
208 FFF8:F7CEB640 E 00 P
209 FFF8:F7CEB648 E 00 P
210 FFF8:F7CEB650 E 00 P
211 FFF8:F7CEB658 E 00 P
212 FFF8:F7CEB660 E 00 P
213 FFF8:F7CEB668 E 00 P
214 FFF8:F7CEB670 E 00 P
215 FFF8:F7CEB678 E 00 P
216 FFF8:F7CEB680 E 00 P
217 FFF8:F7CEB688 E 00 P
218 FFF8:F7CEB690 E 00 P
219 FFF8:F7CEB698 E 00 P
220 FFF8:F7CEB6A0 E 00 P
221 FFF8:F7CEB6A8 E 00 P
222 FFF8:F7CEB6B0 E 00 P
223 FFF8:F7CEB6B8 E 00 P
224 FFF8:F7CEB6C0 E 00 P
225 FFF8:F7CEB6C8 E 00 P
226 FFF8:F7CEB6D0 E 00 P
227 FFF8:F7CEB6D8 E 00 P
228 FFF8:F7CEB6E0 E 00 P
229 FFF8:F7CEB6E8 E 00 P
230 FFF8:F7CEB6F0 E 00 P
231 FFF8:F7CEB6F8 E 00 P
232 FFF8:F7CEB700 E 00 P
233 FFF8:F7CEB708 E 00 P
234 FFF8:F7CEB710 E 00 P
235 FFF8:F7CEB718 E 00 P
236 FFF8:F7CEB720 E 00 P
237 FFF8:F7CEB728 E 00 P
238 FFF8:F7CEB730 E 00 P
239 FFF8:F7CEB738 E 00 P
240 FFF8:F7CEB740 E 00 P
241 FFF8:F7CEB748 E 00 P
242 FFF8:F7CEB750 E 00 P
243 FFF8:F7CEB758 E 00 P
244 FFF8:F7CEB760 E 00 P
245 FFF8:F7CEB768 E 00 P
246 FFF8:F7CEB770 E 00 P
247 FFF8:F7CEB778 E 00 P
248 FFF8:F7CEB780 E 00 P
249 FFF8:F7CEB788 E 00 P
250 FFF8:F7CEB790 E 00 P
251 FFF8:F7CEB798 E 00 P
252 FFF8:F7CEB7A0 E 00 P
253 FFF8:F7CEB7A8 E 00 P
254 FFF8:F7CEB7B0 E 00 P
255 FFF8:F7CEB7B8 E 00 P
Do you recognize something special?
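The two IceSword dumps in this thread (the physical machine's table a few posts up and the VM's table just above) can be compared field by field instead of by eye. The following is an added example, not code from the thread, from IceSword or from GMER: a parser for the IDT.log format, checks against what an unmodified XP x86 table looks like (DPL 3 gates only on 0x03, 0x04 and 0x2A-0x2E; interrupt gates through the kernel code selector 0x0008; the CPU exception vectors 0x00-0x1F present), and a diff that ignores handler offsets, which differ between machines anyway, and reports only gate type, DPL and presence. The two samples are constructed subsets of the dumps posted in the thread; the expected-vector set and the selector constant are this example's assumptions about XP.

```python
import re

HEADER_RE = re.compile(r"^IDT Base:0x([0-9A-Fa-f]+)\s*,\s*IDT Limit:0x([0-9A-Fa-f]+)")
ENTRY_RE = re.compile(
    r"^(\d{3})\s+([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+([0-9A-Fa-f])\s+(\d{2})\s+([PN])\s*$"
)

KERNEL_CODE_SELECTOR = 0x0008                                        # XP's KGDT_R0_CODE
USER_CALLABLE_VECTORS = {0x03, 0x04, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E}  # DPL 3 gates on XP x86
INTERRUPT_GATE_32 = 0xE

# Constructed subsets of the two IceSword dumps posted in the thread.
HOST_DUMP = """
IDT Base:0x8003F400 , IDT Limit:0x7FF
Index Selector:Offset Type DPL P bit
000 0008:804DFBFF E 00 P
001 0008:804DFD7C E 00 P
002 0058:0000112E 5 00 P
003 0008:804E015B E 03 P
004 0008:804E02E0 E 03 P
008 0050:00001188 5 00 P
015 0008:804E225A E 00 P
032 0008:00000000 0 00 N
042 0008:804DF417 E 03 P
046 0008:804DEEA6 E 03 P
047 0008:804E225A E 00 P
"""
VM_DUMP = """
IDT Base:0xF780F090 , IDT Limit:0x7FF
Index Selector:Offset Type DPL P bit
000 FFF8:F7CEAB60 E 00 P
001 FFF8:F7CEAB68 E 00 P
002 FFF8:F7CEAFD0 E 00 P
003 FFF8:F7CEAB78 E 03 P
004 FFF8:F7CEAB80 E 00 P
008 FFD8:00000000 5 00 P
015 0000:00000000 0 00 N
032 FFF8:F7CEB0C0 E 00 P
042 FFF8:F7CEB110 E 00 P
046 FFF8:F7CEB130 E 00 P
047 FFF8:F7CEB138 E 00 P
"""


def parse_icesword_idt(text):
    """Return {"base", "limit", "entries": {vector: gate fields}} from an IDT.log dump."""
    base = limit = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            base, limit = int(h.group(1), 16), int(h.group(2), 16)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[int(m.group(1))] = {
                "selector": int(m.group(2), 16),
                "offset": int(m.group(3), 16),
                "type": int(m.group(4), 16),   # E = 32-bit interrupt gate, 5 = task gate
                "dpl": int(m.group(5)),
                "present": m.group(6) == "P",
            }
    return {"base": base, "limit": limit, "entries": entries}


def check_idt(dump):
    """Deviations from the shape of a stock XP x86 IDT, each as a sorted vector list."""
    e = dump["entries"]
    return {
        "slots": (dump["limit"] + 1) // 8 if dump["limit"] is not None else None,
        "unexpected_user_gates": sorted(
            v for v, g in e.items()
            if g["present"] and g["dpl"] == 3 and v not in USER_CALLABLE_VECTORS),
        "user_gates_not_user_callable": sorted(
            v for v in USER_CALLABLE_VECTORS if v in e and e[v]["dpl"] != 3),
        "exception_vectors_not_present": sorted(
            v for v, g in e.items() if v < 0x20 and not g["present"]),
        "foreign_selector": sorted(
            v for v, g in e.items()
            if g["present"] and g["type"] == INTERRUPT_GATE_32
            and g["selector"] != KERNEL_CODE_SELECTOR),
    }


def diff_idt(a, b):
    """Vectors whose gate type, DPL or presence differ between two dumps (offsets ignored)."""
    key = lambda g: (g["type"], g["dpl"], g["present"])
    common = sorted(set(a["entries"]) & set(b["entries"]))
    return [(v, key(a["entries"][v]), key(b["entries"][v]))
            for v in common if key(a["entries"][v]) != key(b["entries"][v])]


if __name__ == "__main__":
    host, vm = parse_icesword_idt(HOST_DUMP), parse_icesword_idt(VM_DUMP)
    for name, d in (("host", host), ("vm", vm)):
        print(name, check_idt(d))
    for v, h, g in diff_idt(host, vm):
        print(f"vector 0x{v:02X}: host {h} vs vm {g}")
```

Run on these subsets, the physical machine passes every check, while the VM table has every interrupt gate on selector 0xFFF8, INT 0x0F not present, and the system-call gates 0x04, 0x2A and 0x2E at DPL 0. That is exactly the "something special" the question above is about; whether those differences come from how the hypervisor presents the guest's IDT or from something inside the guest is what the rest of the thread tries to settle.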
SystemJunkie
July 13th, 2007, 06:07 AM
-{ Quote: "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters, create a value named CrashOnCtrlScroll, and set it equal to REG_DWORD 0x1 (or any nonzero value). " }-
It does not function in the virtual machine, but I found something interesting in this Parameters key: LayerDriver JPN kbd101.dll, Layer Driver KOR kbd101a.dll.
Japan and Korea!!?????
i8042prt\Enum\0 ACPI\PNP0303\4&102163c3&0
i8042prt\Parameters\LayerDriver JPN kbd101.dll
i8042prt\Parameters\Layer Driver KOR kbd101a.dll.
But I know how to create a BSOD; I only need to start deep monitor ;D;D;D
gmer
July 13th, 2007, 06:35 AM
PM me (http://www.gmer.net/contact.php) & I will send you something else to generate MEMORY.DMP.
SystemJunkie
July 13th, 2007, 07:24 AM
Okay.
SystemJunkie
July 16th, 2007, 12:51 PM
I will send you a new dump when I find the time; I will then reinstall a fresh Win XP in the virtual machine. If you want to stay informed about new revelations and some wicked beasty screens, check this link (http://forum.sysinternals.com/forum_posts.asp?TID=11089&PID=51576#51576)
SystemJunkie
July 25th, 2007, 11:52 AM
@Gmer, the dump was sent to you some days ago.
It would be cool if you'd find some anomalies to implement for the next Gmer version. If so, then give a sign.
Maybe VMs generally create those anomalies, but sysenter 0000000 looks really strange.
gmer
July 26th, 2007, 05:24 PM
Hello SystemJunkie
I do not see anything suspicious in your crash dump (see attached for details).
Maybe you could do the crash dump analysis yourself when you find something suspicious?
Please watch these presentations; I hope they will be useful for you.
Windows Hang and Crash Dump Analysis (http://download.microsoft.com/download/0/1/3/01381C25-72DA-4AA9-B792-43E02A243C71/SVR422R_Russinovich.ppt)
Enterprise Malware Solutions: Advanced Malware Cleaning (http://download.microsoft.com/download/0/1/3/01381C25-72DA-4AA9-B792-43E02A243C71/SEC314_Russinovich.ppt)
Cheers,
Gmer
SystemJunkie
August 10th, 2007, 07:20 AM
Hi Gmer, thanks for the information, so we can consider the whole thing as false positives related to Gmer in virtual box.
But what about that:
20: 00000000
21: 00000000
22: 00000000
23: 00000000
24: 00000000
25: 00000000
26: 00000000
27: 00000000
28: 00000000
29: 00000000
But one thing Russinovich does not explain is the fact of these <unknown>'s:
http://i19.tinypic.com/4ygz9c2.png
SystemJunkie
December 14th, 2007, 06:49 PM
-{ Quote: "kd> !idt -a" }-
That is interesting. Besides, Gmer, your tool received the no. 1 rank in a German computer magazine; EP's RkU only got rank 3, it was downgraded because of too many BSODs, what an irony.. lool.
1. Gmer 1.0.13
2. AVG
3. RkU 3.37