GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-31 13:57:06 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 SAMSUNG_HM250HI rev.2AC101C4 232,88GB Running: okhxwdxw.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys .text ... ---- System - GMER 2.1 ---- Code 8C030BFB NtTraceEvent Code 8C030BFC ZwTraceEvent ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\RawIp kl1.sys AttachedDevice \Driver\tdx \Device\Tcp kl1.sys AttachedDevice \Driver\tdx \Device\Udp kl1.sys SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x8EE71392] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x8EE8C24A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcCreatePort [0x8EE8C580] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x8EE8C8F6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x8EE71E0C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x8EE8BF32] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x8EE7237E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x8EE7226C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0x8EE8C3F0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x8EE7114E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x8EE72496] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x8EE719C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x8EE71B32] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateUserProcess [0x8EE725AE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0x8EE8C4B8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x8EE72856] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x8EE71E4E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x8EE73858] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x8EE72948] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x8EE72EB4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x8EE8A722] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x8EE72410] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x8EE722F8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x8EE715CC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x8EE72C98] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x8EE72528] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x8EE714C0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x8EE72664] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x8EE8A91A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQuerySection [0x8EE731DA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x8EE72AE8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x8EE8C6E4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x8EE8C632] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x8EE8C750] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x8EE736FA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x8EE8C0BA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x8EE71CAC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x8EE72702] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x8EE7332A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x8EE7341E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x8EE73558] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x8EE72778] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x8EE7176C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x8EE716C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x8EE73092] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x8EE71858] ---- User code sections - GMER 2.1 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1964] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 0.dllunknown module: KERNELBASE.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1964] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1964] ntdll.dll!NtProtectVirtualMemory 77575F18 5 Bytes JMP 6AC91765 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1964] USER32.dll!NotifyWinEvent + 6AE 7709D66C 4 Bytes [E0, 13, 54, 67] ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[2528] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 0.dllunknown module: KERNELBASE.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[2528] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[2528] ntdll.dll!NtProtectVirtualMemory 77575F18 5 Bytes JMP 6AC91765 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[2528] USER32.dll!NotifyWinEvent + 6AE 7709D66C 4 Bytes [E0, 13, 54, 67] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [742024CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [741F4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [741F6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [741F8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [741F85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [741F4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [741FE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74202546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [741F51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [741F5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [741E56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [741E562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [741F8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [741F90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8FA3E000, 0x2D5378, 0xE8000020] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@001df680cce1 0x65 0xCE 0x0C 0x4F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@0023f10330e3 0x69 0xA7 0xC6 0x8F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@44f459d8fe79 0x3C 0xB8 0xB0 0xE0 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@58170c92cec2 0xAD 0x4B 0x11 0xBF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@5cb524c4261d 0x94 0xE2 0xA4 0xEF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@b0d09c0dc960 0x6F 0x9C 0x08 0x7E ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@b8d9ce5a6987 0x4A 0x95 0xD0 0xEB ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@001df680cce1 0x65 0xCE 0x0C 0x4F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@0023f10330e3 0x69 0xA7 0xC6 0x8F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@44f459d8fe79 0x3C 0xB8 0xB0 0xE0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@58170c92cec2 0xAD 0x4B 0x11 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@5cb524c4261d 0x94 0xE2 0xA4 0xEF ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@b0d09c0dc960 0x6F 0x9C 0x08 0x7E ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@b8d9ce5a6987 0x4A 0x95 0xD0 0xEB ... ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82CCC22C 4 Bytes [92, 13, E7, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82CCC254 8 Bytes [4A, C2, E8, 8E, 80, C5, E8, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82CCC298 4 Bytes [F6, C8, E8, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 116F 82CCC2C4 4 Bytes [0C, 1E, E7, 8E] {OR AL, 0x1e; OUT 0x8e, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82CCC2E8 4 Bytes [32, BF, E8, 8E] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CC51F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!NtTraceEvent 82D15AD2 5 Bytes JMP 8C030C00 .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82C8BA09 1 Byte [06] ? System32\Drivers\SCDEmu.SYS System nie może odnaleźć określonej ścieżki. ! ---- EOF - GMER 2.1 ----