GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-11 08:12:45 Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SP1614N rev.TM100-31 149,05GB Running: vzllo6dq.exe; Driver: E:\DOCUME~1\Krystian\USTAWI~1\Temp\pxtdrpow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0xF3122356] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0xF30BE86A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0xF30D55F8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0xF30BEDE2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0xF30BECC8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0xF30D591E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcess [0xF31242D0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcessEx [0xF31244EC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0xF31253AC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0xF30BEF02] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0xF31249B0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0xF30D59EC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0xF3124176] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteKey [0xF30CF6A0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteValueKey [0xF30D0E88] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0xF30BE8AE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0xF3122498] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateKey [0xF30D0694] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateValueKey [0xF30D1028] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0xF3122100] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey [0xF30D01D8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey2 [0xF30D0430] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0xF31251A6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0xF30D3DE4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0xF30BEE78] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0xF30BED58] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0xF3123D1E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0xF3125658] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0xF30BEF98] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0xF312470C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryKey [0xF30CF4D4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryMultipleValueKey [0xF30D0C96] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0xF30D3FF0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryValueKey [0xF30D0A8A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0xF312505A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRenameKey [0xF30CF7B4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplaceKey [0xF30CFE26] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0xF30D5C2C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0xF30D5ABA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0xF30D5B70] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0xF30D5C9C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRestoreKey [0xF30D002C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0xF3124D86] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKey [0xF30CF958] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKeyEx [0xF30CFAEE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveMergedKeys [0xF30CFC8A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0xF30D5786] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0xF3124EE2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0xF30BF022] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0xF312220A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetValueKey [0xF30D0854] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0xF3123EBE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0xF3124C2E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0xF30BF034] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0xF312401E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0xF31248AC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0xF31257C0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0xF31254EA] SSDT \WINDOWS\system32\ntoskrnl.exe ZwCreateKey [0x804D70D9] SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D70D9] ZwCreateKey [0x804D70D9] SSDT \WINDOWS\system32\ntoskrnl.exe ZwOpenKey [0x804D70DE] SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D70DE] ZwOpenKey [0x804D70DE] INT 0x03 \WINDOWS\system32\ntoskrnl.exe[unknown section] 804D70E3 INT 0x06 \??\E:\WINDOWS\system32\drivers\Haspnt.sys F266316D INT 0x0E \??\E:\WINDOWS\system32\drivers\Haspnt.sys F2662FC2 ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!_abnormal_termination + B0 804E271C 4 Bytes [6A, E8, 0B, F3] {PUSH -0x18; OR ESI, EBX} .text ntoskrnl.exe!_abnormal_termination + F0 804E275C 3 Bytes [D9, 70, 4D] {FNSTENV [EAX+0x4d]} .text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [1E, 59, 0D, F3, D0, 42, 12, ...] {PUSH DS; POP ECX; OR EAX, 0x1242d0f3; IN AL, DX; INC ESP; ADC DH, BL} .text ntoskrnl.exe!_abnormal_termination + 1D0 804E283C 12 Bytes [00, 21, 12, F3, D8, 01, 0D, ...] .text ntoskrnl.exe!_abnormal_termination + 228 804E2894 3 Bytes [DE, 70, 4D] {FIDIV WORD [EAX+0x4d]} .text ... .text E:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xF1C6F000, 0x49C57, 0xE0000020] .init E:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xF1CC6224] .init E:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xF1CC6000, 0x4000, 0xE20000E0] .text E:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xF1BDE400, 0x6EED8, 0xE8000020] .protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF1C69020] E:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF1C69020] .protect˙˙˙˙hardlockunknown last code section [0xF1C68E00, 0x50BA, 0xE0000020] E:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xF1C68E00, 0x50BA, 0xE0000020] ---- User code sections - GMER 2.1 ---- ? E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[220] E:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; .text E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 6CD01A54 E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\ushata.dll ? E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[220] E:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; .text E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[220] USER32.dll!VRipOutput 7E362A78 4 Bytes [53, 2A, D0, 6C] {PUSH EBX; SUB DL, AL; INS BYTE [ES:EDI], DX} .text E:\Program Files\Mozilla Firefox\firefox.exe[924] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 01579CF0 E:\Program Files\Mozilla Firefox\xul.dll .text E:\Program Files\Mozilla Firefox\firefox.exe[924] kernel32.dll!lstrlenW + 43 7C809A5C 7 Bytes JMP 01B2542B E:\Program Files\Mozilla Firefox\xul.dll .text E:\Program Files\Mozilla Firefox\firefox.exe[924] kernel32.dll!MapViewOfFileEx + 6A 7C80B910 7 Bytes JMP 01B25408 E:\Program Files\Mozilla Firefox\xul.dll .text E:\Program Files\Mozilla Firefox\firefox.exe[924] kernel32.dll!ValidateLocale + AFA8 7C8447E8 7 Bytes JMP 0158369E E:\Program Files\Mozilla Firefox\xul.dll .text E:\Program Files\Mozilla Firefox\firefox.exe[924] USER32.dll!GetWindowInfo 7E36E77C 5 Bytes JMP 01A4B719 E:\Program Files\Mozilla Firefox\xul.dll .text E:\Program Files\Mozilla Firefox\firefox.exe[924] GDI32.dll!SetDIBitsToDevice + 20D 77F19A9C 7 Bytes JMP 01B25389 E:\Program Files\Mozilla Firefox\xul.dll ? E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1580] E:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; .text E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1580] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 6CD01A54 E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\ushata.dll ? E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1580] E:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; .text E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1580] USER32.dll!VRipOutput 7E362A78 4 Bytes [53, 2A, D0, 6C] {PUSH EBX; SUB DL, AL; INS BYTE [ES:EDI], DX} .text E:\Program Files\Mozilla Firefox\plugin-container.exe[3112] USER32.dll!DefWindowProcA + 11A 7E36D608 7 Bytes JMP 1093EA03 E:\Program Files\Mozilla Firefox\xul.dll .text E:\Program Files\Mozilla Firefox\plugin-container.exe[3112] USER32.dll!SetWindowLongA + 19 7E36D626 7 Bytes JMP 1093E992 E:\Program Files\Mozilla Firefox\xul.dll .text E:\Program Files\Mozilla Firefox\plugin-container.exe[3112] USER32.dll!GetWindowInfo 7E36E77C 5 Bytes JMP 10775238 E:\Program Files\Mozilla Firefox\xul.dll .text E:\Program Files\Mozilla Firefox\plugin-container.exe[3112] USER32.dll!GetMenuContextHelpId + 1A 7E3B50E9 7 Bytes JMP 10775811 E:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip kltdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp kltdi.sys AttachedDevice \Driver\Tcpip \Device\Udp kltdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp kltdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys ---- EOF - GMER 2.1 ----