GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-14 16:36:39
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600BEVS-07RST0 rev.04.01G04 149,05GB
Running: k5i1blti.exe; Driver: C:\DOCUME~1\zuo\LOCALS~1\Temp\pxtdrpow.sys

---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwAdjustPrivilegesToken [0xB7B4E9E4]
SSDT  \??\c:\documents and settings\zuo\local settings\temp\8165A6901B3.sys  ZwAllocateVirtualMemory [0xA552124A]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwClose [0xB7AEA410]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwConnectPort [0xB7B01588]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwCreateEvent [0xB7AEA988]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwCreateMutant [0xB7AEA86E]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwCreatePort [0xB7B018AE]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwCreateProcess [0xB7B5095E]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwCreateProcessEx [0xB7B50B7A]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwCreateSection [0xB7B51A3E]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwCreateSemaphore [0xB7AEAAA8]
SSDT  \??\c:\documents and settings\zuo\local settings\temp\8165A6901B3.sys  ZwCreateThread [0xA5523304]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwCreateWaitablePort [0xB7B0197C]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwDebugActiveProcess [0xB7B50804]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwDeleteKey [0xB7AFB60E]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwDeleteValueKey [0xB7AFCDF6]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwDeviceIoControlFile [0xB7AEA454]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwDuplicateObject [0xB7B4EB26]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwEnumerateKey [0xB7AFC602]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwEnumerateValueKey [0xB7AFCF96]
SSDT  \??\c:\documents and settings\zuo\local settings\temp\8165A6901B3.sys  ZwFreeVirtualMemory [0xA55215C8]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwLoadDriver [0xB7B4E78E]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwLoadKey [0xB7AFC146]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwLoadKey2 [0xB7AFC39E]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwMapViewOfSection [0xB7B51836]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwNotifyChangeKey [0xB7AFFD4A]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwOpenEvent [0xB7AEAA1E]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwOpenMutant [0xB7AEA8FE]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwOpenProcess [0xB7B503AC]
SSDT  \??\c:\documents and settings\zuo\local settings\temp\8165A6901B3.sys  ZwOpenSection [0xA5520F6E]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwOpenSemaphore [0xB7AEAB3E]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwOpenThread [0xB7B50D9A]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwQueryKey [0xB7AFB442]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwQueryMultipleValueKey [0xB7AFCC04]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwQueryObject [0xB7AFFF58]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwQueryValueKey [0xB7AFC9F8]
SSDT  \??\c:\documents and settings\zuo\local settings\temp\8165A6901B3.sys  ZwQueueApcThread [0xA5523496]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwRenameKey [0xB7AFB722]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwReplaceKey [0xB7AFBD94]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwReplyPort [0xB7B01BBC]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwReplyWaitReceivePort [0xB7B01A4A]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwReplyWaitReceivePortEx [0xB7B01B00]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwRequestWaitReplyPort [0xB7B01C2C]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwRestoreKey [0xB7AFBF9A]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwResumeThread [0xB7B51414]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwSaveKey [0xB7AFB8C6]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwSaveKeyEx [0xB7AFBA5C]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwSaveMergedKeys [0xB7AFBBF8]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwSecureConnectPort [0xB7B01716]
SSDT  \??\c:\documents and settings\zuo\local settings\temp\8165A6901B3.sys  ZwSetContextThread [0xA5523536]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwSetInformationToken [0xB7AEABC8]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwSetSystemInformation [0xB7B4E898]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwSetValueKey [0xB7AFC7C2]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwSuspendProcess [0xB7B5054C]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwSuspendThread [0xB7B512BC]
SSDT  \??\c:\documents and settings\zuo\local settings\temp\8165A6901B3.sys  ZwSystemDebugControl [0xA5520E24]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwTerminateProcess [0xB7B506AC]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwTerminateThread [0xB7B50F3A]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwUnmapViewOfSection [0xB7B51E52]
SSDT  \??\c:\documents and settings\zuo\local settings\temp\8165A6901B3.sys  ZwWriteVirtualMemory [0xA552170C]

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 2CB4  8050459C 4 Bytes  JMP CC5CFD55
.text  ntkrnlpa.exe!ZwCallbackReturn + 2D40  80504628 12 Bytes  [AE, 18, B0, B7, 5E, 09, B5, ...]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2E0C  805046F4 12 Bytes  [8E, E7, B4, B7, 46, C1, AF, ...] {MOV FS, EDI; MOV AH, 0xb7; INC ESI; SHR DWORD [EDI-0x503c6149], 0xb7}
.text  ntkrnlpa.exe!ZwCallbackReturn + 2F88  80504870 20 Bytes  [22, B7, AF, B7, 94, BD, AF, ...]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2FC0  805048A8 20 Bytes  [14, 14, B5, B7, C6, B8, AF, ...]
.text  ...
?  c:\documents and settings\zuo\local settings\temp\8165A6901B3.sys  The system cannot find the file specified. !
?  c:\documents and settings\zuo\local settings\temp\824C5892037.sys  The system cannot find the file specified. !

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[164] USER32.dll!DefWindowProcA + 11A  7E42C298 7 Bytes  JMP 1099D8D4 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[164] USER32.dll!SetWindowLongA + 19  7E42C2B6 7 Bytes  JMP 1099D863 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[164] USER32.dll!GetWindowInfo  7E42C49C 5 Bytes  JMP 107F2A67 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[164] USER32.dll!GetMenuContextHelpId + 1A  7E465319 7 Bytes  JMP 107F306A C:\Program Files\Mozilla Firefox\xul.dll
?  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[384] C:\WINDOWS\system32\ntdll.dll  time/date stamp mismatch;
.text  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[384] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 6CA42066 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll
?  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[384] C:\WINDOWS\system32\kernel32.dll  time/date stamp mismatch;
?  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[384] C:\WINDOWS\system32\ole32.dll  time/date stamp mismatch;
.text  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[384] USER32.dll!AlignRects  7E412A78 4 Bytes  [83, 30, A4, 6C] {XOR DWORD [EAX], -0x5c; INS BYTE [ES:EDI], DX}
?  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1116] C:\WINDOWS\system32\ntdll.dll  time/date stamp mismatch;
.text  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1116] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 6CA42066 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll
?  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1116] C:\WINDOWS\system32\kernel32.dll  time/date stamp mismatch;
?  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1116] C:\WINDOWS\system32\ole32.dll  time/date stamp mismatch;
.text  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1116] USER32.dll!AlignRects  7E412A78 4 Bytes  [83, 30, A4, 6C] {XOR DWORD [EAX], -0x5c; INS BYTE [ES:EDI], DX}
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3972] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 0171EEB0 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3972] kernel32.dll!lstrlenW + 43  7C809AEC 7 Bytes  JMP 01D2979B C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3972] kernel32.dll!MapViewOfFileEx + 6A  7C80B9A0 7 Bytes  JMP 01D29778 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3972] kernel32.dll!ValidateLocale + B1C8  7C8449C8 7 Bytes  JMP 01724CE9 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3972] GDI32.dll!SetDIBitsToDevice + 20A  77F19E14 7 Bytes  JMP 01D296F9 C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.1 ----

Device  890FB090
Device  891F9A28
Device  Ntfs.sys
Device  8A302320
Device  89D55808
Device  89E7A830
Device  89AB6150
Device  89B437C8
Device  Fastfat.SYS
Device  89223BE0
AttachedDevice  \Driver\Tcpip \Device\Ip  kltdi.sys
AttachedDevice  \Driver\Tcpip \Device\Ip  8165A6901B3.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp  kltdi.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp  8165A6901B3.sys
Device  \FileSystem\519CCF3E9CA1A2A4 \Device\519CCF3E9CA1A2A4  8165A6901B3.sys
AttachedDevice  \Driver\Tcpip \Device\Udp  kltdi.sys
AttachedDevice  \Driver\Tcpip \Device\Udp  8165A6901B3.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  kltdi.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  8165A6901B3.sys
Device  mrxsmb.sys
Device  Cdfs.SYS

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\ControlSet001\Control\Session Manager@PendingFileRenameOperations
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations

---- EOF - GMER 2.1 ----