GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-15 23:42:54
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 WDC_WD4000AAKS-00TMA0 rev.12.01C01 372,61GB
Running: l8zk7ld2.exe; Driver: C:\Users\Karol\AppData\Local\Temp\pxldapow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x8EA9C6BA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x8EA4FC02]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcCreatePort [0x8EA4FF4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x8EA50390]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x8EA3828C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x8EA4F8DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x8EA38804]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x8EA386EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0x8EA4FDAE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x8EA9F528]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x8EA38924]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x8EA9E9BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x8EA9EBFC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateUserProcess [0x8EA9E660]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0x8EA4FE7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x8EA9E506]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x8EA382D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x8EA9C7FC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x8EA9C464]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x8EA9F320]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x8EA4E06C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x8EA3889A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x8EA3877A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x8EA9E0AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x8EA9F7D4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x8EA389BA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x8EA9E718]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x8EA38A44]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x8EA4E27A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x8EA9F1D4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x8EA50174]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x8EA50002]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0x8EA500B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x8EA501E4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x8EA9EEFE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x8EA4FA6A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x8EA9F05C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x8EA38AE6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x8EA9C56E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x8EA9E24E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x8EA9EDA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x8EA38AF8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x8EA9E3AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x8EA9E8B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x8EA9F93C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x8EA9F666]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 8388CA15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 838C6212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 838CD46C 4 Bytes [BA, C6, A9, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 838CD494 6 Bytes [02, FC, A4, 8E, 4A, FF]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1106 838CD49B 1 Byte [8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1143 838CD4D8 4 Bytes [90, 03, A5, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 116F 838CD504 4 Bytes [8C, 82, A3, 8E]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90613000, 0x141DE8, 0xE8000020]

---- User code sections - GMER 2.1 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1792] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1792] ntdll.dll!NtProtectVirtualMemory 777A5F58 5 Bytes JMP 713B2066 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1792] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 0.dllunknown module: KERNELBASE.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1792] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: CRYPTSP.dllunknown module: MPR.dllunknown module: msiltcfg.dllunknown module: CLBCatQ.DLLunknown module: OLEAUT32.dllunknown module: imagehlp.dllunknown module: KERNELBASE.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1792] USER32.dll!NotifyWinEvent + 6AE 76E3D66C 4 Bytes [83, 30, 3B, 71]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2876] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2876] ntdll.dll!NtProtectVirtualMemory 777A5F58 5 Bytes JMP 713B2066 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2876] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 0.dllunknown module: KERNELBASE.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2876] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: CRYPTSP.dllunknown module: MPR.dllunknown module: msiltcfg.dllunknown module: CLBCatQ.DLLunknown module: OLEAUT32.dllunknown module: imagehlp.dllunknown module: KERNELBASE.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2876] USER32.dll!NotifyWinEvent + 6AE 76E3D66C 4 Bytes [83, 30, 3B, 71]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744124CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [743F562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [743F56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74412546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [744085AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74404D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74405105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [744051DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74406707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74408301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74408850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [744090B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7440E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\Windows\Explorer.EXE[364] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74404C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

---- Threads - GMER 2.1 ----

Thread System [4:1460] 92F99F2E

---- EOF - GMER 2.1 ----
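Added example (not part of the posted log and not GMER's own code): a small parser for the GMER 2.1 line formats seen above (SSDT, inline JMP hooks, kernel code patches with their disassembly, writeable sections, time/date stamp mismatches, threads) with the checks an analyst runs first on such a log: which driver owns every SSDT hook, whether any SSDT owner is outside an allowlist, whether an inline hook's owning DLL comes from outside the hooked process's own directory, and which kernel patches write a control register. The sample input is constructed from entries in the log above plus one made-up SSDT entry owned by "hypothetical.sys" so the allowlist check has something to report; the allowlist itself (klif.sys, the Kaspersky driver visible in this log) is an analyst assumption, not something GMER supplies.

```python
"""Parse a GMER 2.1 text log into structured hook records and apply a few
analyst checks. Added example, not GMER's code; the allowlist and the
'hypothetical.sys' entry below are assumptions for illustration."""
import re
from collections import defaultdict

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
INLINE_RE = re.compile(r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<sym>\S+!\S+)\s+(?P<addr>[0-9A-Fa-f]+)"
                       r"\s+(?P<n>\d+) Bytes?\s+JMP (?P<target>[0-9A-Fa-f]+)\s*(?P<owner>.*)$")
PATCH_RE = re.compile(r"^\.text\s+(?:(?P<proc>.+?\[\d+\])\s+)?(?P<sym>\S+!\S+ \+ [0-9A-Fa-f]+)\s+"
                      r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+) Bytes?\s+\[(?P<bytes>[^\]]*)\]")
ASM_RE = re.compile(r"\{(?P<asm>[^}]*)\}")  # GMER's optional disassembly in braces
WRITABLE_RE = re.compile(r"^\.text\s+(?P<module>\S+)\s+section is writeable \[(?P<vals>[^\]]*)\]")
MISMATCH_RE = re.compile(r"^\?\s+(?P<proc>.+?\[\d+\])\s+(?P<dll>\S+)\s+time/date stamp mismatch")
THREAD_RE = re.compile(r"^Thread\s+(?P<proc>\S+) \[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<addr>[0-9A-Fa-f]+)")

# Constructed sample: entries copied from the log above, plus one made-up
# SSDT hook owned by "hypothetical.sys" (not in the real log) so the allowlist check has a hit.
SAMPLE_LOG = r"""
---- System - GMER 2.1 ----
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwCreateThread [0x8EA9E9BC]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys  ZwWriteVirtualMemory [0x8EA9F666]
SSDT  \SystemRoot\system32\DRIVERS\hypothetical.sys  ZwQuerySystemInformation [0x8EB10000]
---- Kernel code sections - GMER 2.1 ----
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2   838C6212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x90613000, 0x141DE8, 0xE8000020]
---- User code sections - GMER 2.1 ----
?  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1792] C:\Windows\SYSTEM32\ntdll.dll  time/date stamp mismatch;
.text  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1792] ntdll.dll!NtProtectVirtualMemory  777A5F58 5 Bytes  JMP 713B2066 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1792] USER32.dll!NotifyWinEvent + 6AE 76E3D66C 4 Bytes  [83, 30, 3B, 71]
---- Threads - GMER 2.1 ----
Thread  System [4:1460]  92F99F2E
---- EOF - GMER 2.1 ----
"""


def parse_gmer(text):
    """Return GMER findings keyed by kind; hex fields are converted to ints."""
    found = {k: [] for k in ("ssdt", "inline", "patches", "writable", "mismatch", "threads")}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SSDT_RE.match(line):
            found["ssdt"].append({"module": m["module"], "func": m["func"], "addr": int(m["addr"], 16)})
        elif m := WRITABLE_RE.match(line):
            base, size, flags = (int(v, 16) for v in m["vals"].split(","))
            found["writable"].append({"module": m["module"], "base": base, "size": size, "characteristics": flags})
        elif m := INLINE_RE.match(line):
            found["inline"].append({"proc": m["proc"], "sym": m["sym"], "addr": int(m["addr"], 16),
                                    "size": int(m["n"]), "target": int(m["target"], 16), "owner": m["owner"].strip()})
        elif m := PATCH_RE.match(line):
            asm = ASM_RE.search(line)
            found["patches"].append({"proc": m["proc"] or "", "sym": m["sym"], "addr": int(m["addr"], 16),
                                     "size": int(m["n"]), "bytes": m["bytes"], "asm": asm["asm"] if asm else ""})
        elif m := MISMATCH_RE.match(line):
            found["mismatch"].append({"proc": m["proc"], "dll": m["dll"]})
        elif m := THREAD_RE.match(line):
            found["threads"].append({"proc": m["proc"], "pid": int(m["pid"]), "tid": int(m["tid"]),
                                     "addr": int(m["addr"], 16)})
    return found


def basename(path):
    """Last component of an NT (\\SystemRoot\\...) or DOS (C:\\...) path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def ssdt_hooks_by_owner(found):
    """Group hooked Zw* services by the driver GMER resolved the hook address to."""
    owners = defaultdict(list)
    for h in found["ssdt"]:
        owners[basename(h["module"])].append(h["func"])
    return dict(owners)


def unexpected_ssdt_hooks(found, allowlist):
    """SSDT entries pointing into a driver the analyst has not accounted for."""
    allow = {a.lower() for a in allowlist}
    return [h for h in found["ssdt"] if basename(h["module"]) not in allow]


def foreign_inline_hooks(found):
    """Inline JMP hooks whose owning DLL is not in the hooked process's own directory (heuristic)."""
    return [h for h in found["inline"]
            if not h["owner"] or dirname(h["owner"]) != dirname(h["proc"].rsplit("[", 1)[0])]


def patches_writing_control_regs(found):
    """Code patches whose disassembly writes CR0-CR4 (WP, PGE and SMEP all live there)."""
    return [p for p in found["patches"] if re.search(r"MOV CR[0-4],", p["asm"])]


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    print("SSDT hooks by owner:", ssdt_hooks_by_owner(found))
    print("SSDT owners outside allowlist:", [basename(h["module"]) for h in unexpected_ssdt_hooks(found, ["klif.sys"])])
    print("inline hooks from outside the process dir:", foreign_inline_hooks(found))
    print("patches writing CR0-CR4:", [p["sym"] for p in patches_writing_control_regs(found)])
    print("writeable driver sections:", [basename(w["module"]) for w in found["writable"]])
```

Run against the full log above, the grouping puts all 48 SSDT entries under klif.sys and both avp.exe inline hooks under the product's own ushata.dll; the checks are there to make a second owner, or a JMP into a DLL outside the product directory, stand out instead of being lost in the list. The allowlist is deliberately the analyst's input: the parser does not decide what is legitimate, it only makes the attribution explicit.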