GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-12 09:59:42
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500JS-00NCB1 rev.10.02E02 232,89GB
Running: 3bd2mhty.exe; Driver: C:\Users\Ania\AppData\Local\Temp\kxldrpow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x9109090A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x91040CF0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x91040F22]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x91040AEA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x910934D6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSymbolicLinkObject [0x91054960]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x91092906]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x91092B52]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x91092498]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x91031590]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x91090A4C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x91090578]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x91054980]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x91091FCC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x91093706]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x910925F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwPlugPlayControl [0x91054970]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x91093140]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x91040DF6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x91092E5C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x91040BEA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x91092FC2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x910319AA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x910908B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x910921D4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x91092CFC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x910319BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x9109233A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x910927FC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x9109380E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x91093598]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82A8EA15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AC8212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82ACF46C 4 Bytes [0A, 09, 09, 91]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82ACF494 4 Bytes [F0, 0C, 04, 91] {OR AL, 0x4; XCHG ECX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82ACF4D8 4 Bytes [22, 0F, 04, 91] {AND CL, [EDI]; ADD AL, 0x91}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82ACF528 4 Bytes JMP C091040A
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 82ACF58C 4 Bytes [D6, 34, 09, 91] {SALC ; XOR AL, 0x9; XCHG ECX, EAX}
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92829000, 0x2F786C, 0xE8000020]

---- User code sections - GMER 2.1 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1572] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1572] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1572] USER32.dll!NotifyWinEvent + 5B2 76A7D570 4 Bytes [96, 25, B5, 72]
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1572] USER32.dll!NotifyWinEvent + 6AE 76A7D66C 4 Bytes [A6, 2E, B5, 72] {CMPSB ; MOV CH, 0x72}
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1572] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: CRYPTSP.dll unknown module: MPR.dll unknown module: msiltcfg.dll unknown module: CLBCatQ.DLL unknown module: OLEAUT32.dll unknown module: imagehlp.dll unknown module: KERNELBASE.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2460] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2460] C:\Windows\system32\USER32.dll time/date stamp mismatch; unknown module: CFGMGR32.dll unknown module: MSIMG32.dll unknown module: POWRPROF.dll unknown module: WINSTA.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2460] USER32.dll!NotifyWinEvent + 5B2 76A7D570 4 Bytes [96, 25, B5, 72]
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2460] USER32.dll!NotifyWinEvent + 6AE 76A7D66C 4 Bytes [A6, 2E, B5, 72] {CMPSB ; MOV CH, 0x72}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5844] ntdll.dll!LdrGetProcedureAddress + 26 776C22A9 7 Bytes JMP 58ECB780 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5844] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 775C941E 7 Bytes JMP 59706EDA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5844] kernel32.dll!QueryPerformanceCounter + 13 775CC425 7 Bytes JMP 59706EFD C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5844] kernel32.dll!LoadAppInitDlls + 355 775CF4E6 3 Bytes JMP 58ED0836 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5844] kernel32.dll!LoadAppInitDlls + 359 775CF4EA 3 Bytes [E1, EB, F9] {LOOPZ 0xffffffed; STC }
.text C:\Program Files\Mozilla Firefox\firefox.exe[5844] GDI32.dll!GetViewportOrgEx + 26C 75A5884B 7 Bytes JMP 59706E5B C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys
AttachedDevice \Driver\tdx \Device\Udp kltdi.sys
AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys

---- Threads - GMER 2.1 ----

Thread System [4:4456] A2744F2E

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\KLIF\Parameters@LastProcessedRevision 89112867
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers@AliveServerCount 3
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\95A3AC43-878E-43EC-9235-A9E1C9C4DB61@Alive 1

---- Files - GMER 2.1 ----

File C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDCF6.tmp 0 bytes
File C:\Windows\assembly\NativeImages_v2.0.50727_32\index959.dat 0 bytes
File C:\Windows\assembly\NativeImages_v2.0.50727_32\index95a.dat 0 bytes

---- EOF - GMER 2.1 ----