GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-27 11:14:19
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MJA2160BH_FFS_G1 rev.00810020 149,05GB
Running: r2gn81l2.exe; Driver: C:\DOCUME~1\apple3\USTAWI~1\Temp\kgryipod.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0xB294AA14]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0xB28E63D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0xB28FD560]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0xB28E694A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0xB28E6830]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0xB28FD886]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcess [0xB294C9AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcessEx [0xB294CBCA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0xB294DA8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0xB28E6A6A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0xB294D08E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0xB28FD954]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0xB294C854]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteKey [0xB28F75E6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteValueKey [0xB28F8DCE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0xB28E6416]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0xB294AB56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateKey [0xB28F85DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateValueKey [0xB28F8F6E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0xB294A7BE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey [0xB28F811E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey2 [0xB28F8376]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0xB294D886]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0xB28FBD22]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0xB28E69E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0xB28E68C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0xB294C3FC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0xB294DD3A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0xB28E6B00]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0xB294CDEA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryKey [0xB28F741A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryMultipleValueKey [0xB28F8BDC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0xB28FBF30]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryValueKey [0xB28F89D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0xB294D73A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRenameKey [0xB28F76FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplaceKey [0xB28F7D6C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0xB28FDB94]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0xB28FDA22]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0xB28FDAD8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0xB28FDC04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRestoreKey [0xB28F7F72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0xB294D464]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKey [0xB28F789E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKeyEx [0xB28F7A34]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveMergedKeys [0xB28F7BD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0xB28FD6EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0xB294D5C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0xB28E6B8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0xB294A8C8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetValueKey [0xB28F879A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0xB294C59C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0xB294D30C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0xB28E6B9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0xB294C6FC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0xB294CF8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0xB294DEA2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0xB294DBCC]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2E0C 805046F4 12 Bytes [BE, A7, 94, B2, 1E, 81, 8F, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2E88 80504770 4 Bytes [EA, CD, 94, B2]
.text ntkrnlpa.exe!ZwCallbackReturn + 2F88 80504870 20 Bytes [FA, 76, 8F, B2, 6C, 7D, 8F, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FC0 805048A8 20 Bytes [64, D4, 94, B2, 9E, 78, 8F, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [9C, C5, 94, B2, 0C, D3, 94, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB66A3380, 0x3CC615, 0xE8000020]

---- User code sections - GMER 2.1 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1632] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1632] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 6CA4209E C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1632] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1632] C:\WINDOWS\system32\ole32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1632] USER32.dll!AlignRects 7E362A78 4 Bytes [BB, 30, A4, 6C]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2028] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 6CA4209E C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2028] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2028] C:\WINDOWS\system32\ole32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2028] USER32.dll!AlignRects 7E362A78 4 Bytes [BB, 30, A4, 6C]

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip kltdi.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002608d91702 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002608d91702@0023dff61e0f 0x5B 0xD3 0xA6 0x88 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002608d91702@78ca04ea62a9 0xD4 0x2C 0x98 0x19 ...

---- EOF - GMER 2.1 ----