GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-15 22:39:02
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.13.0 149,05GB
Running: nm1t3mvg.exe; Driver: C:\DOCUME~1\Marii\USTAWI~1\Temp\uxldypod.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0xA4450ADC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0xA4400396]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcess [0xA445279C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcessEx [0xA4452A84]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0xA4453B3A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSymbolicLinkObject [0xA44142C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0xA4453076]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0xA445263C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteKey [0xA43FDCC0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteValueKey [0xA43FF4A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0xA43F048C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0xA4450C1E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateKey [0xA43FECB4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateValueKey [0xA43FF648]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0xA445074A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey [0xA43FE7F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey2 [0xA43FEA50]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0xA44142E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0xA4452178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0xA4453D6A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0xA4452D70]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwPlugPlayControl [0xA44142D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryIntervalProfile [0xA4414310]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryKey [0xA43FDAF4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryMultipleValueKey [0xA43FF2B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryValueKey [0xA43FF0AA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0xA44537A6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRenameKey [0xA43FDDD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplaceKey [0xA43FE446]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0xA440059C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRestoreKey [0xA43FE64C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0xA44534C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKey [0xA43FDF78]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKeyEx [0xA43FE10E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveMergedKeys [0xA43FE2AA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0xA4400496]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0xA4453628]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0xA43F08A6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0xA4450A82]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetValueKey [0xA43FEE74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0xA4452380]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0xA4453364]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0xA43F08B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0xA44524E2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0xA4452F70]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0xA4453E72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0xA4453BFC]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 25A8 80501E04 12 Bytes [4A, 07, 45, A4, F8, E7, 3F, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 275C 80501FB8 20 Bytes [C2, 34, 45, A4, 78, DF, 3F, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2818 80502074 12 Bytes [80, 23, 45, A4, 64, 33, 45, ...]

---- User code sections - GMER 2.1 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[600] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 6B731ED6 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ushata.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[600] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[600] USER32.dll!AlignRects 7E362978 4 Bytes [0B, 26, 73, 6B] {OR ESP, [ESI]; JAE 0x6f}
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[600] USER32.dll!AlignRects 7E362A78 4 Bytes [1B, 2F, 73, 6B] {SBB EBP, [EDI]; JAE 0x6f}
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[600] C:\WINDOWS\system32\ole32.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[1904] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[1904] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dll
unknown module: POWRPROF.dll
unknown module: WINSTA.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[1904] USER32.dll!AlignRects 7E362978 4 Bytes [0B, 26, 73, 6B] {OR ESP, [ESI]; JAE 0x6f}
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[1904] USER32.dll!AlignRects 7E362A78 4 Bytes [1B, 2F, 73, 6B] {SBB EBP, [EDI]; JAE 0x6f}

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip kltdi.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys
AttachedDevice \Driver\Tcpip \Device\Tcp kltdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp kltdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp kltdi.sys

---- EOF - GMER 2.1 ----