GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-12 23:01:10
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HDP725050GLA360 rev.GM4OA52A 465,76GB
Running: jbl49o34.exe; Driver: C:\Users\tomek\AppData\Local\Temp\pwtoipow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x97574990]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x975251CE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x97525400]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x97524FC8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x9757755C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSymbolicLinkObject [0x97538E90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x9757698C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x9757651E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x97515640]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x97574AD2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x975745FE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x97538EB0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x97576052]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x9757778C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x9757667E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwPlugPlayControl [0x97538EA0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryIntervalProfile [0x97538EE0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x975771C6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x975252D4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x97576EE2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x975250C8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x97577048]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x97515A5A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x97574936]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x9757625A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x97576D82]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x97515A6C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x975763C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x97576882]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x97577894]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x9757761E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x97576BD8]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!KeSetEvent + 119 88AB2764 4 Bytes [90, 49, 57, 97] {NOP ; DEC ECX; PUSH EDI; XCHG EDI, EAX}
.text ntkrnlpa.exe!KeSetEvent + 13D 88AB2788 4 Bytes [CE, 51, 52, 97] {INTO ; PUSH ECX; PUSH EDX; XCHG EDI, EAX}
.text ntkrnlpa.exe!KeSetEvent + 181 88AB27CC 4 Bytes [00, 54, 52, 97] {ADD [EDX+EDX*2-0x69], DL}
.text ntkrnlpa.exe!KeSetEvent + 1C1 88AB280C 4 Bytes [C8, 4F, 52, 97] {ENTER 0x524f, 0x97}
.text ntkrnlpa.exe!KeSetEvent + 215 88AB2860 4 Bytes [5C, 75, 57, 97] {POP ESP; JNZ 0x5a; XCHG EDI, EAX}
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x96807000, 0x2BFBF0, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[696] ntdll.dll!LdrLoadDll 771F9378 5 Bytes JMP 73501F42 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] ntdll.dll!NtCreateFile 77234264 5 Bytes JMP 560A9440 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] ntdll.dll!NtFlushBuffersFile 77234764 5 Bytes JMP 55D97CC9 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] ntdll.dll!NtQueryFullAttributesFile 77234C94 5 Bytes JMP 55D97F40 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] ntdll.dll!NtReadFile 77234EC4 5 Bytes JMP 55D97D20 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] ntdll.dll!NtReadFileScatter 77234ED4 5 Bytes JMP 56A07D51 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] ntdll.dll!NtWriteFile 772354D4 5 Bytes JMP 560AA3D0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] ntdll.dll!NtWriteFileGather 772354E4 5 Bytes JMP 56A07D00 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] kernel32.dll!HeapSetInformation + 26 75C7A9B8 7 Bytes JMP 560A5E74 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] kernel32.dll!LockResource + C 75C96BD3 7 Bytes JMP 5694923C C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] kernel32.dll!VirtualAllocEx + 54 75C9B030 7 Bytes JMP 5694925F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] USER32.dll!GetWindowInfo 76AE428E 5 Bytes JMP 5684AF4C C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[696] GDI32.dll!SetStretchBltMode + 256 75F6745C 7 Bytes JMP 569491BD C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\CCleaner\CCleaner.exe[2244] USER32.dll!SetScrollRange 76ADD185 5 Bytes JMP 00C7227D C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2244] USER32.dll!GetScrollInfo 76ADF073 5 Bytes JMP 00C72210 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2244] USER32.dll!ShowScrollBar 76ADF8AE 5 Bytes JMP 00C72243 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2244] USER32.dll!SetScrollInfo 76AE71D8 5 Bytes JMP 00C722B4 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2244] USER32.dll!EnableScrollBar 76AFAF53 5 Bytes JMP 00C722E8 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2244] USER32.dll!GetScrollPos 76B0337D 5 Bytes JMP 00C721EB C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2244] USER32.dll!GetScrollRange 76B034A5 5 Bytes JMP 00C721B3 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2244] USER32.dll!SetScrollPos 76B03602 5 Bytes JMP 00C7218E C:\Program Files\CCleaner\CCleaner.exe
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[2592] C:\Windows\system32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[2592] ntdll.dll!NtProtectVirtualMemory 77234BC4 5 Bytes JMP 70C21ED6 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ushata.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[2592] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: wer.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[2592] USER32.dll!SetScrollInfo + 6A8 76AE7880 4 Bytes [0B, 26, C2, 70]
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[2592] USER32.dll!SetScrollInfo + 7A8 76AE7980 4 Bytes [1B, 2F, C2, 70]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[2592] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: MPR.dll unknown module: msiltcfg.dll unknown module: CLBCatQ.DLL unknown module: OLEAUT32.dll unknown module: imagehlp.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[3060] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: wer.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[3060] C:\Windows\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dll unknown module: POWRPROF.dll unknown module: WINSTA.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[3060] USER32.dll!SetScrollInfo + 6A8 76AE7880 4 Bytes [0B, 26, C2, 70]
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[3060] USER32.dll!SetScrollInfo + 7A8 76AE7980 4 Bytes [1B, 2F, C2, 70]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [740C7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74105EFD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [740CBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [740BF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [740C75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [740BE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [741192D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [740CDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [740BFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740BFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740B71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7414CB4F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [740EC840] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [740BD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [740B6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740B687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll
IAT C:\Windows\Explorer.EXE[444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [740C2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys
AttachedDevice \Driver\tdx \Device\Udp kltdi.sys
AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\KLIF\Parameters@LastProcessedRevision 223421895

---- EOF - GMER 2.1 ----