GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-21 08:03:59
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543225L9A300 rev.FBEOC4CC 232,89GB
Running: l5bkv21f.exe; Driver: C:\Users\A\AppData\Local\Temp\pxldrpog.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x9B878208]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x9B82BFB8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcCreatePort [0x9B82C300]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x9B82C746]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x9B81491E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x9B82BC92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x9B814E96]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x9B814D7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0x9B82C164]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x9B87B072]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x9B814FB6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x9B87A50A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0x9B82C232]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x9B87A054]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x9B814962]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x9B87834A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x9B877FB2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x9B87AE6C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x9B82A422]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x9B814F2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x9B814E0C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x9B879BFC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x9B87B31E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x9B81504C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x9B87A266]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x9B8150D6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x9B82A630]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x9B87AD20]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x9B82C52A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x9B82C3B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0x9B82C46E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x9B82C59A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x9B87AA4C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x9B82BE20]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x9B87ABA8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x9B815178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x9B8780BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x9B879D9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x9B87A8F4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x9B81518A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x9B879EFC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x9B87A406]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x9B87B486]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x9B87B1B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x9B87A74A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateUserProcess [0x9B87A1AE]

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!KeInsertQueue + 309 82873810 4 Bytes [08, 82, 87, 9B]
.text ntoskrnl.exe!KeInsertQueue + 32D 82873834 8 Bytes [B8, BF, 82, 9B, 00, C3, 82, ...]
.text ntoskrnl.exe!KeInsertQueue + 371 82873878 4 Bytes [46, C7, 82, 9B]
.text ntoskrnl.exe!KeInsertQueue + 399 828738A0 4 Bytes [1E, 49, 81, 9B]
.text ntoskrnl.exe!KeInsertQueue + 3B1 828738B8 4 Bytes [92, BC, 82, 9B]
.text ...

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73F87817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73FC5EFD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73F8BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73F7F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73F875E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73F7E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73FD92D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73F8DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73F7FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73F7FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73F771CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7400CB4D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73FAC840] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73F7D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73F76853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73F7687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73F82AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys
AttachedDevice \Driver\tdx \Device\Udp kltdi.sys
AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.1 ----

File C:\Users\A\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\3J6DPDLH\www.robertgawlinski.com.\swf 0 bytes
File C:\Users\A\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\3J6DPDLH\www.robertgawlinski.com.\swf\flowplayer-3.1.5.swf 0 bytes
File C:\Users\A\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\3J6DPDLH\www.robertgawlinski.com.\swf\flowplayer-3.1.5.swf\org.flowplayer.sol 60 bytes
File C:\Users\A\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.robertgawlinski.com.\settings.sol 94 bytes

---- EOF - GMER 2.1 ----