GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-04 14:51:27 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-4 Hitachi_HDP725050GLA360 rev.GM4OA5CA 465,76GB Running: hcdbohfy.exe; Driver: C:\Users\Misiek\AppData\Local\Temp\pwwdrpog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x944A2748] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x94455CA2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcCreatePort [0x94455FEA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x94456430] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x9443E2AE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x9445597C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x9443E826] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x9443E70C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0x94455E4E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x944A56A8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x9443E946] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x944A4B30] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x944A4D7C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateUserProcess [0x944A4776] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0x94455F1C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x944A461C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x9443E2F2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x944A288A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x944A24F2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x944A54A0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x944540DA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x9443E8BC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x9443E79C] SSDT 
\SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x944A415E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x944A5954] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x9443E9DC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x944A482E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x9443EA66] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x944542E8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x944A5354] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x94456214] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x944560A2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0x94456158] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x94456284] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x944A507E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x94455B0A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x944A51DC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x9443EB08] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x944A25FC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x944A4364] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x944A4F26] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x9443EB1A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x944A44C4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x944A4A2C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x944A5ABC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x944A57E6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8305A579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8307EF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] 
{LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 220 83086720 4 Bytes [48, 27, 4A, 94] {DEC EAX; DAA ; DEC EDX; XCHG ESP, EAX} .text ntkrnlpa.exe!RtlSidHashLookup + 248 83086748 8 Bytes [A2, 5C, 45, 94, EA, 5F, 45, ...] {MOV [0xea94455c], AL; POP EDI; INC EBP; XCHG ESP, EAX} .text ntkrnlpa.exe!RtlSidHashLookup + 28C 8308678C 4 Bytes [30, 64, 45, 94] {XOR [EBP+EAX*2-0x6c], AH} .text ntkrnlpa.exe!RtlSidHashLookup + 2B8 830867B8 4 Bytes [AE, E2, 43, 94] {SCASB ; LOOP 0x46; XCHG ESP, EAX} .text ntkrnlpa.exe!RtlSidHashLookup + 2DC 830867DC 4 Bytes [7C, 59, 45, 94] {JL 0x5b; INC EBP; XCHG ESP, EAX} .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9AC3A000, 0x17E53A, 0xE8000020] ---- User code sections - GMER 2.1 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1916] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1916] ntdll.dll!NtProtectVirtualMemory 77B35360 5 Bytes JMP 71592066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1916] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1916] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: CRYPTSP.dll; unknown module: MPR.dll; unknown module: msiltcfg.dll; unknown module: CLBCatQ.DLL; unknown module: OLEAUT32.dll; unknown module: imagehlp.dll; unknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1916] USER32.dll!NotifyWinEvent + 48B 75F5F724 4 Bytes [83, 30, 59, 71] ? 
C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2928] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2928] ntdll.dll!NtProtectVirtualMemory 77B35360 5 Bytes JMP 71592066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2928] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2928] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: CRYPTSP.dll; unknown module: MPR.dll; unknown module: msiltcfg.dll; unknown module: CLBCatQ.DLL; unknown module: OLEAUT32.dll; unknown module: imagehlp.dll; unknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2928] USER32.dll!NotifyWinEvent + 48B 75F5F724 4 Bytes [83, 30, 59, 71] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7485250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74852494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74835624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [748356E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74848573] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74844D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [748450CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [748451A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [748466D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [748482CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74848819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7484907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7484E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[1656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74844C59] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys AttachedDevice \Driver\tdx \Device\Udp kltdi.sys AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys ---- EOF - GMER 2.1 ----