GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-14 21:06:33 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 SAMSUNG_HM100JI rev.YH100-19 93,16GB Running: 3yjnyeix.exe; Driver: C:\Users\Trojanus\AppData\Local\Temp\pgldipoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x8E291700] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x8E244C1A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcCreatePort [0x8E244F62] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x8E2453A8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x8E22D29C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x8E2448F4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x8E22D814] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x8E22D6FA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0x8E244DC6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x8E294590] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x8E22D934] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x8E293A24] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x8E293C64] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateUserProcess [0x8E2936C8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0x8E244E94] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x8E29356E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x8E22D2E0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x8E291842] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x8E2914AA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x8E294388] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x8E24305C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x8E22D8AA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x8E22D78A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x8E293116] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x8E29483C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x8E22D9CA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x8E293780] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x8E22DA54] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x8E24326A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x8E29423C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x8E24518C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x8E24501A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0x8E2450D0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x8E2451FC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x8E293F66] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x8E244A82] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x8E2940C4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x8E22DAF6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x8E2915B4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x8E2932B6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x8E293E0E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x8E22DB08] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x8E293416] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x8E293920] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x8E2949A4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x8E2946CE] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwSaveKey + 13D1 82A91349 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ACAD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82AD1D8C 4 Bytes [00, 17, 29, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82AD1DB4 8 Bytes [1A, 4C, 24, 8E, 62, 4F, 24, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82AD1DF8 4 Bytes [A8, 53, 24, 8E] {TEST AL, 0x53; AND AL, 0x8e} .text ntkrnlpa.exe!KeRemoveQueueEx + 116F 82AD1E24 4 Bytes [9C, D2, 22, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82AD1E48 4 Bytes [F4, 48, 24, 8E] {HLT ; DEC EAX; AND AL, 0x8e} .text ... ---- User code sections - GMER 2.1 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1884] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1884] ntdll.dll!NtProtectVirtualMemory 772F5F18 5 Bytes JMP 70D42066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1884] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1884] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: CRYPTSP.dllunknown module: MPR.dllunknown module: msiltcfg.dllunknown module: CLBCatQ.DLLunknown module: OLEAUT32.dllunknown module: imagehlp.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1884] USER32.dll!NotifyWinEvent + 6AE 7593D66C 4 Bytes [83, 30, D4, 70] .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] ntdll.dll!NtCreateFile 772F55C8 5 Bytes JMP 602CB983 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] ntdll.dll!NtFlushBuffersFile 772F5958 5 Bytes JMP 602CB6C3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] ntdll.dll!NtQueryFullAttributesFile 772F5FE8 5 Bytes JMP 602CB7F8 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] ntdll.dll!NtReadFile 772F62B8 5 Bytes JMP 602CB6FD C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] ntdll.dll!NtReadFileScatter 772F62C8 5 Bytes JMP 60652E91 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] ntdll.dll!NtWriteFile 772F6A68 5 Bytes JMP 602CBB27 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] ntdll.dll!NtWriteFileGather 772F6A78 5 Bytes JMP 60652EE1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75D293D6 7 Bytes JMP 6063B5A5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] kernel32.dll!QueryPerformanceCounter + 13 75D2C435 3 Bytes JMP 6063BFAC C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] kernel32.dll!QueryPerformanceCounter + 17 75D2C439 3 Bytes JMP 8B55F9EB .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] kernel32.dll!LoadAppInitDlls + 355 75D2F4F6 7 Bytes JMP 6039AFF1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] USER32.dll!GetWindowInfo 75934B5E 5 Bytes JMP 6111AE81 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2108] GDI32.dll!GetViewportOrgEx + 26C 7748884B 7 Bytes JMP 6063AF5D C:\Program Files\Mozilla Firefox\xul.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2468] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2468] ntdll.dll!NtProtectVirtualMemory 772F5F18 5 Bytes JMP 70D42066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2468] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2468] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: CRYPTSP.dllunknown module: MPR.dllunknown module: msiltcfg.dllunknown module: CLBCatQ.DLLunknown module: OLEAUT32.dllunknown module: imagehlp.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2468] USER32.dll!NotifyWinEvent + 6AE 7593D66C 4 Bytes [83, 30, D4, 70] ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys Device \Driver\BTHUSB \Device\00000081 bthport.sys Device \Driver\BTHUSB \Device\00000083 bthport.sys AttachedDevice \Driver\tdx \Device\Udp kltdi.sys AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00037aa94cec Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00037aa94cec (not active ControlSet) ---- EOF - GMER 2.1 ----