GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-28 11:49:39 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-4 Hitachi_HDP725050GLA360 rev.GM4OA5CA 465,76GB Running: 8tgeq15v.exe; Driver: C:\Users\Misiek\AppData\Local\Temp\pwwdrpog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x916B1748] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x91664CA2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcCreatePort [0x91664FEA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x91665430] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x9164D2AE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x9166497C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x9164D826] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x9164D70C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0x91664E4E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x916B46A8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x9164D946] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x916B3B30] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x916B3D7C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateUserProcess [0x916B3776] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0x91664F1C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x916B361C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x9164D2F2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x916B188A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x916B14F2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x916B44A0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x916630DA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x9164D8BC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x9164D79C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x916B315E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x916B4954] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x9164D9DC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x916B382E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x9164DA66] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x916632E8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x916B4354] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x91665214] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x916650A2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0x91665158] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x91665284] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x916B407E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x91664B0A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x916B41DC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x9164DB08] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x916B15FC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x916B3364] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x916B3F26] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x9164DB1A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x916B34C4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x916B3A2C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x916B4ABC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x916B47E6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83056579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8307AF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 220 83082720 4 Bytes [48, 17, 6B, 91] .text ntkrnlpa.exe!RtlSidHashLookup + 248 83082748 8 Bytes [A2, 4C, 66, 91, EA, 4F, 66, ...] {MOV [0xea91664c], AL; DEC EDI; XCHG CX, AX} .text ntkrnlpa.exe!RtlSidHashLookup + 28C 8308278C 4 Bytes [30, 54, 66, 91] {XOR [ESI-0x6f], DL} .text ntkrnlpa.exe!RtlSidHashLookup + 2B8 830827B8 4 Bytes [AE, D2, 64, 91] .text ntkrnlpa.exe!RtlSidHashLookup + 2DC 830827DC 4 Bytes [7C, 49, 66, 91] {JL 0x4b; XCHG CX, AX} .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9AC33000, 0x19C8F6, 0xE8000020] ---- User code sections - GMER 2.1 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1536] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1536] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1536] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: CRYPTSP.dllunknown module: MPR.dllunknown module: msiltcfg.dllunknown module: CLBCatQ.DLLunknown module: OLEAUT32.dllunknown module: imagehlp.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1536] USER32.dll!NotifyWinEvent + 48B 7794F724 4 Bytes [83, 30, CE, 73] ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2712] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2712] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2712] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: CRYPTSP.dllunknown module: MPR.dllunknown module: msiltcfg.dllunknown module: CLBCatQ.DLLunknown module: OLEAUT32.dllunknown module: imagehlp.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[2712] USER32.dll!NotifyWinEvent + 48B 7794F724 4 Bytes [83, 30, CE, 73] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7477250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74772494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74755624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [747556E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74768573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74764D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [747650CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [747651A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [747666D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [747682CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74768819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7476907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7476E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74764C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys AttachedDevice \Driver\tdx \Device\Udp kltdi.sys AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 15396 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 6282 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{03CC66FC-D572-4759-886E-9299D3065EF8} Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{03CC66FC-D572-4759-886E-9299D3065EF8} Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{03CC66FC-D572-4759-886E-9299D3065EF8}@Path \Microsoft\Windows Defender\MP Scheduled Scan Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{03CC66FC-D572-4759-886E-9299D3065EF8}@Triggers 0x15 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{03CC66FC-D572-4759-886E-9299D3065EF8}@DynamicInfo 0x03 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows Defender\MP Scheduled Scan@Id {03CC66FC-D572-4759-886E-9299D3065EF8} ---- EOF - GMER 2.1 ----