GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-18 04:13:26 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0 232,89GB Running: efdwl3qk.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\pwtoipow.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x905AE730] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x90561CA2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcCreatePort [0x90561FEA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x90562430] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x9054A2AE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x9056197C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x9054A826] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x9054A70C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0x90561E4E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x905B1690] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x9054A946] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x905B0B18] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0x90561F1C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x905B0604] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x9054A2F2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x905AE872] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x905AE4DA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x905B1488] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x905600DA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x9054A8BC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x9054A79C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x905B0146] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x905B193C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x9054A9DC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x905B0816] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x9054AA66] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x905602E8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x905B133C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x90562214] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x905620A2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0x90562158] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x90562284] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x905B1066] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x90561B0A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x905B11C4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x9054AB08] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x905AE5E4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x905B034C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x905B0F0E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x9054AB1A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x905B04AC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x905B0A14] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x905B1AA4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x905B17CE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x905B0D64] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateUserProcess [0x905B075E] ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!KeSetEvent + 119 826C189C 4 Bytes [30, E7, 5A, 90] {XOR BH, AH; POP EDX; NOP } .text ntkrnlpa.exe!KeSetEvent + 13D 826C18C0 8 Bytes [A2, 1C, 56, 90, EA, 1F, 56, ...] {MOV [0xea90561c], AL; POP DS; PUSH ESI; NOP } .text ntkrnlpa.exe!KeSetEvent + 181 826C1904 4 Bytes [30, 24, 56, 90] {XOR [ESI+EDX*2], AH; NOP } .text ntkrnlpa.exe!KeSetEvent + 1A9 826C192C 4 Bytes [AE, A2, 54, 90] .text ntkrnlpa.exe!KeSetEvent + 1C1 826C1944 4 Bytes [7C, 19, 56, 90] {JL 0x1b; PUSH ESI; NOP } .text ... .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8B955000, 0x4036D, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8B99E000, 0x510, 0x40000040] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F404000, 0x1E73A0, 0xE8000020] ---- Devices - GMER 2.2 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys AttachedDevice \Driver\tdx \Device\Udp kltdi.sys AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0x0E 0x12 0x4D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x62 0x62 0x50 0x97 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x89 0x00 0x11 0x4B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x09 0x3B 0x27 0x6C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0x37 0x8E 0x3A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0x0E 0x12 0x4D ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x62 0x62 0x50 0x97 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x89 0x00 0x11 0x4B ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x09 0x3B 0x27 0x6C ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0x37 0x8E 0x3A ... ---- EOF - GMER 2.2 ----