GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-07 11:45:12 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AAKS-00V6A0 rev.05.01D05 465,76GB Running: topbidjr.exe; Driver: C:\Users\USER\AppData\Local\Temp\aftcaaob.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x91416144] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x91416916] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x91416D3E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateFile [0x9141AC92] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateNamedPipeFile [0x9141600A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSymbolicLinkObject [0x91417DEC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x914166BA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x9141781E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x91416B10] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x9141837C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwFsControlFile [0x914169C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x914178B0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenFile [0x9141AAD6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x91416374] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x91417E16] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x91416276] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x91417B44] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplaceKey [0x914154DA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x914176A4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRestoreKey [0x9141563C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x914181F0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKey [0x914152DC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x91416C00] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x914167BA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSecurityObject [0x914179AA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x91417E40] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x91417F24] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x91418044] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x9141774A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x9141650E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x91416464] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x914165EE] ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRenameKey + 1549 82C47F05 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C82292 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82C8969C 4 Bytes [44, 61, 41, 91] {INC ESP; POPA ; INC ECX; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 116F 82C89734 4 Bytes [16, 69, 41, 91] .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82C89758 4 Bytes [3E, 6D, 41, 91] {INS DWORD [ES:EDI], DX; INC ECX; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 11AF 82C89774 4 Bytes [92, AC, 41, 91] {XCHG EDX, EAX; LODSB ; INC ECX; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 11D3 82C89798 4 Bytes [0A, 60, 41, 91] {OR AH, [EAX+0x41]; XCHG ECX, EAX} .text ... ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] ntdll.dll!NtCreateFile 76E35190 5 Bytes JMP 5F766BEF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] ntdll.dll!NtFlushBuffersFile 76E35520 5 Bytes JMP 5F76692F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] ntdll.dll!NtQueryFullAttributesFile 76E35BB0 5 Bytes JMP 5F766A64 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] ntdll.dll!NtReadFile 76E35E80 5 Bytes JMP 5F766969 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] ntdll.dll!NtReadFileScatter 76E35E90 5 Bytes JMP 5FB0AE9E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] ntdll.dll!NtWriteFile 76E36630 5 Bytes JMP 5F766D93 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] ntdll.dll!NtWriteFileGather 76E36640 5 Bytes JMP 5FB0AEEE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76FA95DE 7 Bytes JMP 5FAF459E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] kernel32.dll!QueryPerformanceCounter + 13 76FAC5E5 7 Bytes JMP 5FAF4F20 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] kernel32.dll!LoadAppInitDlls + 355 76FAF6A6 7 Bytes JMP 5F86C979 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] USER32.dll!GetWindowInfo 76C64B2E 5 Bytes JMP 605F41F7 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1520] GDI32.dll!GetViewportOrgEx + 26C 753E876B 7 Bytes JMP 5FAF3EDB C:\Program Files\Mozilla Firefox\xul.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[1644] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: webio.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[1644] USER32.dll!NotifyWinEvent + 6AE 76C6D63C 4 Bytes [50, 12, 4A, 6D] {PUSH EAX; ADC CL, [EDX+0x6d]} ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[3060] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: webio.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[3060] USER32.dll!NotifyWinEvent + 6AE 76C6D63C 4 Bytes [50, 12, 4A, 6D] {PUSH EAX; ADC CL, [EDX+0x6d]} ---- Devices - GMER 2.2 ---- AttachedDevice \Driver\tdx \Device\Tcp kl1.sys AttachedDevice \Driver\tdx \Device\Udp kl1.sys AttachedDevice \Driver\tdx \Device\RawIp kl1.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize 916 ---- EOF - GMER 2.2 ----