GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-27 09:02:54 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BPVT-80HXZT3 rev.01.01A01 465,76GB Running: rdbfj5kv.exe; Driver: C:\Users\MG\AppData\Local\Temp\uglciaoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x89BCF6BA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x89B82C02] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcCreatePort [0x89B82F4A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x89B83390] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x89B6B28C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x89B828DC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x89B6B804] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x89B6B6EA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0x89B82DAE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x89BD2528] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x89B6B924] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSymbolicLinkObject [0x89B92EF0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x89BD19BC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x89BD1BFC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateUserProcess [0x89BD1660] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0x89B82E7C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x89BD1506] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x89B6B2D0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x89BCF7FC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x89BCF464] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x89B92F10] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x89B8106C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x89B6B89A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x89B6B77A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x89BD10AE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x89BD27D4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x89B6B9BA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x89BD1718] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwPlugPlayControl [0x89B92F00] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x89B6BA44] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x89B8127A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x89BD21D4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x89B83174] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x89B83002] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0x89B830B8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x89B831E4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x89BD1EFE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x89B82A6A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x89BD205C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x89B6BAE6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x89BCF56E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x89BD124E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x89BD1DA6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x89B6BAF8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x89BD13AE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x89BD18B8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x89BD293C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x89BD2666] Code 94A08BFC ZwTraceEvent Code 94A08BFB NtTraceEvent ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E4DA09 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E871F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82E8E22C 4 Bytes [BA, F6, BC, 89] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82E8E254 8 Bytes [02, 2C, B8, 89, 4A, 2F, B8, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82E8E298 4 Bytes [90, 33, B8, 89] .text ntkrnlpa.exe!KeRemoveQueueEx + 116F 82E8E2C4 4 Bytes [8C, B2, B6, 89] .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82E8E2E8 4 Bytes [DC, 28, B8, 89] .text ... .text ntkrnlpa.exe!NtTraceEvent 82ED7AD2 5 Bytes JMP 94A08C00 PAGE ntkrnlpa.exe!NtRequestPort + 2 8309179D 5 Bytes JMP 94A08CA0 .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91438000, 0x3AB5D5, 0xE8000020] ---- User code sections - GMER 2.1 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2356] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2356] ntdll.dll!NtProtectVirtualMemory 770D5F18 5 Bytes JMP 6E771A54 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2356] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 0.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2356] user32.dll!NotifyWinEvent + 6AE 763DD66C 4 Bytes [53, 2A, 77, 6E] {PUSH EBX; SUB DH, [EDI+0x6e]} ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2964] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2964] ntdll.dll!NtProtectVirtualMemory 770D5F18 5 Bytes JMP 6E771A54 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2964] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 0.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2964] user32.dll!NotifyWinEvent + 6AE 763DD66C 4 Bytes [53, 2A, 77, 6E] {PUSH EBX; SUB DH, [EDI+0x6e]} .text C:\Program Files\Mozilla Firefox\firefox.exe[4468] ntdll.dll!LdrGetProcedureAddress + 26 770F2239 7 Bytes JMP 5E639CF0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4468] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76E3941E 7 Bytes JMP 5EBE5408 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4468] kernel32.dll!QueryPerformanceCounter + 13 76E3C435 7 Bytes JMP 5EBE542B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4468] kernel32.dll!LoadAppInitDlls + 355 76E3F4F6 7 Bytes JMP 5E64369E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4468] GDI32.dll!GetViewportOrgEx + 26C 76AF884B 7 Bytes JMP 5EBE5389 C:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys AttachedDevice \Driver\tdx \Device\Udp kltdi.sys AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG15.00.00.01PROFESSIONAL AC5386C271C452D05DFEEED0D0796B5D56CA9B72D662FB10C64FDCF47C03BC7BB42747DB5F77E649BF356C4C8BA52BBF713818C5D237BFAE92AEA8A73064F717A58C6B8DBE94F1AFD93C92F44347CE3324FA3A383D517E825572745195EB97144EB76FFB4B0D44B63A88A91442983F1DDFE1B2D614D959447F67FA637ACD94A04113B89A44C4512033BD5F42D9CD0AF557F09700D76F9643458D59FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA9C6AECB7A5D1407FEBC9E127BECC74CBA7FD869164D6794FEBC9E127BECC74C2408F19E87B04101ED6EF5F4E8D0B81C05A813C2E6A83D8232CACB4E395E5EFD2D6B2C20EB75A5BC14B8FAC67BEB396036A4D439C66A5424AA9579B9CF01078CB7B18858C976CF2B11B0EFF57D2979F1D7C53FE276765893F997C38A0743C577D7C0F22A9202FABBBB6B2A1DB65433C72676B638333C1FEF632CB73230552D26F10646A04CA618BC41087281800251BA3424925349EDB23C7BB05C43ADA982E5C2EF55E710B9496520A609864903F50AE3BF1D739C00CF602E89A9777A774265D873E3510BD1E6CFAC6A9EB714747359EF4016FAA6AEE8A7B61C09A9A0BA98BC9506AAD07ECCFB780FFD59C276B0D3AC649D2FF0EF76A241A953DCD94131EAE0B0A55700BECAC8BFC10DD3789ADAD470215790809 ---- EOF - GMER 2.1 ----