GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-06-01 16:06:09 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Hitachi_HTS541612J9SA00 rev.SBDOC70P 111,79GB Running: qszgjhqt.exe; Driver: C:\DOCUME~1\1\USTAWI~1\Temp\uwtdypod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0xB332DADC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0xB32DD396] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcess [0xB332F79C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcessEx [0xB332FA84] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0xB3330B3A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSymbolicLinkObject [0xB32F12C0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0xB3330076] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0xB332F63C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteKey [0xB32DACC0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteValueKey [0xB32DC4A8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0xB32CD48C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0xB332DC1E] SSDT \??\C:\WINDOWS\system32\drivers\avgtpx86.sys ZwEnumerateKey [0xBA219342] SSDT \??\C:\WINDOWS\system32\drivers\avgtpx86.sys ZwEnumerateValueKey [0xBA2193F2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0xB332D74A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey [0xB32DB7F8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey2 [0xB32DBA50] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0xB32F12E0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0xB332F178] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0xB3330D6A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0xB332FD70] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwPlugPlayControl [0xB32F12D0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryIntervalProfile [0xB32F1310] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryKey [0xB32DAAF4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryMultipleValueKey [0xB32DC2B6] SSDT \??\C:\WINDOWS\system32\drivers\avgtpx86.sys ZwQueryValueKey [0xBA21922A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0xB33307A6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRenameKey [0xB32DADD4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplaceKey [0xB32DB446] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0xB32DD59C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRestoreKey [0xB32DB64C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0xB33304C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKey [0xB32DAF78] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKeyEx [0xB32DB10E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveMergedKeys [0xB32DB2AA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0xB32DD496] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0xB3330628] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0xB32CD8A6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0xB332DA82] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetValueKey [0xB32DBE74] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0xB332F380] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0xB3330364] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0xB32CD8B8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0xB332F4E2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0xB332FF70] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0xB3330E72] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0xB3330BFC] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 25A8 80501E04 12 Bytes [4A, D7, 32, B3, F8, B7, 2D, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 275C 80501FB8 20 Bytes [C2, 04, 33, B3, 78, AF, 2D, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2818 80502074 12 Bytes [80, F3, 32, B3, 64, 03, 33, ...] {XOR BL, 0x32; MOV BL, 0x64; ADD ESI, [EBX]; MOV BL, 0xb8; FSUBR DWORD [EBX+ESI*4]} ---- User code sections - GMER 2.1 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1404] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 6B731ED6 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1404] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1404] USER32.dll!AlignRects 7E362978 4 Bytes [0B, 26, 73, 6B] {OR ESP, [ESI]; JAE 0x6f} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1404] USER32.dll!AlignRects 7E362A78 4 Bytes [1B, 2F, 73, 6B] {SBB EBP, [EDI]; JAE 0x6f} ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1404] C:\WINDOWS\system32\ole32.dll time/date stamp mismatch; .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\Explorer.EXE[1980] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\Explorer.EXE[1980] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1980] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\Explorer.EXE[1980] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\Explorer.EXE[1980] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[1980] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[1980] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\Explorer.EXE[1980] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\Explorer.EXE[1980] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1980] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\Explorer.EXE[1980] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\Explorer.EXE[1980] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\Explorer.EXE[1980] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\Explorer.EXE[1980] WS2_32.dll!WSALookupServiceBeginW 023E35EF 6 Bytes JMP 7169000A .text C:\WINDOWS\Explorer.EXE[1980] WS2_32.dll!connect 023E4A07 6 Bytes JMP 7172000A .text C:\WINDOWS\Explorer.EXE[1980] WS2_32.dll!listen 023E8CD3 6 Bytes JMP 716F000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 71] ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [6E, 71] ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] USER32.dll!AlignRects 7E362978 4 Bytes [0B, 26, 73, 6B] {OR ESP, [ESI]; JAE 0x6f} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] USER32.dll!AlignRects 7E362A78 4 Bytes [1B, 2F, 73, 6B] {SBB EBP, [EDI]; JAE 0x6f} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 718D000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 7193000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 7190000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] USER32.dll!SendInput + 4 7E37F144 2 Bytes [98, 71] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 7196000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 719F000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 719C000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7187000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7184000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] WS2_32.dll!WSALookupServiceBeginW 71A535EF 6 Bytes JMP 71A2000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] WS2_32.dll!connect 71A54A07 6 Bytes JMP 71AB000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe[2364] WS2_32.dll!listen 71A58CD3 6 Bytes JMP 71A8000A .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3440] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\system32\ctfmon.exe[3440] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\system32\ctfmon.exe[3440] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3440] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\ctfmon.exe[3440] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\ctfmon.exe[3440] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ctfmon.exe[3440] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ctfmon.exe[3440] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\ctfmon.exe[3440] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\ctfmon.exe[3440] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3440] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\system32\ctfmon.exe[3440] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\system32\ctfmon.exe[3440] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\system32\ctfmon.exe[3440] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\klwtblfs.exe[3832] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text G:\qszgjhqt.exe[4016] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text G:\qszgjhqt.exe[4016] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text G:\qszgjhqt.exe[4016] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text G:\qszgjhqt.exe[4016] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text G:\qszgjhqt.exe[4016] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [7D, 71] {JGE 0x73} .text G:\qszgjhqt.exe[4016] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text G:\qszgjhqt.exe[4016] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text G:\qszgjhqt.exe[4016] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text G:\qszgjhqt.exe[4016] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text G:\qszgjhqt.exe[4016] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text G:\qszgjhqt.exe[4016] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text G:\qszgjhqt.exe[4016] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text G:\qszgjhqt.exe[4016] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text G:\qszgjhqt.exe[4016] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text G:\qszgjhqt.exe[4016] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A ---- Devices - GMER 2.1 ---- Device Ntfs.sys Device Fastfat.SYS AttachedDevice \Driver\Tcpip \Device\Ip kltdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp kltdi.sys AttachedDevice \Driver\Tcpip \Device\Udp kltdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp kltdi.sys Device mrxsmb.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\KLIF\Parameters@LastProcessedRevision 16006374 ---- EOF - GMER 2.1 ----