GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-06-20 15:12:38 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950056 rev.SD24 465,76GB Running: cffn59ef.exe; Driver: C:\Users\Misa\AppData\Local\Temp\kftciaog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800037f1000 65 bytes [00, 00, 04, 02, 53, 63, 4C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594 fffff800037f1042 2 bytes [01, 00] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076721465 2 bytes [72, 76] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767214bb 2 bytes [72, 76] .text ... * 2 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000774dfaa8 5 bytes JMP 00000001716d18dd .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774e0038 5 bytes JMP 00000001716d1ed6 .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076721465 2 bytes [72, 76] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767214bb 2 bytes [72, 76] .text ... * 2 .text C:\Windows\AsScrPro.exe[5036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076721465 2 bytes [72, 76] .text C:\Windows\AsScrPro.exe[5036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767214bb 2 bytes [72, 76] .text ... * 2 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6136] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074e413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6136] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074e4146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6136] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074e416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6136] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074e416e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6136] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074e419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6136] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074e419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6136] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074e41a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6136] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074e41a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6136] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074e41a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6136] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074e41a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe[2596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074e413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe[2596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074e4146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe[2596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074e416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe[2596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074e416e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe[2596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074e419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe[2596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074e419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe[2596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074e41a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe[2596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074e41a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe[2596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074e41a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe[2596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074e41a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\emule\emule.exe[960] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074e413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\emule\emule.exe[960] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074e4146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Misa\Desktop\emule\emule.exe[960] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074e416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\emule\emule.exe[960] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074e416e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\emule\emule.exe[960] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074e419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\emule\emule.exe[960] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074e419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\emule\emule.exe[960] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074e41a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\emule\emule.exe[960] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074e41a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\emule\emule.exe[960] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074e41a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\emule\emule.exe[960] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074e41a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000772e11f5 8 bytes {JMP 0xd} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 00000000772e1390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000772e143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 00000000772e158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000772e191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 00000000772e1b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 00000000772e1bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000772e1d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 00000000772e1eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000772e1edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 00000000772e1f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 00000000772e1fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 00000000772e1fd7 8 bytes {JMP 0xb} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 00000000772e2272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 00000000772e2301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 00000000772e2792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000772e27b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000772e27d2 8 bytes {JMP 0x10} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 00000000772e282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 00000000772e2890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 00000000772e2d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 00000000772e2d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 00000000772e3023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 00000000772e323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000772e33c0 16 bytes {JMP 0x4e} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 00000000772e3a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 00000000772e3ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 00000000772e3b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 00000000772e3d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 00000000772e4190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077331380 8 bytes {JMP QWORD [RIP-0x4d4cf]} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077331500 8 bytes {JMP QWORD [RIP-0x4d498]} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077331530 8 bytes {JMP QWORD [RIP-0x4d9b1]} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077331650 8 bytes {JMP QWORD [RIP-0x4d7a7]} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077331700 8 bytes {JMP QWORD [RIP-0x4d9e3]} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077331d30 8 bytes {JMP QWORD [RIP-0x4dba6]} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077331f80 8 bytes {JMP QWORD [RIP-0x4de55]} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773327e0 8 bytes {JMP QWORD [RIP-0x4e770]} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074e413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074e4146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074e416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074e416e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074e419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074e419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074e41a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074e41a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074e41a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misa\Desktop\programy fix\cffn59ef.exe[6108] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074e41a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004d11fb0] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\KLIF\Parameters@LastProcessedRevision 179247480 ---- EOF - GMER 2.1 ----