GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-08 07:50:33 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 KINGSTON rev.541A 111,79GB Running: c681ohyi.exe; Driver: C:\DOCUME~1\ja\USTAWI~1\Temp\pwtoaaog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0xA2C4DA96] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0xA2BE940C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0xA2C005F8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0xA2BE9984] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0xA2BE986A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0xA2C0091E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcess [0xA2C4FA98] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcessEx [0xA2C4FCB4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0xA2C50BDA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0xA2BE9AA4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0xA2C501D8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0xA2C009EC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0xA2C4F93E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteKey [0xA2BFA674] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteValueKey [0xA2BFBE5C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0xA2BE9450] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0xA2C4DBD8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateKey [0xA2BFB668] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateValueKey [0xA2BFBFFC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0xA2C4D840] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey [0xA2BFB1AC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey2 [0xA2BFB404] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0xA2C509D2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0xA2BFEDB0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0xA2BE9A1A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0xA2BE98FA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0xA2C4F47E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0xA2C50E86] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0xA2BE9B3A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0xA2C4FED4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryKey [0xA2BFA4A8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryMultipleValueKey [0xA2BFBC6A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0xA2BFEFBE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryValueKey [0xA2BFBA5E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0xA2C50886] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRenameKey [0xA2BFA788] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplaceKey [0xA2BFADFA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0xA2C00C2C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0xA2C00ABA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0xA2C00B70] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0xA2C00C9C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRestoreKey [0xA2BFB000] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0xA2C505B0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKey [0xA2BFA92C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKeyEx [0xA2BFAAC2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveMergedKeys [0xA2BFAC5E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0xA2C00786] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0xA2C5070E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0xA2BE9BC4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0xA2C4D94A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetValueKey [0xA2BFB828] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0xA2C4F686] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0xA2C50458] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0xA2BE9BD6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0xA2C4F7E6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0xA2C500D4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0xA2C50FEE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0xA2C50D18] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D40 80504628 12 Bytes [1E, 09, C0, A2, 98, FA, C4, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2E0C 805046F4 12 Bytes [40, D8, C4, A2, AC, B1, BF, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2F88 80504870 20 Bytes [88, A7, BF, A2, FA, AD, BF, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2FC0 805048A8 20 Bytes [B0, 05, C5, A2, 2C, A9, BF, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [86, F6, C4, A2, 58, 04, C5, ...] ---- User code sections - GMER 2.1 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1884] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1884] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 6CBA2066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1884] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1884] C:\WINDOWS\system32\ole32.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1884] USER32.dll!AlignRects 7E362A78 4 Bytes [83, 30, BA, 6C] {XOR DWORD [EAX], -0x46; INS BYTE [ES:EDI], DX} .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01869AE0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 0184C434 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 0184C150 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 0184C330 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 0226F60F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0186A9F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 0226F5BE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10001F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 02194AC3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 2 Bytes JMP 02194AA0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] kernel32.dll!MapViewOfFileEx + 6D 7C80B9A3 4 Bytes [98, 85, EB, F9] {CWDE ; TEST EBX, EBP; STC } .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 018663D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 02194A21 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2940] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 0208B991 C:\Program Files\Mozilla Firefox\xul.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[3976] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[3976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 6CBA2066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[3976] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; ? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[3976] C:\WINDOWS\system32\ole32.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[3976] USER32.dll!AlignRects 7E362A78 4 Bytes [83, 30, BA, 6C] {XOR DWORD [EAX], -0x46; INS BYTE [ES:EDI], DX} ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip kltdi.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys AttachedDevice \Driver\Tcpip \Device\Tcp kltdi.sys AttachedDevice \Driver\Tcpip \Device\Udp kltdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp kltdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x61 0x99 0xEF 0x62 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x32 0x19 0x08 0xBA ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x39 0x88 0x8B 0x68 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----