GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-09-04 19:58:11 Windows 5.1.2600 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS548060M9AT00 rev.MGBOA56A 55,89GB Running: zpoo0cm2.exe; Driver: C:\DOCUME~1\Krzysiek\LOCALS~1\Temp\kfayrpob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0xEFB32A7E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0xEFACE40C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0xEFAE55F8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0xEFACE984] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0xEFACE86A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0xEFAE591E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcess [0xEFB34A80] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcessEx [0xEFB34C9C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0xEFB35BC2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0xEFACEAA4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSymbolicLinkObject [0xEFAF5AE0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0xEFB351C0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0xEFAE59EC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0xEFB34926] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteKey [0xEFADF674] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeleteValueKey [0xEFAE0E5C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0xEFACE450] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0xEFB32BC0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateKey [0xEFAE0668] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateValueKey [0xEFAE0FFC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0xEFB32828] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey [0xEFAE01AC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadKey2 [0xEFAE0404] SSDT 
\SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0xEFAF5AF0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0xEFAE3DB0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0xEFACEA1A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0xEFACE8FA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0xEFB34466] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0xEFB35E6E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0xEFACEB3A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0xEFB34EBC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryIntervalProfile [0xEFAF5B20] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryKey [0xEFADF4A8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryMultipleValueKey [0xEFAE0C6A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0xEFAE3FBE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryValueKey [0xEFAE0A5E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0xEFB3586E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRenameKey [0xEFADF788] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplaceKey [0xEFADFDFA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0xEFAE5C2C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0xEFAE5ABA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0xEFAE5B70] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0xEFAE5C9C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRestoreKey [0xEFAE0000] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeProcess [0xEFAF5B30] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0xEFB35598] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKey [0xEFADF92C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKeyEx [0xEFADFAC2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveMergedKeys [0xEFADFC5E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0xEFAE5786] SSDT \SystemRoot\system32\DRIVERS\klif.sys 
ZwSetContextThread [0xEFB356F6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0xEFACEBC4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0xEFB32932] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetValueKey [0xEFAE0828] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0xEFB3466E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0xEFB35440] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0xEFACEBD6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0xEFB347CE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0xEFB350BC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0xEFB35FD6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0xEFB35D00] INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys EF4E516D INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys EF4E4FC2 ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!_abnormal_termination + FB 804E2DCC 4 Bytes CALL 8F5C1D7D .text ntoskrnl.exe!_abnormal_termination + 107 804E2DD8 12 Bytes [1E, 59, AE, EF, 80, 4A, B3, ...] {PUSH DS; POP ECX; SCASB ; OUT DX, EAX; OR BYTE [EDX-0x4d], 0xef; PUSHF ; DEC ESP; MOV BL, 0xef} .text ntoskrnl.exe!_abnormal_termination + 117 804E2DE8 16 Bytes [C2, 5B, B3, EF, A4, EA, AC, ...] {RET 0xb35b; OUT DX, EAX; MOVSB ; JMP FAR 0xefaf:0x5ae0efac; RCL BYTE [ECX-0x4d], 0xef} .text ntoskrnl.exe!_abnormal_termination + 1D3 804E2EA4 12 Bytes [28, 28, B3, EF, AC, 01, AE, ...] {SUB [EAX], CH; MOV BL, 0xef; LODSB ; ADD [ESI-0x51fbfb11], EBP; OUT DX, EAX} .text ntoskrnl.exe!_abnormal_termination + 217 804E2EE8 4 Bytes [1A, EA, AC, EF] {SBB CH, DL; LODSB ; OUT DX, EAX} .text ... 
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xEEF7B400, 0x82482, 0xE8000020] .protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlock" section [0xEF01B420] .protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xEF01B200, 0x5105, 0xE0000020] ---- User code sections - GMER 2.1 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[520] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[520] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 6CA4209E C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[520] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[520] C:\WINDOWS\system32\ole32.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[520] USER32.dll!VRipOutput 77D42A78 4 Bytes [BB, 30, A4, 6C] ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1300] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1300] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 6CA4209E C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1300] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; ? 
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1300] C:\WINDOWS\system32\ole32.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1300] USER32.dll!VRipOutput 77D42A78 4 Bytes [BB, 30, A4, 6C] ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip kltdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp kltdi.sys AttachedDevice \Driver\Tcpip \Device\Udp kltdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp kltdi.sys Device mrxsmb.sys Device Fastfat.SYS AttachedDevice fltMgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000 ---- EOF - GMER 2.1 ----