GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-09 13:54:59
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3120022A rev.3.06 111.79GB
Running: e1t1t79o[1].exe; Driver: C:\DOCUME~1\Betty\USTAWI~1\Temp\kwdyqpow.sys


---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwAdjustPrivilegesToken [0xB3F4E090]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwConnectPort [0xB3F4E040]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwCreateProcess [0xB3F4E020]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwCreateProcessEx [0xB3F4E030]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwCreateSection [0xB3F4E000]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwCreateSymbolicLinkObject [0xB3F4E180]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwCreateThread [0xB3F4E0E0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwDebugActiveProcess [0xB3F4E120]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwDeleteKey [0xB3F4E270]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwDeleteValueKey [0xB3F4E290]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwDeviceIoControlFile [0xB3F4E2E0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwDuplicateObject [0xB3F4E150]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwEnumerateKey [0xB3F4E2A0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwEnumerateValueKey [0xB3F4E2B0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwLoadDriver [0xB3F4E130]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwLoadKey [0xB3F4E230]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwLoadKey2 [0xB3F4E240]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwMapViewOfSection [0xB3F4E160]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwOpenProcess [0xB3F4E070]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwOpenSection [0xB3F4E060]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwOpenThread [0xB3F4E080]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwPlugPlayControl [0xB3F4E190]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwProtectVirtualMemory [0xB3F4E0A0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwQueryIntervalProfile [0xB3F4E580]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwQueryKey [0xB3F4E2C0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwQueryMultipleValueKey [0xB3F4E280]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwQueryValueKey [0xB3F4E260]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwQueueApcThread [0xB3F4E100]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwRenameKey [0xB3F4E2D0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwReplaceKey [0xB3F4E220]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwRequestWaitReplyPort [0xB3F4E1D0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwRestoreKey [0xB3F4E210]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwResumeProcess [0xB3F4E5A0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwResumeThread [0xB3F4E1A0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwSaveKey [0xB3F4E1E0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwSaveKeyEx [0xB3F4E1F0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwSaveMergedKeys [0xB3F4E200]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwSecureConnectPort [0xB3F4E050]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwSetContextThread [0xB3F4E0F0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwSetInformationToken [0xB3F4E010]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwSetSystemInformation [0xB3F4E140]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwSetValueKey [0xB3F4E250]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwSuspendProcess [0xB3F4E1C0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwSuspendThread [0xB3F4E1B0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwSystemDebugControl [0xB3F4E110]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwTerminateProcess [0xB3F4E0B0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwTerminateThread [0xB3F4E0C0]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwUnmapViewOfSection [0xB3F4E170]
SSDT  \SystemRoot\system32\DRIVERS\klhk.sys  ZwWriteVirtualMemory [0xB3F4E0D0]

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 2E0C  805046F4 12 Bytes  [30, E1, F4, B3, 30, E2, F4, ...]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2FB8  805048A0 28 Bytes  [10, E2, F4, B3, A0, E5, F4, ...]
.text  ntkrnlpa.exe!ZwCallbackReturn + 307C  80504964 12 Bytes  [C0, E1, F4, B3, B0, E1, F4, ...]
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB6A5F3C0, 0x84E2FA, 0xE8000020]
init   C:\WINDOWS\system32\drivers\monfilt.sys  entry point in "init" section [0xB40CE280]

---- User code sections - GMER 2.1 ----

?      C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avp.exe[512]  C:\WINDOWS\system32\ntdll.dll  time/date stamp mismatch;
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avp.exe[512]  ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 6A972DF0 C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\ushata.dll
?      C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avp.exe[512]  C:\WINDOWS\system32\kernel32.dll  time/date stamp mismatch;
?      C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avp.exe[512]  C:\WINDOWS\system32\ADVAPI32.dll  time/date stamp mismatch; unknown module: WINTRUST.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avp.exe[512]  USER32.dll!AlignRects  7E362978 4 Bytes  [80, 40, 97, 6A] {ADD BYTE [EAX-0x69], 0x6a}
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avp.exe[512]  USER32.dll!AlignRects  7E362A78 4 Bytes  [30, 40, 97, 6A]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!SetWindowsHookExW  7E37820F 5 Bytes  JMP 406A9B99 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!CallNextHookEx  7E37B3C6 5 Bytes  JMP 4069D1CD C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!CreateWindowExW  7E37D0A3 5 Bytes  JMP 406ADC24 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!UnhookWindowsHookEx  7E37D5F3 5 Bytes  JMP 406146FC C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!DialogBoxIndirectParamW  7E382072 5 Bytes  JMP 407A7997 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!MessageBoxIndirectA  7E38A082 5 Bytes  JMP 407A78C9 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!DialogBoxParamA  7E38B144 5 Bytes  JMP 407A7934 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!MessageBoxExW  7E3A0838 5 Bytes  JMP 407A779A C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!MessageBoxExA  7E3A085C 5 Bytes  JMP 407A77FC C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!DialogBoxIndirectParamA  7E3A6D7D 5 Bytes  JMP 407A79FA C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  USER32.dll!MessageBoxIndirectW  7E3B64D5 5 Bytes  JMP 407A785E C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  ole32.dll!CoCreateInstance  774EF1D4 5 Bytes  JMP 406ADC80 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[636]  ole32.dll!OleLoadFromStream  7751988B 5 Bytes  JMP 407A7CFF C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!SetWindowsHookExW  7E37820F 5 Bytes  JMP 406A9B99 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!CallNextHookEx  7E37B3C6 5 Bytes  JMP 4069D1CD C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!CreateWindowExW  7E37D0A3 5 Bytes  JMP 406ADC24 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!UnhookWindowsHookEx  7E37D5F3 5 Bytes  JMP 406146FC C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!DialogBoxIndirectParamW  7E382072 5 Bytes  JMP 407A7997 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!MessageBoxIndirectA  7E38A082 5 Bytes  JMP 407A78C9 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!DialogBoxParamA  7E38B144 5 Bytes  JMP 407A7934 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!MessageBoxExW  7E3A0838 5 Bytes  JMP 407A779A C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!MessageBoxExA  7E3A085C 5 Bytes  JMP 407A77FC C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!DialogBoxIndirectParamA  7E3A6D7D 5 Bytes  JMP 407A79FA C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  USER32.dll!MessageBoxIndirectW  7E3B64D5 5 Bytes  JMP 407A785E C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  ole32.dll!CoCreateInstance  774EF1D4 5 Bytes  JMP 406ADC80 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[880]  ole32.dll!OleLoadFromStream  7751988B 5 Bytes  JMP 407A7CFF C:\WINDOWS\system32\IEFRAME.dll
?      C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe[2568]  C:\WINDOWS\system32\kernel32.dll  time/date stamp mismatch;
?      C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe[2568]  C:\WINDOWS\system32\user32.dll  time/date stamp mismatch; unknown module: MSIMG32.dll unknown module: POWRPROF.dll unknown module: WINSTA.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe[2568]  user32.dll!AlignRects  7E362978 4 Bytes  [80, 40, 97, 6A] {ADD BYTE [EAX-0x69], 0x6a}
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe[2568]  user32.dll!AlignRects  7E362A78 4 Bytes  [30, 40, 97, 6A]
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe[2568]  user32.dll!MoveWindow + A3  7E37B341 4 Bytes  JMP 6A974E50 C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\ushata.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe[2568]  user32.dll!UnhookWinEvent + 25  7E3818D1 4 Bytes  JMP 6A974DD0 C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\ushata.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe[2568]  user32.dll!SetMenu + 1B  7E39F411 2 Bytes  JMP 6A974950 C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\ushata.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe[2568]  user32.dll!SetMenu + 1E  7E39F414 1 Byte  [5D]
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe[2568]  user32.dll!GetRawInputDeviceInfoW + 10  7E3A6568 4 Bytes  JMP 6A9749E0 C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\ushata.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe[2568]  user32.dll!GetRawInputDeviceInfoW + 68  7E3A65C0 4 Bytes  JMP 6A974C20 C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\ushata.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe[2568]  user32.dll!GetRawInputDeviceInfoA + C1  7E3BAFCE 4 Bytes  JMP 6A974B90 C:\Program Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\ushata.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[4060]  USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[4060]  USER32.dll!CreateWindowExW  7E37D0A3 5 Bytes  JMP 406ADC24 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[4060]  USER32.dll!DialogBoxIndirectParamW  7E382072 5 Bytes  JMP 407A7997 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[4060]  USER32.dll!MessageBoxIndirectA  7E38A082 5 Bytes  JMP 407A78C9 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[4060]  USER32.dll!DialogBoxParamA  7E38B144 5 Bytes  JMP 407A7934 C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[4060]  USER32.dll!MessageBoxExW  7E3A0838 5 Bytes  JMP 407A779A C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[4060]  USER32.dll!MessageBoxExA  7E3A085C 5 Bytes  JMP 407A77FC C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[4060]  USER32.dll!DialogBoxIndirectParamA  7E3A6D7D 5 Bytes  JMP 407A79FA C:\WINDOWS\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[4060]  USER32.dll!MessageBoxIndirectW  7E3B64D5 5 Bytes  JMP 407A785E C:\WINDOWS\system32\IEFRAME.dll

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip  kltdi.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp  kltdi.sys
AttachedDevice  \Driver\Tcpip \Device\Udp  kltdi.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  kltdi.sys
AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys

---- EOF - GMER 2.1 ----