GMER 1.0.15.15125 - http://www.gmer.net Rootkit scan 2009-10-09 14:41:19 Windows 5.1.2600 Service Pack 2 Running: 1y91i0d5.exe; Driver: C:\DOKUME~1\Benedikt\LOKALE~1\Temp\ffgoipow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF389336E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xF3893A86] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xF389460C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xF3894B40] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xF3893D78] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xF3892460] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xF3894A18] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xF3891D0A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xF38948D4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xF3893102] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xF3894C72] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF389640E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xF3893886] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xF3894976] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xF3892A20] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xF3892CF8] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xF389421C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xF3896980] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xF3892E3A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xF3892EE4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xF3894016] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xF3895EA6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xF389243C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xF389244E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xF3893030] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xF3894BE2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xF3893B08] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xF3892604] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xF3894AB0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xF389356E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xF3896438] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xF3894D14] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xF3893492] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xF3892F8E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xF3892BB6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xF38928BC] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xF3896128] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xF3892B34] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xF38920C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xF389509E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xF3894F64] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xF3895C30] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xF3892224] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xF3896860] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xF3891EC4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xF3894312] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xF3893984] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xF38955F2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xF3895FA0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xF38964C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xF3892744] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xF38965A6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xF38966D2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xF3895DD2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xF38936EA] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xF389363C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xF38937C8] Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAE80 5 Bytes JMP F3888424 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) .text ntkrnlpa.exe!IoIsOperationSynchronous 804EF808 5 Bytes JMP F38887DE \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) .text ntkrnlpa.exe!ZwCallbackReturn + 2C54 80503A08 16 Bytes [02, 31, 89, F3, 72, 4C, 89, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2D10 80503AC4 12 Bytes [A6, 5E, 89, F3, 3C, 24, 89, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2E8C 80503C40 13 Bytes [34, 2B, 89, F3, C2, 20, 89, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2E9A 80503C4E 2 Bytes [89, F3] {MOV EBX, ESI} .text ntkrnlpa.exe!ZwCallbackReturn + 2F80 80503D34 12 Bytes [A6, 65, 89, F3, D2, 66, 89, ...] .text ... ---- User code sections - GMER 1.0.15 ---- ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1008] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1008] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; unknown module: rasapi32.dll .text C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1008] USER32.dll!VRipOutput + FFFA4DE7 7E362A78 4 Bytes [70, 11, 32, 6D] ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1988] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1988] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; unknown module: rasapi32.dll .text C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1988] USER32.dll!VRipOutput + FFFA4DE7 7E362A78 4 Bytes [70, 11, 32, 6D] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6DF07B0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F6DF07B0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies) AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies) Device \Driver\Cdrom \Device\CdRom0 86BDAB88 Device \Driver\Cdrom \Device\CdRom1 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies) Device \Driver\Cdrom \Device\CdRom1 86BDAB88 Device \Driver\atapi \Device\Ide\IdePort0 86BDAF00 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86BDAF00 Device \Driver\atapi \Device\Ide\IdePort1 86BDAF00 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 86BDAF00 AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) Device \Driver\st3shark \Device\Scsi\st3shark1 86BD98F8 Device \Driver\st3shark \Device\Scsi\st3shark1Port2Path0Target0Lun0 86BD98F8 AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies) ---- Modules - GMER 1.0.15 ---- Module _________ F741E000-F7436000 (98304 bytes) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OOSAFEERASE02.00.00.01MSWINDOWS 491ED8103322665F7C41C589A5BBA766B80E7DA4CB3E21AEF8423756DEBD79B48EA3EB6B5FF7A09D123C8DCBCEC09970D66DDB8FF038CC88F852BD6197D4746577EB33B6113D0DC7DEA3D1CF0FEAE022039E5212B12B9B49C8593425935FEE100399E5EEEF9BCE16DBB18851D58AB37E4E8EB744692BF0653218F13732D41E33D3E2FD46870F8B322430EC3EF74047FEEDBDA9F154A0B74321E6165F3D01BEC330953921C6EB6FBD78017F382E055990BAC2871A1545DB3AA92F8099DC070AA7040F1A9A815627CCBB98821713212915B0FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D67949DB7CE019D40AA5C8EDD5E5BE2F6E6670B2E47B4D05D23233A4A7CD9E2BEE68D0E0298B2EA188A971ACC162A215A62BEEA0AC76F7D8C175B057FDDE9DECF8F5C3769BA3E81F6AA15B894955BCAB0CC9599917222E1B53F918771611594975CE15A91191B1294050B727E5854F479F8D76FE018F81A20E6822EF9944DC66F647396B51F272676A108BC46447B0F0F79ECD753BD821915CE0E7939396D8EB2B689A1576CA39AAA783CA46EF79AD64ED5E1D18D9E332565A839FB93C6AFD43F543F463BD3369BC2787E45BA4260E29908637073A662D6621FA95F2D673658F9B0586067DC68B0520449D235A8DF9A568 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG08.00.00.01WORKSTATION B388F9922162368C79F3C0DD97991FECB2B3DAD478ECFE17CE9BC2172E2F9EEFEFCDA57B10B7C79A9885601A4A40B5C13D0B4F638450C27E941FE34EE93DED4D46099792F43BAF8A62A6A5FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D67948EDD5E5BE2F6E667A6A0AC4980AC7933B71066E53704796DA267783EF60A47E983CA33073961257388A8CF88C9AB9B3010F83B79FC821C94DE8B2A53B3EB1B9E6BAA32746AAAB4E2B989FC95DDCC65674307810FBB1DCED3753E596D6A540DEAB76317D4D3A7A0578AF63DB54D1E62CAACC8B554083789E35AC1E21696E9C574168BC0AF79E5E10681FD908F472F7BB9CBDB15AB5B09C872A6EA678E1B29F2D556CECF4147C377144ABB367BDEE69F08C3F5A32B101B8C9F17A2C9493C60441CF0E928F98B79E09D33E437878B7FC2FD5E5E289F674CD6800DE632EEA3346E497E307300F60DA5B0AF405C742A865A5886F2AE858551AF1E8DC80FD95F1DA9D43D869FAB22DC4ED0D5A933B8775C61464CA20590742FA476C16D8D1A60E6B3A60F695E070798E974628F8E7E9838D5EC63F2BF251EC24379F48D24F3FBB04D1F79E4A2D403C50908B175852215A3BCE2A4FAB46055389F0C1AF6895CEB6DB90EA71CA709593C416949F3F034577C19358A6601904 ---- EOF - GMER 1.0.15 ----