GMER 1.0.15.15125 - http://www.gmer.net Rootkit scan 2009-10-12 14:32:03 Windows 5.1.2600 Service Pack 2 Running: 1y91i0d5.exe; Driver: C:\DOKUME~1\Benedikt\LOKALE~1\Temp\ffgoipow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF294A36E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xF294AA86] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xF294B60C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xF294BB40] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xF294AD78] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xF2949460] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xF294BA18] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xF2948D0A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xF294B8D4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xF294A102] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xF294BC72] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF294D40E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xF294A886] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xF294B976] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xF2949A20] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xF2949CF8] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xF294B21C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xF294D980] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xF2949E3A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xF2949EE4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xF294B016] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xF294CEA6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xF294943C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xF294944E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xF294A030] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xF294BBE2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xF294AB08] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xF2949604] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xF294BAB0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xF294A56E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xF294D438] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xF294BD14] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xF294A492] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xF2949F8E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xF2949BB6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xF29498BC] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xF294D128] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xF2949B34] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xF29490C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xF294C09E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xF294BF64] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xF294CC30] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xF2949224] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xF294D860] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xF2948EC4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xF294B312] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xF294A984] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xF294C5F2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xF294CFA0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xF294D4C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xF2949744] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xF294D5A6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xF294D6D2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xF294CDD2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xF294A6EA] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xF294A63C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xF294A7C8] Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous Code \??\C:\DOKUME~1\Benedikt\LOKALE~1\Temp\catchme.sys pIofCallDriver ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2C54 80503A08 16 Bytes [02, A1, 94, F2, 72, BC, 94, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2D10 80503AC4 12 Bytes [A6, CE, 94, F2, 3C, 94, 94, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2E8C 80503C40 16 Bytes [34, 9B, 94, F2, C2, 90, 94, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2F80 80503D34 12 Bytes [A6, D5, 94, F2, D2, D6, 94, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2F90 80503D44 8 Bytes JMP 3CF294A6 ? C:\DOKUME~1\Benedikt\LOKALE~1\Temp\catchme.sys Das System kann die angegebene Datei nicht finden. ! ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Das System kann die angegebene Datei nicht finden. ! ---- User code sections - GMER 1.0.15 ---- ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[3336] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[3336] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; unknown module: rasapi32.dll .text C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[3336] USER32.dll!VRipOutput + FFFA4DE7 7E362A78 4 Bytes [70, 11, 32, 6D] ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[4008] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[4008] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; unknown module: rasapi32.dll .text C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[4008] USER32.dll!VRipOutput + FFFA4DE7 7E362A78 4 Bytes [70, 11, 32, 6D] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6E267B0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F6E267B0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies) AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies) AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OOSAFEERASE02.00.00.01MSWINDOWS 491ED8103322665F7C41C589A5BBA766B80E7DA4CB3E21AEF8423756DEBD79B48EA3EB6B5FF7A09D123C8DCBCEC09970D66DDB8FF038CC88F852BD6197D4746577EB33B6113D0DC7DEA3D1CF0FEAE022039E5212B12B9B49C8593425935FEE100399E5EEEF9BCE16DBB18851D58AB37E4E8EB744692BF0653218F13732D41E33D3E2FD46870F8B322430EC3EF74047FEEDBDA9F154A0B74321E6165F3D01BEC330953921C6EB6FBD78017F382E055990BAC2871A1545DB3AA92F8099DC070AA7040F1A9A815627CCBB98821713212915B0FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D67949DB7CE019D40AA5C8EDD5E5BE2F6E6670B2E47B4D05D23233A4A7CD9E2BEE68D0E0298B2EA188A971ACC162A215A62BEEA0AC76F7D8C175B057FDDE9DECF8F5C3769BA3E81F6AA15B894955BCAB0CC9599917222E1B53F918771611594975CE15A91191B1294050B727E5854F479F8D76FE018F81A20E6822EF9944DC66F647396B51F272676A108BC46447B0F0F79ECD753BD821915CE0E7939396D8EB2B689A1576CA39AAA783CA46EF79AD64ED5E1D18D9E332565A839FB93C6AFD43F543F463BD3369BC2787E45BA4260E29908637073A662D6621FA95F2D673658F9B0586067DC68B0520449D235A8DF9A568 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG08.00.00.01WORKSTATION B388F9922162368C79F3C0DD97991FECB2B3DAD478ECFE17CE9BC2172E2F9EEFEFCDA57B10B7C79A9885601A4A40B5C13D0B4F638450C27E941FE34EE93DED4D46099792F43BAF8A62A6A5FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D67948EDD5E5BE2F6E667A6A0AC4980AC7933B71066E53704796DA267783EF60A47E983CA33073961257388A8CF88C9AB9B3010F83B79FC821C94DE8B2A53B3EB1B9E6BAA32746AAAB4E2B989FC95DDCC65674307810FBB1DCED3753E596D6A540DEAB76317D4D3A7A0578AF63DB54D1E62CAACC8B554083789E35AC1E21696E9C574168BC0AF79E5E10681FD908F472F7BB9CBDB15AB5B09C872A6EA678E1B29F2D556CECF4147C377144ABB367BDEE69F08C3F5A32B101B8C9F17A2C9493C60441CF0E928F98B79E09D33E437878B7FC2FD5E5E289F674CD6800DE632EEA3346E497E307300F60DA5B0AF405C742A865A5886F2AE858551AF1E8DC80FD95F1DA9D43D869FAB22DC4ED0D5A933B8775C61464CA20590742FA476C16D8D1A60E6B3A60F695E070798E974628F8E7E9838D5EC63F2BF251EC24379F48D24F3FBB04D1F79E4A2D403C50908B175852215A3BCE2A4FAB46055389F0C1AF6895CEB6DB90EA71CA709593C416949F3F034577C19358A6601904 ---- EOF - GMER 1.0.15 ----