GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-01-13 20:56:58 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_SV0411N rev.UA100-08 Running: t7u8xwcp.exe; Driver: C:\DOCUME~1\admin\USTAWI~1\Temp\axldypow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF58DE224] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xF58DE7F8] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xF58E0234] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xF58DFBE6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xF58DD99A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF58E1BC6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xF58DE5F8] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xF58DDDDC] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xF58DDFDC] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xF58DFEF6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xF58E20CE] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xF58DE0F2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xF58DE15A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xF58DFDA8] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xF58E166A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xF58DFA42] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xF58DDAFC] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xF58DE3FC] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xF58E1BF0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xF58DE348] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xF58DE1C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xF58DDEC6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xF58DDCA4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xF58E18D2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xF58DD61C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xF58E0ABE] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xF58DD77E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xF58E1FA0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xF58DD41A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xF58E00D6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xF58DE6F6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xF58E1764] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xF58E1C1A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xF58DDB52] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xF58E1CFE] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xF58E1E2A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xF58E1596] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xF58DE4C8] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xF58DE53A] Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [FE, 1C, 8E, F5, 2A, 1E, 8E, ...] .text ntoskrnl.exe!IoIsOperationSynchronous 804E875A 5 Bytes JMP F58F5C2E \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) .text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80512919 5 Bytes JMP F58F5874 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) .text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6CDF360, 0x24BB1D, 0xE8000020] .text mrxsmb.sys F5738300 1 Byte [80] .text mrxsmb.sys F5738300 271 Bytes [80, 00, 00, 00, 00, 84, 06, ...] .text mrxsmb.sys F5738410 356 Bytes [64, 80, 75, F5, 57, 8B, CE, ...] .text mrxsmb.sys F5738575 252 Bytes [04, 8B, 30, 89, 70, 08, 83, ...] .text mrxsmb.sys F5738672 319 Bytes [00, 00, C6, 05, 89, 80, 75, ...] .text ... .INIT C:\WINDOWS\System32\DRIVERS\mrxsmb.sys entry point in ".INIT" section [0xF5746022] ? C:\WINDOWS\System32\DRIVERS\mrxsmb.sys suspicious PE modification ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\explorer.exe[1784] SHELL32.dll!StrStrW 7C9CFA48 4 Bytes [60, 08, 40, 7E] {PUSHA ; OR [EAX+0x7e], AL} ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\System32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F714EDF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!RtlGetGroupSecurityDescriptor] FAE9FFFF IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoFreeIrp] C7FFFFC8 IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!InterlockedExchangeAdd] 000DF445 IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!PsReturnPoolQuota] 1AE9C000 IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!ExAllocatePoolWithTagPriority] 8BFFFFC9 IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!PsChargeProcessPoolQuota] 4E8B1446 IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!RtlCopyUnicodeString] 89018918 IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\Drivers\Udfs.SYS[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F714EDF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [F714ED40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Modules - GMER 1.0.15 ---- Module (noname) (*** hidden *** ) F78EF000-F78FE000 (61440 bytes) ---- Threads - GMER 1.0.15 ---- Thread System [4:716] 833F4540 ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\LocalService\Cookies\system@plus.google[3].txt 99 bytes File C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\S4L7YR9S\blogger-simple-kahki[1].gif 1772 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534 0 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\@ 2048 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\L 0 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\L\ziudplxi 456576 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\loader.tlb 2632 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\U 0 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\U\@00000001 45968 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\U\@000000c0 3072 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\U\@000000cb 3072 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\U\@000000cf 1536 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\U\@80000000 73728 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\U\@800000c0 32768 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\U\@800000cb 24064 bytes File C:\WINDOWS\$NtUninstallKB31631$\1241435534\U\@800000cf 31232 bytes File C:\WINDOWS\$NtUninstallKB31631$\3648194817 0 bytes ---- EOF - GMER 1.0.15 ----