 !!!  c   06.04.2008        (/ )
   AVZ  4.30
   03.07.2008 0:22:37
 :  - 157571,  - 2,   - 55,   06.04.2008 17:09
  : 370
  : 9
    : 70476
  :   
 : 
 Windows: 5.1.2600, Service Pack 2 ; AVZ    
 : 
1.  RootKit  ,   API
1.1   API,   UserMode
  kernel32.dll,      .text
 kernel32.dll:GetProcAddress (409) ,  ProcAddressHijack.GetProcAddress ->7C80ADC0->7C883FEC
 kernel32.dll:LoadLibraryA (579) ,  ProcAddressHijack.GetProcAddress ->7C801D77->7C883F9C
 kernel32.dll:LoadLibraryExA (580) ,  ProcAddressHijack.GetProcAddress ->7C801D4F->7C883FB0
 kernel32.dll:LoadLibraryExW (581) ,  ProcAddressHijack.GetProcAddress ->7C801AF1->7C883FD8
 kernel32.dll:LoadLibraryW (582) ,  ProcAddressHijack.GetProcAddress ->7C80AE6B->7C883FC4
  IAT: LoadLibraryA - 7C883F9C<>7C801D77
  IAT: GetProcAddress - 7C883FEC<>7C80ADC0
  ntdll.dll,      .text
  user32.dll,      .text
 user32.dll:RegisterRawInputDevices (546) ,  ProcAddressHijack.GetProcAddress ->7E3BCD4C->7E400010
  advapi32.dll,      .text
  ws2_32.dll,      .text
  wininet.dll,      .text
  rasapi32.dll,      .text
  urlmon.dll,      .text
  netapi32.dll,      .text
1.2   API,   KernelMode
   
 SDT  (RVA=08A500)
  ntoskrnl.exe      804D7000
   SDT = 80561500
   KiST = 804E48B0 (284)
 NtClose (19)  (8056E9E9->ED5E7370),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtConnectPort (1F)  (805A8C64->ED5E5420),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtCreateKey (29)  (80576D63->ED5D87A0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtCreateProcess (2F)  (805C0020->ED5E70A0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtCreateProcessEx (30)  (8058B3BC->ED5E7210),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtCreateSection (32)  (8056CE25->ED5E7E70),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtCreateSymbolicLinkObject (34)  (805A3FA8->ED5E7940),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtCreateThread (35)  (8058559A->ED5E87B0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtDeleteKey (3F)  (80593B81->ED5D88A0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtDeleteValueKey (41)  (805927D8->ED5D8920),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtDuplicateObject (44)  (80580714->ED5E7510),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtEnumerateKey (47)  (80577ED8->ED5D89B0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtEnumerateValueKey (49)  (80587881->ED5D8A60),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtFlushKey (4F)  (805B3E35->ED5D8B10),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtInitializeRegistry (5C)  (805BA04D->ED5D8B90),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtLoadDriver (61)  (805B8BA9->ED5E4FD0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtLoadKey (62)  (805DF2F6->ED5D9590),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtLoadKey2 (63)  (805DF144->ED5D8BB0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtNotifyChangeKey (6F)  (805ADF1B->ED5D8C80),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtOpenFile (74)  (8057E674->F8218030),  D:\WINDOWS\system32\Drivers\kl1.sys
 NtOpenKey (77)  (80571CBC->ED5D8D60),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtOpenProcess (7A)  (80580BA8->ED5E6E90),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtOpenSection (7D)  (805792A3->ED5E7CA0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtQueryKey (A0)  (80577AD8->ED5D8E30),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtQueryMultipleValueKey (A1)  (80653FB8->ED5D8EE0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtQuerySystemInformation (AD)  (80584945->ED5E8460),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtQueryValueKey (B1)  (80572100->ED5D8F90),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtReplaceKey (C1)  (806548F2->ED5D9040),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtRequestWaitReplyPort (C8)  (805781A2->ED5E5A00),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtRestoreKey (CC)  (80653410->ED5D90D0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtResumeThread (CE)  (80585C11->ED5E8760),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtSaveKey (CF)  (806534B7->ED5D92D0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtSetContextThread (D5)  (8063406F->ED5E8AE0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtSetInformationFile (E0)  (805833C8->ED5E90A0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtSetInformationKey (E2)  (80653B1B->ED5D9360),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtSetSecurityObject (ED)  (805A6E94->ED5E3C20),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtSetSystemInformation (F0)  (805E5227->ED5E7B20),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtSetValueKey (F7)  (80581732->ED5D9400),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtSuspendThread (FE)  (80635D1B->ED5E8710),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtSystemDebugControl (FF)  (8064F45D->ED5E52E0),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtTerminateProcess (101)  (8058E281->ED5E8300),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtUnloadKey (107)  (806536E9->ED5D9550),  D:\WINDOWS\system32\drivers\klif.sys,    
 NtWriteVirtualMemory (115)  (805868D0->ED5E73D0),  D:\WINDOWS\system32\drivers\klif.sys,    
 FsRtlCheckLockForReadAccess (804F9AF4) -   .  JmpTo. jmp ED5E94C0 \??\D:\WINDOWS\system32\drivers\klif.sys,    
 IoAllocateIrp (804EAF7D) -   .   .,    15
 IoIsOperationSynchronous (804EAF8E) -   .  JmpTo. jmp ED5E99C0 \??\D:\WINDOWS\system32\drivers\klif.sys,    
 : 284, : 43, : 0
1.3  IDT  SYSENTER
    1
    2
  IDT  SYSENTER 
1.4     
   ,       AVZPM
   
1.5   IRP
\FileSystem\ntfs[IRP_MJ_CREATE] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_WRITE] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8236A1F8 ->   
\FileSystem\ntfs[IRP_MJ_PNP] = 8236A1F8 ->   
\FileSystem\FastFat[IRP_MJ_CREATE] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_CLOSE] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_WRITE] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_SET_EA] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 81D101F8 ->   
\FileSystem\FastFat[IRP_MJ_PNP] = 81D101F8 ->   
  
2.  
   : 37
 -   616 D:\WINDOWS\system32\drivers\CDAC11BA.EXE
[ES]:    
[ES]:   
 -   1396 D:\WINDOWS\system32\UAService7.exe
[ES]:    
[ES]:   
 -   1992 D:\Program Files\USB Disk Win98 Driver\Res.EXE
[ES]:    
[ES]:   !!
 -   1052 D:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
[ES]:   
[ES]:    
[ES]:   !!
[ES]: DLL RASAPI - ,     ?
 d:\program files\sony ericsson\sony ericsson pc suite\sepcsuite.exe     (comm.dll)
 -   1336 D:\Program Files\Winamp Remote\bin\OrbTray.exe
[ES]:   
[ES]:  TCP !
[ES]:    
[ES]:   !!
[ES]: DLL RASAPI - ,     ?
 -   2376 D:\WINDOWS\system32\wuauclt.exe
[ES]:   
[ES]:    
[ES]:   
   : 410
  
3.  
4.  Winsock Layered Service Provider (SPI/LSP)
  LSP .   
5.    // (Keylogger,  DLL)
6.    TCP/UDP,   
   
7. c  
>>> D:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL :   Spy.MyWebSearch (  )
>>> D:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL :   Spy.MyWebSearch (  )
 
8.   
>> :     RemoteRegistry ( )
>> :     TermService ( )
>> :     SSDPSRV (  SSDP)
>> :     Schedule ( )
>> :     mnmsrvc (NetMeeting Remote Desktop Sharing)
>> :     RDSessMgr (      )
> :   -           (,     ...)!
>> :     CDROM
>> :       (C$, D$ ...)
>> :      
>> :     
 
9.     
 >>     HDD
 >>      
 >>      
 
 : 447,   : 0,    0,  - 0
   03.07.2008 0:23:33
  00:00:57
            ,
      - http://virusinfo.info
  
  
