AVZ antivirus utility log, version 4.30
Scan started at 9/26/2008 2:19:12 AM
(Encoding note: the Cyrillic text of this log was stripped by a character-set mismatch; the wording reconstructed below follows the fixed AVZ 4.x log template, while all addresses, paths, indices and counts are the original values.)
Database loaded: signatures - 188654, neural profiles - 2, cure microprograms - 56, database dated 25.09.2008 21:07
Heuristic microprograms loaded: 370
IPU microprograms loaded: 9
System-file digital signatures loaded: 73357
  :   
 : 
Windows version: 5.1.2600, Service Pack 2 ; AVZ is running with administrator rights
(Reviewer note: this is Windows XP SP2 scanned on 26.09.2008, four months after SP3 shipped, so the OS patch level is behind; read the section-8 exposure findings below with that in mind.)
 : 
1. Search for RootKits and programs hooking API functions
1.1 Search for API hooks operating in UserMode
 Analysis of kernel32.dll, export table found in .text section
 Analysis of ntdll.dll, export table found in .text section
 Analysis of user32.dll, export table found in .text section
 Analysis of advapi32.dll, export table found in .text section
 Analysis of ws2_32.dll, export table found in .text section
 Analysis of wininet.dll, export table found in .text section
 Analysis of rasapi32.dll, export table found in .text section
 Analysis of urlmon.dll, export table found in .text section
 Analysis of netapi32.dll, export table found in .text section
1.2 Search for API hooks operating in KernelMode
 Driver loaded successfully
 SDT found (RVA=082B80)
 Kernel ntoskrnl.exe found in memory at address 804D7000
   SDT = 80559B80
   KiST = 804E2D20 (284)
 NtAdjustPrivilegesToken (0B)  (80598539->AAF9681A),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtClose (19)  (805675D9->AAF96DC6),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtConnectPort (1F)  (80598C34->AAF9882A),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtCreateFile (25)  (8057164C->AAF981E0),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtCreateKey (29)  (8056F063->AAF95F90),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtCreateSymbolicLinkObject (34)  (805A27B0->AAF9A18C),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtCreateThread (35)  (8057F262->AAF96BC2),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtDeleteKey (3F)  (8059D6BD->AAF963D2),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtDeleteValueKey (41)  (80597430->AAF965D2),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtDeviceIoControlFile (42)  (8057FBD0->AAF984EC),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtDuplicateObject (44)  (805743BE->AAF9A698),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtEnumerateKey (47)  (8056F76A->AAF966E8),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtEnumerateValueKey (49)  (805801FE->AAF96750),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtFsControlFile (54)  (8057DA0D->AAF983A2),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtLoadDriver (61)  (805A6B26->AAF99C50),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtOpenFile (74)  (805715E7->AAF9803C),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtOpenKey (77)  (805684D5->AAF960F2),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtOpenProcess (7A)  (8057459E->AAF969E8),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtOpenSection (7D)  (805766CC->AAF9A1B6),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtOpenThread (80)  (80597C0A->AAF9693E),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtQueryKey (A0)  (8056F473->AAF967B8),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtQueryMultipleValueKey (A1)  (8064CF58->AAF964BC),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtQueryValueKey (B1)  (8056B9A8->AAF9629A),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtQueueApcThread (B4)  (80580A00->AAF99EB8),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtReplaceKey (C1)  (8064D892->AAF95C12),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtRequestWaitReplyPort (C8)  (8057860F->AAF990B4),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtRestoreKey (CC)  (8064C3B0->AAF95D74),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtResumeThread (CE)  (8057F8D5->AAF9A568),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtSaveKey (CF)  (8064C457->AAF95A10),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtSecureConnectPort (D2)  (80585D7D->AAF986CC),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtSetContextThread (D5)  (8062C85B->AAF96CC0),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtSetSecurityObject (ED)  (8059DB78->AAF99D4A),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtSetSystemInformation (F0)  (805A5110->AAF9A1E0),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtSetValueKey (F7)  (80575527->AAF96148),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtSuspendProcess (FD)  (8062E431->AAF9A2C4),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtSuspendThread (FE)  (805DC61B->AAF9A3F0),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtSystemDebugControl (FF)  (8064872D->AAF99B7C),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 NtTerminateProcess (101)  (8058AE1E->AAE72F20),  D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
 NtWriteVirtualMemory (115)  (8057C123->AAF96B04),  D:\WINDOWS\system32\DRIVERS\klif.sys,    
 FsRtlCheckLockForReadAccess (804FDAF1) - machine code modified. Method JmpTo. jmp AAFAD01C \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as safe
 IoIsOperationSynchronous (804E8EBA) - machine code modified. Method JmpTo. jmp AAFAD3D6 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as safe
Functions checked: 284, hooked: 39, restored: 0
(Reviewer note: all 39 SSDT hooks above resolve to two security-product driver files — 38 to klif.sys under the Kaspersky driver path and NtTerminateProcess (101) to SASKUTIL.sys under the SUPERAntiSpyware path — plus the two inline JmpTo patches in klif.sys. Two real-time AV kernel drivers hooking the same table at once is a stability risk and explains the hook volume. The klif.sys entries carry a trailing verdict phrase (lost in the encoding) that the SASKUTIL.sys entry lacks, i.e. AVZ's database did not recognise that driver. The "safe" verdict is a lookup of the file against AVZ's database, not a check that the hook targets belong to that file, so on a suspected compromise confirm each driver's publisher signature and hash independently before accepting it.)
1.3 IDT and SYSENTER check
 Analysis for CPU 1
>>> Warning - hooked handler [1].IDT[06] = [F64A116D] D:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as safe
>>> Warning - hooked handler [1].IDT[0E] = [F64A0FC2] D:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as safe
 IDT and SYSENTER check complete
(Reviewer note: IDT vectors 06 and 0E are the #UD (invalid opcode) and #PF (page fault) exception handlers. Hooking these two vectors is characteristic of dongle-based copy-protection drivers, which the Haspnt.sys file name suggests, but the same vectors are also a classic rootkit hooking point; the verdict rests on a file-name/hash lookup, so verify that Haspnt.sys is signed and matches the vendor's release rather than dismissing the warning on the name alone.)
1.4 Search for masked (hidden) processes and drivers
      
   
1.5 IRP handler check
 Check complete
2. Memory check
 Number of processes found: 36
 -   556 D:\WINDOWS\system32\PnkBstrA.exe
[ES]:   
[ES]:   ?!
[ES]:    
[ES]:   
 -   720 D:\WINDOWS\System32\TuneUpDefragService.exe
[ES]:    
[ES]:   
 -   2968 D:\Program Files\Razer\Habu\razerhid.exe
[ES]:   
[ES]:    
[ES]:   !!
 -   3096 D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[ES]:   
[ES]:    
[ES]:   !!
 -   2836 D:\Program Files\Razer\Habu\razerofa.exe
[ES]:    
 -   2840 D:\Program Files\iTunes\iTunesHelper.exe
[ES]:   
[ES]:    
[ES]:   !!
 -   3144 D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
[ES]:    
[ES]:   !!
 -   3256 D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
[ES]:   
[ES]:    
 -   3356 D:\Program Files\Logitech\SetPoint\SetPoint.exe
[ES]:   
[ES]:    
[ES]:   !!
 -   3468 D:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
[ES]:    
 -   3808 D:\Program Files\iPod\bin\iPodService.exe
[ES]:    
 -   4044 D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
[ES]:   
 Number of loaded modules: 506
Memory check complete
3. Disk scan
4. Winsock Layered Service Provider (SPI/LSP) check
 LSP settings checked. No errors found
5. Search for keyboard/mouse/window event hooks (Keylogger, trojan DLLs)
D:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll --> Suspected Keylogger or trojan DLL
D:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll>>> Behavioral analysis
 Typical keylogger behavior not registered
D:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll --> Suspected Keylogger or trojan DLL
D:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll>>> Behavioral analysis
 Typical keylogger behavior not registered
D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll --> Suspected Keylogger or trojan DLL
D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll>>> Behavioral analysis
 Typical behavior 1. Hooks events: keyboard, mouse, windows [wording reconstructed]
D:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll>>> Neural network: file resembles a typical keyboard/mouse event hook with probability 97.91%
 Note: objects in this section are listed for review, not as detections (see FAQ); legitimate hook DLLs trigger this check too [wording reconstructed]
(Reviewer note: the two mzvkbd DLLs are the same files named in the AppInit_DLLs modification in section 7 and sit in the Kaspersky program directory, consistent with that product's own keyboard hooks rather than a separate implant; HydraDMH.dll sits in the ATI HydraVision directory and its 97.91% neural-net score is a heuristic similarity, not a signature match. Neither observation proves benignity — a trojan DLL dropped into a vendor directory would look identical here — so confirm each file's publisher signature and hash before closing the finding.)
6. Search for open TCP/UDP ports used by malware
 Check disabled by user
7. Heuristic system check
 Warning !!! Modification of the AppInit_DLLs parameter detected: "D:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,D:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll"
Check complete
(Reviewer note: AppInit_DLLs loads the listed DLLs into every process that maps user32.dll, and on Windows XP there is no signing requirement for them, so this value is a standard persistence and code-injection point. Here both paths resolve into the Kaspersky directory and match the DLLs flagged in section 5; verify their signatures rather than accepting the path as proof of legitimacy.)
8. Search for potential vulnerabilities
>> Services: potentially dangerous service Schedule (Task Scheduler) is enabled
>> Services: potentially dangerous service mnmsrvc (NetMeeting Remote Desktop Sharing) is enabled
>> Services: potentially dangerous service RDSessMgr (Remote Desktop Help Session Manager) is enabled
> Security: anonymous-user access to this PC is allowed (session list enumeration, ...)!
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: autorun of programs from CDROM is enabled
Check complete
(Reviewer note: mnmsrvc and RDSessMgr are inbound remote-control services and should be disabled if remote assistance is not in use. Anonymous enumeration and administrative shares expose account and share information to unauthenticated network peers and are the usual lateral-movement path for network worms on XP; autorun from CD (and from HDD, section 9) lets an autorun.inf on inserted or mapped media execute without user action — set NoDriveTypeAutoRun to cover all drive types. Task Scheduler is listed because it is a common persistence mechanism, but disabling it breaks legitimate maintenance jobs; review the scheduled tasks instead.)
9. Troubleshooting wizard
 >> Autorun from HDD is enabled
Check complete
Files scanned: 543, extracted from archives: 0, malware found 0, suspicious - 0
(Reviewer note: section 3 "Disk scan" is empty and the whole run took 80 seconds over 543 files, so this is a system-area sweep, not a full-disk scan; "0 malware found" must not be read as a clean-disk verdict.)
Scan finished at 9/26/2008 2:20:28 AM
Scan duration 00:01:20
If you suspect the presence of viruses or have questions about the suspected objects,
you can ask in the forum at http://virusinfo.info
  
  
