This is post 1 of 3. It holds the first part of a GMER 1.0.12 rootkit scan log (Windows XP SP2, scanned 2007-01-10); the log is split across three posts and this part ends mid-line, so read all three before drawing conclusions. Note that GMER lists hooks, not verdicts: the SSDT and kernel-code entries below name the driver each hook resolves to (klif.sys, kl1.sys, mfehidk.sys), whereas the user-mode hooks in WINZIP32.EXE[388] jump to low addresses (0026xxxx, 0034xxxx, 0036xxxx, 00F7xxxx) with no module attributed, so those targets should be matched against the process's loaded modules before deciding whether they belong to an installed security product or to injected code.


GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-10 14:41:25
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 2 Bytes JMP EF9D4D70 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!KiDispatchInterrupt + BD 804DB931 4 Bytes [ 4F, 6F, 90, 90 ]
.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP EF9D2000 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!ZwYieldExecution 804FB0F3 7 Bytes JMP EF1052FD \SystemRoot\system32\drivers\mfehidk.sys
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804FBE09 5 Bytes JMP EF9D1B70 \??\C:\WINDOWS\system32\drivers\klif.sys
PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP EF10522B \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateKey 8056E7A9 5 Bytes JMP EF10523F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtCreateFile 8056FBF8 5 Bytes JMP EF1052BF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571EF1 5 Bytes JMP EF105329 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtMapViewOfSection 8057236C 7 Bytes JMP EF105313 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805730B5 7 Bytes JMP EF1052D3 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwSetValueKey 80573C8D 7 Bytes JMP EF105295 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteValueKey 80593AAC 7 Bytes JMP EF10527F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteKey 80595136 7 Bytes JMP EF105253 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwRenameKey 8064D02D 7 Bytes JMP EF105269 \SystemRoot\system32\drivers\mfehidk.sys

---- User code sections - GMER 1.0.12 ----

.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0026000A
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0026007D
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0026006C
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00260F5C
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00260F6D
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002600BD
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00260F30
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0026001B
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 002600A2
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0026002C
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00260FDB
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00260F41
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00340FCA
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00340076
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00340025
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00340FEF
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0034005B
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00340FB9
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00340000
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00340040
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00360FEF
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00360000
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 0036001B
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 0036002C
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F70FEF
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WS2_32.dll!bind