
Hi. I see 46823384.sys on GMER log. Is that a problem? Thanks.


This topic is locked
4 replies to this topic

#1 data23

data23

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:44 AM

Posted 23 January 2014 - 05:34 AM

Hi, my computer had like 5 or more viruses in it, so I reformatted the hard drive and reinstalled Windows XP. I have Kaspersky and MBAM and they found nothing. I ran GMER and saw a strange file 46823384.sys in the devices section and kernel code section. Don't know if this is a rootkit. Thanks for your help.

Here is my log:

GMER 2.1.19355 -

Rootkit scan 2014-01-23 01:58:47
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c ST340014A rev.8.01 37.27GB
Running: gmer.exe; Driver: C:\DOCUME~1\z\LOCALS~1\Temp\awrcyfow.sys

---- System - GMER 2.1 ----

SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                    ZwAdjustPrivilegesToken [0xA8A0EA14]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwClose [0xA89AA3D2]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwConnectPort [0xA89C1560]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwCreateEvent [0xA89AA94A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwCreateMutant [0xA89AA830]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwCreatePort [0xA89C1886]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwCreateProcess [0xA8A109AE]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwCreateProcessEx [0xA8A10BCA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwCreateSection [0xA8A11A8E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwCreateSemaphore [0xA89AAA6A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwCreateThread [0xA8A1108E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwCreateWaitablePort [0xA89C1954]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwDebugActiveProcess [0xA8A10854]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwDeleteKey [0xA89BB5E6]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwDeleteValueKey [0xA89BCDCE]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwDeviceIoControlFile [0xA89AA416]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwDuplicateObject [0xA8A0EB56]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwEnumerateKey [0xA89BC5DA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                           ZwEnumerateValueKey [0xA89BCF6E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwLoadDriver [0xA8A0E7BE]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwLoadKey [0xA89BC11E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwLoadKey2 [0xA89BC376]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwMapViewOfSection [0xA8A11886]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwNotifyChangeKey [0xA89BFD22]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwOpenEvent [0xA89AA9E0]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwOpenMutant [0xA89AA8C0]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwOpenProcess [0xA8A103FC]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwOpenSection [0xA8A11D3A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwOpenSemaphore [0xA89AAB00]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwOpenThread [0xA8A10DEA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwQueryKey [0xA89BB41A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                     ZwQueryMultipleValueKey [0xA89BCBDC]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwQueryObject [0xA89BFF30]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwQueryValueKey [0xA89BC9D0]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwQueueApcThread [0xA8A1173A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwRenameKey [0xA89BB6FA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwReplaceKey [0xA89BBD6C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwReplyPort [0xA89C1B94]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                        ZwReplyWaitReceivePort [0xA89C1A22]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                    ZwReplyWaitReceivePortEx [0xA89C1AD8]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                     ZwRequestWaitReplyPort [0xA89C1C04]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwRestoreKey [0xA89BBF72]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwResumeThread [0xA8A11464]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwSaveKey [0xA89BB89E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwSaveKeyEx [0xA89BBA34]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwSaveMergedKeys [0xA89BBBD0]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwSecureConnectPort [0xA89C16EE]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwSetContextThread [0xA8A115C2]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                       ZwSetInformationToken [0xA89AAB8A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                      ZwSetSystemInformation [0xA8A0E8C8]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwSetValueKey [0xA89BC79A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwSuspendProcess [0xA8A1059C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwSuspendThread [0xA8A1130C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                       ZwSystemDebugControl [0xA89AAB9C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwTerminateProcess [0xA8A106FC]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwTerminateThread [0xA8A10F8A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                     ZwUnmapViewOfSection [0xA8A11EA2]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys                                                             ZwWriteVirtualMemory [0xA8A11BCC]


---- Kernel code sections - GMER 2.1 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2CB4                                                              8050459C 4 Bytes  [14, EA, A0, A8]
.text           ntkrnlpa.exe!ZwCallbackReturn + 2E0C                  805046F4 12 Bytes  [BE, E7, A0, A8, 1E, C1, 9B, ...] {MOV ESI, 0x1ea8a0e7; RCR DWORD [EBX-0x643c8958], 0xa8}
.text           ntkrnlpa.exe!ZwCallbackReturn + 2E88                                                              80504770 4 Bytes  [EA, 0D, A1, A8]
.text           ntkrnlpa.exe!ZwCallbackReturn + 2F88                                            80504870 20 Bytes  [FA, B6, 9B, A8, 6C, BD, 9B, ...]
.text           ntkrnlpa.exe!ZwCallbackReturn + 2FC0                                         805048A8 20 Bytes  [64, 14, A1, A8, 9E, B8, 9B, ...]
.text           ...                                                                                              
?               46823384.sys                                                                                      The system cannot find the file specified. !
?               C:\WINDOWS\system32\Drivers\PROCEXP152.SYS                   The system cannot find the file specified. !


---- User code sections - GMER 2.1 ----

?               C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[752] C:\WINDOWS\system32\ntdll.dll      time/date stamp mismatch;
.text           C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[752] ntdll.dll!NtProtectVirtualMemory   7C90D6EE 5 Bytes  JMP 6CBA2066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll
?               C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[752] C:\WINDOWS\system32\kernel32.dll   time/date stamp mismatch;
?               C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[752] C:\WINDOWS\system32\ole32.dll      time/date stamp mismatch;
.text           C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[752] USER32.dll!AlignRects              7E412A78 4 Bytes  [83, 30, BA, 6C] {XOR DWORD [EAX], -0x46; INS BYTE [ES:EDI], DX}
?               C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1620] C:\WINDOWS\system32\ntdll.dll     time/date stamp mismatch;
.text           C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1620] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 6CBA2066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll
?               C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1620] C:\WINDOWS\system32\kernel32.dll  time/date stamp mismatch;
?               C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1620] C:\WINDOWS\system32\ole32.dll     time/date stamp mismatch;
.text           C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1620] USER32.dll!AlignRects             7E412A78 4 Bytes  [83, 30, BA, 6C] {XOR DWORD [EAX], -0x46; INS BYTE [ES:EDI], DX}


---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                          kltdi.sys

Device          \Driver\00001416 \Device\KLMD12112013_02100002                                                    46823384.sys

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                         kltdi.sys

Device          \FileSystem\33290121 \Device\KLMD12112013_02100002_B                                              46823384.sys

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                         kltdi.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                       kltdi.sys

---- EOF - GMER 2.1 ----


Edited by data23, 23 January 2014 - 05:51 AM.
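The question in this post is really one of triage: the GMER log lists dozens of SSDT hooks and two driver files that GMER could not open on disk, and the reader has to decide whether they belong to one known product or to something else. The following script is an added example (not code from the thread, from GMER or from any BleepingComputer helper) that parses a GMER 2.1 log in the format shown above, counts SSDT hooks per hooking module, and correlates the "cannot find the file" entries with the device objects those driver names back. The log excerpt inside it is constructed from a handful of lines of the same shape as the post's log; the function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt modelled on the GMER 2.1 log format in the post above
# (a few lines from each section, not the full log; spacing shortened).
SAMPLE_LOG = r"""GMER 2.1.19355 -

Rootkit scan 2014-01-23 01:58:47

---- System - GMER 2.1 ----

SSDT            \SystemRoot\system32\DRIVERS\klif.sys    ZwAdjustPrivilegesToken [0xA8A0EA14]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys    ZwCreateProcess [0xA8A109AE]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys    ZwLoadDriver [0xA8A0E7BE]

---- Kernel code sections - GMER 2.1 ----

?               46823384.sys    The system cannot find the file specified. !
?               C:\WINDOWS\system32\Drivers\PROCEXP152.SYS    The system cannot find the file specified. !

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip    kltdi.sys
Device          \Driver\00001416 \Device\KLMD12112013_02100002    46823384.sys
Device          \FileSystem\33290121 \Device\KLMD12112013_02100002_B    46823384.sys

---- EOF - GMER 2.1 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[0x[0-9A-Fa-f]+\]$")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified\.")


def basename(path):
    """Last path component of a Windows path (GMER prints \SystemRoot\... paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Split a GMER 2.1 log into the three sections this triage needs."""
    section = None
    result = {"ssdt_hooks": [], "missing_files": [], "devices": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:  # (hooking module, hooked Zw* service)
                result["ssdt_hooks"].append((m.group(1), m.group(2)))
        elif section == "Kernel code sections":
            m = MISSING_RE.match(line)
            if m:  # driver name GMER saw in memory but could not open on disk
                result["missing_files"].append(m.group(1))
        elif section == "Devices":
            parts = line.split()
            if len(parts) == 4 and parts[0] in ("Device", "AttachedDevice"):
                result["devices"].append({"kind": parts[0], "driver_object": parts[1],
                                          "device": parts[2], "driver_file": parts[3]})
    return result


def hooks_by_module(parsed):
    """How many SSDT entries each module hooks; one security product hooking
    everything looks very different from several unrelated modules."""
    return dict(Counter(basename(mod).lower() for mod, _ in parsed["ssdt_hooks"]))


def devices_for_missing_drivers(parsed):
    """Driver files GMER could not open on disk, mapped to the device objects
    they back, so each unresolved name can be judged by its neighbours."""
    missing = {basename(p).lower() for p in parsed["missing_files"]}
    out = defaultdict(list)
    for d in parsed["devices"]:
        name = d["driver_file"].lower()
        if name in missing:
            out[name].append(d["device"])
    return dict(out)


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    print("SSDT hooks per module:", hooks_by_module(parsed))
    print("Unresolved drivers and their devices:", devices_for_missing_drivers(parsed))
```

On the sample, every SSDT hook resolves to klif.sys, and the only device objects backed by the unresolvable 46823384.sys are the two KLMD-prefixed ones, the same KL naming as klif.sys and kltdi.sys elsewhere in the log. That correlation is what the reply below leans on; it is a starting point for a judgement, not a verdict, and a driver name that cannot be opened on disk still deserves a look at the vendor's documentation of its self-protection drivers. To run it on a real log, pass the file's contents to parse_gmer in place of SAMPLE_LOG.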




#2 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:44 PM

Posted 25 January 2014 - 09:00 PM

Hi,

This driver most likely belongs to Kaspersky.

How is your computer running? Do you experience any suspicious symptoms?



#3 data23

data23
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:44 AM

Posted 26 January 2014 - 01:39 PM

Hi, thanks so much for the reply. Yeah, I did some research and the klif.sys file is part of Kaspersky. I hope that 46823384.sys is part of Kaspersky as well. When I ran Gmer I unplugged the network cable and turned off Kaspersky and Malwarebytes, as I heard this gives more accurate results. Also, Kaspersky blocks Gmer & DDS from running in the first place.


I have bad news though. After running Gmer I turned on Kaspersky and Malwarebytes and plugged the network cable back in, and the bad news is that now my sound is very distorted and my internet is slowed down. Have you heard of this happening to other people that ran Gmer? I did some research and found out that when some people ran Gmer on their machines their computers died or got the BSOD. Additionally, I looked at Process Explorer to see what was causing my computer to be so slow, and the only difference I noticed from before I ran Gmer was that "interrupts" was using a lot of CPU, like 20%.


Before I ran Gmer my machine was working fine, but I wanted to make sure it had no viruses. So now my sound is very distorted on Youtube and my computer has slowed. Is Gmer incompatible with some computers, and is that why this happened to me and others? Or is this a sign of malware interacting with Gmer? Should I reinstall Windows XP? Thanks so much for your help.


Edited by data23, 26 January 2014 - 06:12 PM.


#4 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:44 PM

Posted 27 January 2014 - 08:30 AM

Hi,

After running Gmer I turned on Kaspersky and Malwarebytes and plugged network cable back in and the bad news is that now my sound is very distorted and my internet is slowed down. Have you heard of this happening to other people that ran Gmer.

Yes I indeed have heard of this before and (you're pretty lucky :wink:) we've found the reason for it.
(edit: This problem is not related to malware - don't worry. It is caused by gmer.)

So we need to read out some information first to be able to fix it afterwards:
  • Click on the Start then Run...
  • Type notepad in the box and press Enter or OK.
  • Copy and paste the entire text below into the blank notepad document:
    >checkDMA.txt 2>&1 (
    reg query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0"
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}" /s
    )
    notepad checkDMA.txt
    
  • Click on File > Save As... to save the file to your desktop.
  • In the File Name box, type in Reglook.bat.
  • Press Save, then Close Notepad.
  • Double click Reglook.bat on your desktop.
  • When complete, a log file will pop up and a copy will be saved to your desktop as checkDMA.txt; please post it in your next reply.

Edited by aharonov, 27 January 2014 - 08:33 AM.
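The batch file above writes the raw output of two `reg query` calls (the SCSI port 0 device map and the IDE ATA/ATAPI controller class, `{4D36E96A-E325-11CE-BFC1-08002BE10318}`, with all its channel subkeys) into checkDMA.txt for a helper to read. The script below is an added example, not part of the thread and not the helper's own tooling, that parses that file format into a key/value tree so the per-channel values can be compared programmatically instead of by eye. The checkDMA.txt excerpt inside it is constructed in the layout `reg query` prints on Windows XP; the value names it contains (`Driver`, `DriverDesc`, `MasterDeviceTimingMode`, `MasterDeviceTimingModeAllowed`) are sample data assumed for the example, and the function names are the example's own.

```python
import re

# Constructed excerpt in the layout `reg query` prints on Windows XP. The two
# key paths are the ones the batch file queries; the values are sample data
# assumed for this example, not taken from the thread.
SAMPLE_CHECKDMA = """
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0
    Driver    REG_SZ    atapi

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318}
    Class    REG_SZ    hdc
    ClassDesc    REG_SZ    IDE ATA/ATAPI controllers

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318}\\0001
    DriverDesc    REG_SZ    Primary IDE Channel
    MasterDeviceTimingMode    REG_DWORD    0x10
    MasterDeviceTimingModeAllowed    REG_DWORD    0xffffffff
"""

# A value line is indented: <name>  <REG_type>  <data>; names may contain spaces.
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def decode(vtype, data):
    """Turn the printed data into a Python value (DWORDs are printed as hex)."""
    if vtype == "REG_DWORD":
        return int(data, 16)
    return data.strip()


def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: (type, data)}}.
    Key lines start at column 0 with HKEY_; everything indented under a key
    is one of its values; header and blank lines are ignored."""
    tree = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            tree[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, vtype, data = m.groups()
                tree[current][name] = (vtype, decode(vtype, data))
    return tree


def find_values(tree, name_pattern):
    """All (key, name, data) triples whose value name matches a regex,
    case-insensitively, across every subkey the /s query returned."""
    rx = re.compile(name_pattern, re.I)
    return [(key, name, data)
            for key, values in tree.items()
            for name, (vtype, data) in values.items()
            if rx.search(name)]


def ide_channels(tree):
    """Per-channel view of the controller class: DriverDesc of each numbered
    subkey mapped to its *TimingMode* values, ready to compare between runs."""
    out = {}
    for key, values in tree.items():
        if "DriverDesc" in values and key.rsplit("\\", 1)[-1].isdigit():
            timing = {n: d for n, (t, d) in values.items() if "TimingMode" in n}
            out[values["DriverDesc"][1]] = timing
    return out


if __name__ == "__main__":
    tree = parse_reg_query(SAMPLE_CHECKDMA)
    print("port 0 miniport:", find_values(tree, r"^Driver$"))
    for desc, timing in ide_channels(tree).items():
        print(desc, {n: hex(v) for n, v in timing.items()})
```

To use it on the real file, replace SAMPLE_CHECKDMA with `open("checkDMA.txt").read()`. The useful workflow is to keep a parsed snapshot from a known-good state and diff `ide_channels()` against a later one: a channel whose timing values have changed since the machine last behaved normally is the thing to show the helper, rather than the whole registry dump.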


#5 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:44 PM

Posted 27 February 2014 - 03:23 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



