GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-03 23:13:43
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF780F87E]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ZwSetInformationProcess [0xEEFE6BF9]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF780FC10]

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3180] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Program Files\MySpace\IM\MySpaceIM.exe[3464] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes [ 33, C0, C2, 04, 00 ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6072] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6072] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6072] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6072] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6072] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6072] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6072] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6072] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\prodrv06 \Device\ProDrv06 E1CE1C30
Device \Driver\prohlp02 \Device\ProHlp02 E1022090

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\81EF3A37EA2C79F4DBF6451563C5E1D1\Usage@Core 977470846
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\AE874661710A0C34EB245706DBA546B6\Usage@Core 977482593
Reg HKLM\SOFTWARE\Classes\CLSID\{A994E9F3-3DBD-6738-6F6B-6C5F5C42DD08}\Implemented Categories\{B8940ED3-ABCA-97BB-B41D-D42151608BE1}
Reg HKLM\SOFTWARE\Classes\CLSID\{A994E9F3-3DBD-6738-6F6B-6C5F5C42DD08}\Implemented Categories\{B96C9926-FDE6-9417-9961-F5126D28ED2C}
Reg HKLM\SOFTWARE\Classes\CLSID\{A994E9F3-3DBD-6738-6F6B-6C5F5C42DD08}\Implemented Categories\{BB4F3B07-571D-10F4-CF33-951129413B18}
Reg HKLM\SOFTWARE\Classes\CLSID\{A994E9F3-3DBD-6738-6F6B-6C5F5C42DD08}\Implemented Categories\{BCF3EB17-E33F-4F62-6D93-5EA2311BF4B2}
Reg HKLM\SOFTWARE\Classes\CLSID\{A994E9F3-3DBD-6738-6F6B-6C5F5C42DD08}\Implemented Categories\{BD58DA92-96A3-E2C6-0F60-C5806AD75618}
Reg HKLM\SOFTWARE\Classes\CLSID\{A994E9F3-3DBD-6738-6F6B-6C5F5C42DD08}\Implemented Categories\{BEBABBFC-FA86-DF7D-F174-E21F85AAA913}
Reg HKLM\SOFTWARE\Classes\CLSID\{A994E9F3-3DBD-6738-6F6B-6C5F5C42DD08}\Implemented Categories\{BFB924D1-2124-4689-66FF-9091CDADCDED}
Reg HKLM\SOFTWARE\Classes\CLSID\{A994E9F3-3DBD-6738-6F6B-6C5F5C42DD08}\TypeLib@ {2573E1B7-096C-4C18-B7B7-7ABE4FFBC86E}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*@MRUList cbagefjidh
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*@h C:\Documents and Settings\Mark\My Documents\My Pictures\melb\n1487026661_153277_5219.jpg
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*@d C:\Documents and Settings\Mark\My Documents\My Pictures\melb\n1487026661_153279_5855.jpg
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore@Count 1719
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{320AF880-6646-11D3-ABEE-C5DBF3571F46}\iexplore@Count 894
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{320AF880-6646-11D3-ABEE-C5DBF3571F49}\iexplore@Count 894
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{53707962-6F74-2D53-2644-206D7942484F}\iexplore@Count 23186
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{724D43A0-0D85-11D4-9908-00400523E39A}\iexplore@Count 1046
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{724D43A9-0D85-11D4-9908-00400523E39A}\iexplore@Count 993
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{724D43AA-0D85-11D4-9908-00400523E39A}\iexplore@Count 894
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore@Count 20040
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7E853D72-626A-48EC-A868-BA8D5E23E045}\iexplore@Count 18029
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9030D464-4C02-4ABF-8ECC-5164760863C6}\iexplore@Count 18030
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@Count 1545
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\iexplore@Count 10087
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore@Count 20531
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore@Count 1545
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore@Count 20606

---- EOF - GMER 1.0.14 ----