GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-09-05 19:30:55 Windows 5.1.2600 Service Pack 3 Running: gmer.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\awldqfoc.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xF481CE26] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xF481D704] SSDT F8BE35DE ZwCreateKey SSDT F8BE35D4 ZwCreateThread SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xF481D864] SSDT F8BE35E3 ZwDeleteKey SSDT F8BE35ED ZwDeleteValueKey SSDT F8BE35F2 ZwLoadKey SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xF481D7C8] SSDT F8BE35C0 ZwOpenProcess SSDT F8BE35C5 ZwOpenThread SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xF481D28E] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xF4821190] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xF48210FA] SSDT F8BE35FC ZwReplaceKey SSDT F8BE35F7 ZwRestoreKey SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xF481CDCC] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xF481D8C4] SSDT F8BE35E8 ZwSetValueKey SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xF481CD68] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xF481CCBC] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xF481CD04] ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2760 80501F98 4 Bytes CALL F948DDD2 .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF708D360, 0x20469D, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\SearchIndexer.exe[212] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 017879B0 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.) .text C:\Program Files\Internet Explorer\iexplore.exe[392] ntdll.dll!LdrLoadDll + 1 7C9163C4 5 Bytes [22, 00, 68, 71, C3] .text C:\Program Files\Internet Explorer\iexplore.exe[392] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022 .text C:\Program Files\Internet Explorer\iexplore.exe[392] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 6 Bytes PUSH 71500022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!TranslateMessage 7E418BF6 6 Bytes PUSH 71440022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!RegisterClassW 7E41A39A 6 Bytes PUSH 71560022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!RegisterClassExW 7E41AF7F 6 Bytes PUSH 716E0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!DdeInitializeW 7E4206D7 6 Bytes PUSH 714A0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!RegisterClassA 7E42EA5E 6 Bytes PUSH 71610022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!GetClipboardData 7E430DBA 6 Bytes PUSH 71470022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] GDI32.dll!BitBlt 77F16F79 6 Bytes PUSH 71530022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 714D0022 .text C:\Program Files\Internet Explorer\iexplore.exe[392] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[392] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71030022 .text C:\Program Files\Internet Explorer\iexplore.exe[392] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 71070022 .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!InternetCloseHandle 3D949088 6 Bytes PUSH 712C0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!InternetQueryDataAvailable 3D94BF7F 6 Bytes PUSH 71170022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!HttpAddRequestHeadersA 3D94CF46 6 Bytes PUSH 71410022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!HttpOpenRequestA 3D94D508 6 Bytes PUSH 713E0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!InternetConnectA 3D94DEAE 6 Bytes PUSH 71290022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!InternetConnectW 3D94F862 6 Bytes PUSH 71260022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!HttpSendRequestW 3D94FABE 6 Bytes PUSH 712F0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!HttpOpenRequestW 3D94FBFB 6 Bytes PUSH 713B0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!InternetOpenA 3D95D690 6 Bytes PUSH 711D0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!InternetOpenW 3D95DB09 6 Bytes PUSH 711A0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!InternetSetStatusCallback 3D95DCC8 6 Bytes PUSH 71110022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!HttpSendRequestA 3D95EE89 6 Bytes PUSH 71380022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!InternetReadFileExA 3D963381 6 Bytes PUSH 71140022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!InternetGetCookieExA 3D964BD0 6 Bytes PUSH 71200022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!InternetWriteFile 3D9A60F6 6 Bytes PUSH 710E0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!HttpSendRequestExA 3D9BA70A 6 Bytes PUSH 71350022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!HttpSendRequestExW 3D9BA763 6 Bytes PUSH 71320022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[392] WININET.dll!InternetGetCookieA 3D9BBDEC 6 Bytes PUSH 71230022; RET .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1124] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00414A50 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.) .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022 .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1124] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1124] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022 .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1124] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71680022 .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1312] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00438CE0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.) .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022 .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1312] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022 .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1312] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 716E0022 .text C:\Program Files\Internet Explorer\iexplore.exe[2684] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 02FE79B0 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.) .text C:\Program Files\Internet Explorer\iexplore.exe[2684] ntdll.dll!LdrLoadDll + 1 7C9163C4 5 Bytes [22, 00, 68, 71, C3] .text C:\Program Files\Internet Explorer\iexplore.exe[2684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022 .text C:\Program Files\Internet Explorer\iexplore.exe[2684] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 6 Bytes PUSH 714E0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!TranslateMessage 7E418BF6 6 Bytes PUSH 71420022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!RegisterClassW 7E41A39A 6 Bytes PUSH 71570022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!RegisterClassExW 7E41AF7F 6 Bytes PUSH 716E0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!DdeInitializeW 7E4206D7 6 Bytes PUSH 71480022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!RegisterClassA 7E42EA5E 6 Bytes PUSH 71620022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!GetClipboardData 7E430DBA 6 Bytes PUSH 71450022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2684] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2684] GDI32.dll!BitBlt 77F16F79 6 Bytes PUSH 71510022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 714B0022 .text C:\Program Files\Internet Explorer\iexplore.exe[2684] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 71650022 .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!InternetCloseHandle 3D949088 6 Bytes PUSH 712A0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!InternetQueryDataAvailable 3D94BF7F 6 Bytes PUSH 71150022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!HttpAddRequestHeadersA 3D94CF46 6 Bytes PUSH 713F0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!HttpOpenRequestA 3D94D508 6 Bytes PUSH 713C0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!InternetConnectA 3D94DEAE 6 Bytes PUSH 71270022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!InternetConnectW 3D94F862 6 Bytes PUSH 71240022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!HttpSendRequestW 3D94FABE 6 Bytes PUSH 712D0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!HttpOpenRequestW 3D94FBFB 6 Bytes PUSH 71390022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!InternetOpenA 3D95D690 6 Bytes PUSH 711B0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!InternetOpenW 3D95DB09 6 Bytes PUSH 71180022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!InternetSetStatusCallback 3D95DCC8 6 Bytes PUSH 710F0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!HttpSendRequestA 3D95EE89 6 Bytes PUSH 71360022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!InternetReadFileExA 3D963381 6 Bytes PUSH 71120022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!InternetGetCookieExA 3D964BD0 6 Bytes PUSH 711E0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!InternetWriteFile 3D9A60F6 6 Bytes PUSH 710C0022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!HttpSendRequestExA 3D9BA70A 6 Bytes PUSH 71330022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!HttpSendRequestExW 3D9BA763 6 Bytes PUSH 71300022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] WININET.dll!InternetGetCookieA 3D9BBDEC 6 Bytes PUSH 71210022; RET .text C:\Program Files\Internet Explorer\iexplore.exe[2684] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71010022 .text C:\Program Files\Internet Explorer\iexplore.exe[2684] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 71050022 ---- EOF - GMER 1.0.15 ----