GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-06 14:50:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9320423AS rev.0002SDM1
Running: qhhdwrbw.exe; Driver: C:\DOCUME~1\Laura\LOCALS~1\Temp\uxtdapow.sys

---- System - GMER 1.0.15 ----

SSDT 87159EB8 ZwAllocateVirtualMemory
SSDT 8718C1E8 ZwCreateKey
SSDT 87163C98 ZwCreateProcess
SSDT 871CA288 ZwCreateProcessEx
SSDT 871620E8 ZwCreateThread
SSDT 871DF358 ZwDeleteKey
SSDT 8718A1B8 ZwDeleteValueKey
SSDT 87163D10 ZwOpenKey
SSDT 87159F30 ZwQueueApcThread
SSDT 87159DC8 ZwReadVirtualMemory
SSDT 871C80F0 ZwRenameKey
SSDT 871C5288 ZwSetContextThread
SSDT 8719F020 ZwSetInformationKey
SSDT 871E17B0 ZwSetInformationProcess
SSDT 871C5300 ZwSetInformationThread
SSDT 871C5E28 ZwSetValueKey
SSDT 871E1738 ZwSuspendProcess
SSDT 87159FA8 ZwSuspendThread
SSDT 871CA210 ZwTerminateProcess
SSDT 87162070 ZwTerminateThread
SSDT 87159E40 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C88 80504524 4 Bytes [E8, C1, 18, 87]
.text ntkrnlpa.exe!ZwCallbackReturn + 2CB8 80504554 4 Bytes CALL EED75B79
init C:\WINDOWS\System32\Drivers\ArcRec.SYS entry point in "init" section [0xF7A9A138]
? C:\DOCUME~1\Laura\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2020] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 10698DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2020] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 10698D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2020] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104C7187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2020] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104C7781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2036] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[2736] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 50367370 C:\Program Files\Webroot\Security\current\plugins\antimalware\SSUDLL.dll
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[2736] ntdll.dll!KiUserExceptionDispatcher + 9 7C90E485 5 Bytes JMP 000160B0 C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[2736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00014930 C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[2736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 000152F0 C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[2736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes [33, C0, C2, 0C, 00] {XOR EAX, EAX; RET 0xc}
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[2736] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 000152A0 C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[2736] kernel32.dll!VirtualFree 7C809B84 5 Bytes JMP 000152D0 C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip 86FCF338
Device \Driver\Tcpip \Device\Ip 8700E800
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\Tcpip \Device\Tcp 86FCF338
Device \Driver\Tcpip \Device\Tcp 8700E800
Device \Driver\Tcpip \Device\Udp 86FCF338
Device \Driver\Tcpip \Device\Udp 8700E800
Device \Driver\Tcpip \Device\RawIp 86FCF338
Device \Driver\Tcpip \Device\RawIp 8700E800
Device \Driver\Tcpip \Device\IPMULTICAST 86FCF338
Device \Driver\Tcpip \Device\IPMULTICAST 8700E800
Device \FileSystem\Fastfat \Fat A86AFD20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----