GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-09 21:07:27
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\john\LOCALS~1\Temp\uwtdypog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xB800BE26]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xB800C704]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xB800C864]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xB8010086]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xB80100B8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xB801021A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xB800C7C8]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xBA2FD670]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xB800C15C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xB800C28E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xB8010190]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xB80100FA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xB801012C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xB801015E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xB800BDCC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xB800C8C4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xB801001E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xB800BD68]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xBA2FD720]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xBA2FD7C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xBA2FD860]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB9BC1360, 0x20598D, 0xE8000020]
init C:\WINDOWS\System32\DRIVERS\mohfilt.sys entry point in "init" section [0xF774A760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB98DFF80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1412] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00414A50 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1412] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1412] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1412] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1412] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71680022
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[2340] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3292] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00438CE0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3292] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3292] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 716E0022
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 011879B0 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] ntdll.dll!LdrLoadDll + 1 7C9163C4 5 Bytes [22, 00, 68, 71, C3]
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 6 Bytes PUSH 714E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] GDI32.dll!BitBlt 77F16F79 6 Bytes PUSH 71510022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!TranslateMessage 7E418BF6 6 Bytes PUSH 71420022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!RegisterClassW 7E41A39A 6 Bytes PUSH 71570022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!RegisterClassExW 7E41AF7F 6 Bytes PUSH 716E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!DdeInitializeW 7E4206D7 6 Bytes PUSH 71480022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!RegisterClassA 7E42EA5E 6 Bytes PUSH 71620022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!GetClipboardData 7E430DBA 6 Bytes PUSH 71450022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!DialogBoxIndirectParamW 7E432072 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E352076 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E35203B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F83 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351FBD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3520B1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E201772 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 714B0022
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 71650022
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E352273 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71010022
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 71050022
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!InternetCloseHandle 3D944261 6 Bytes PUSH 712A0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!HttpAddRequestHeadersA 3D94632F 6 Bytes PUSH 713F0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!HttpOpenRequestA 3D94AA7B 6 Bytes PUSH 713C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!InternetConnectA 3D94B0D2 6 Bytes PUSH 71270022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!InternetConnectW 3D94C2C0 6 Bytes PUSH 71240022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!HttpOpenRequestW 3D94C49A 6 Bytes PUSH 71390022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!InternetQueryDataAvailable 3D951615 6 Bytes PUSH 71150022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!InternetOpenA 3D953081 6 Bytes PUSH 711B0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!HttpSendRequestA 3D953558 6 Bytes PUSH 71360022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!InternetOpenW 3D9536B1 6 Bytes PUSH 71180022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!InternetSetStatusCallback 3D957D7B 6 Bytes PUSH 710F0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!HttpSendRequestExW 3D958C49 6 Bytes PUSH 71300022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!InternetWriteFile 3D958D5C 6 Bytes PUSH 710C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!HttpSendRequestW 3D95FDF9 6 Bytes PUSH 712D0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!InternetReadFileExA 3D963384 6 Bytes PUSH 71120022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!InternetGetCookieExA 3D963A49 6 Bytes PUSH 711E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!HttpSendRequestExA 3D9AA92E 6 Bytes PUSH 71330022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4516] WININET.dll!InternetGetCookieA 3D9AC120 6 Bytes PUSH 71210022; RET

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\40B8D8DFDAEB55A4AAD1262D73E3D7AE\Usage@statusexe 1026097664

---- EOF - GMER 1.0.15 ----