GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-22 12:29:35
Windows 5.1.2600 Service Pack 3
Running: gub92dgp.exe; Driver: C:\DOCUME~1\Kamila\USTAWI~1\Temp\awroifob.sys


---- System - GMER 1.0.15 ----

SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwAssignProcessToJobObject [0xF5DD5E26]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwClose [0xF5D46C7A]
SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwCreateFile [0xF5DD6704]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwCreateKey [0xF5D46B36]
SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwDeleteFile [0xF5DD6864]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwDeleteKey [0xF5D470EA]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwDeleteValueKey [0xF5D47014]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwDuplicateObject [0xF5D4670C]
SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwLoadKey [0xF5DDA21A]
SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwOpenFile [0xF5DD67C8]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenKey [0xF5D46C10]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenProcess [0xF5D4664C]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenThread [0xF5D466B0]
SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwProtectVirtualMemory [0xF5DD628E]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwQueryValueKey [0xF5D46D30]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwRenameKey [0xF5D471B8]
SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwReplaceKey [0xF5DDA12C]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwRestoreKey [0xF5D46CF0]
SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwSetContextThread [0xF5DD5DCC]
SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwSetInformationFile [0xF5DD68C4]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwSetValueKey [0xF5D46E70]
SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwSuspendThread [0xF5DD5D68]
SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwTerminateProcess [0xF5DD5CBC]
SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwTerminateThread [0xF5DD5D04]

Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwCreateProcessEx [0xF5D53AC6]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwCreateSection [0xF5D538EA]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwLoadDriver [0xF5D53A24]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  NtCreateSection
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ObInsertObject
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE  ntoskrnl.exe!ObInsertObject 8056DA64 5 Bytes  JMP F5D50EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE  ntoskrnl.exe!NtCreateSection 8056DB66 7 Bytes  JMP F5D538EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE  ntoskrnl.exe!ZwCreateProcessEx 8058B7CD 7 Bytes  JMP F5D53ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE  ntoskrnl.exe!ZwLoadDriver 805A8FB2 7 Bytes  JMP F5D53A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE  ntoskrnl.exe!ObMakeTemporaryObject 805E6A8E 5 Bytes  JMP F5D4F536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[836] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes  JMP 00438CA0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text  C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes  JMP 716B0022
.text  C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[836] WS2_32.dll!getaddrinfo 71A52A6F 5 Bytes  JMP 71680022
.text  C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[836] WS2_32.dll!gethostbyname 71A55355 5 Bytes  JMP 716E0022
.text  C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1120] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes  JMP 00414990 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text  C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes  JMP 716B0022
.text  C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1120] USER32.dll!GetGUIThreadInfo + FB 7E378023 6 Bytes  JMP 716E001E
.text  C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1120] WS2_32.dll!getaddrinfo 71A52A6F 5 Bytes  JMP 71650022
.text  C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1120] WS2_32.dll!gethostbyname 71A55355 5 Bytes  JMP 71680022
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes  JMP 01407B40 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes  JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes  JMP 716B0022
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] kernel32.dll!SetUnhandledExceptionFilter 7C844935 6 Bytes  PUSH 71510022; RET
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] GDI32.dll!BitBlt 77F16F79 6 Bytes  PUSH 71540022; RET
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] USER32.dll!TranslateMessage 7E368BF6 6 Bytes  PUSH 71420022; RET
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] USER32.dll!GetMessageW 7E3691C6 6 Bytes  PUSH 71480022; RET
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] USER32.dll!RegisterClassExW 7E36AF7F 6 Bytes  PUSH 716E0022; RET
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] USER32.dll!DdeInitializeW 7E3706D7 6 Bytes  PUSH 714E0022; RET
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] USER32.dll!GetWindowRect 7E3790B4 6 Bytes  PUSH 71450022; RET
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] USER32.dll!GetClipboardData 7E380DBA 6 Bytes  PUSH 714B0022; RET

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\WINDOWS\system32\services.exe[780] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  003D0002
IAT  C:\WINDOWS\system32\services.exe[780] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003D0000
IAT  C:\Program Files\Mozilla Firefox\firefox.exe[3760] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll]  71680000

---- Devices - GMER 1.0.15 ----

Device  \FileSystem\Ntfs \Ntfs  aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice  \FileSystem\Ntfs \Ntfs  aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Udp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
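A parser and triage pass for the record types in this log, added here as an example; it is not part of the GMER output above and not GMER's own code. It groups each SSDT, inline-kernel and user-mode hook by the vendor label GMER attached to the owning module, and lists separately the entries GMER printed with a bare JMP/PUSH target and no module, such as the `JMP 716B0022` hooks on LoadLibraryExW above. The sample log embedded in the block is a constructed subset of the records above; the section and record regexes are my reading of the 1.0.15 output format, not a documented grammar.

```python
"""Parse GMER 1.0.15 hook records and group them by the module they were attributed to.

Added example, not GMER's code. Handles the System (SSDT/Code), Kernel code
sections (PAGE) and User code sections (.text) record types; the regexes are an
assumption about the format based on the log above, not a published grammar.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the records from the log above, in GMER's
# one-record-per-line layout (raw string so the backslashes stay literal).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT  \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)  ZwTerminateProcess [0xF5DD5CBC]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenProcess [0xF5D4664C]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ObInsertObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE  ntoskrnl.exe!ZwLoadDriver 805A8FB2 7 Bytes  JMP F5D53A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes  JMP 01407B40 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes  JMP 716B0022
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3760] USER32.dll!GetClipboardData 7E380DBA 6 Bytes  PUSH 714B0022; RET
.text  C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1120] USER32.dll!GetGUIThreadInfo + FB 7E378023 6 Bytes  JMP 716E001E
"""

# Optional trailer "<module path> (<description>/<company>)"; GMER omits it when it
# cannot map the hook target to a loaded module.
MODULE_TAIL = r"(?:\s+(?P<module>(?:[A-Za-z]:\\|\\).*?)\s+\((?P<vendor>[^()]*)\))?$"

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
SSDT_RE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>(?:[A-Za-z]:\\|\\).*?)\s+\((?P<vendor>[^()]*)\)\s+"
    r"(?P<symbol>\w+)(?:\s+\[0x(?P<target>[0-9A-Fa-f]+)\])?$"
)
KERNEL_RE = re.compile(
    r"^(?P<kind>PAGE|\.text)\s+(?P<symbol>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<patch>.+?)" + MODULE_TAIL
)
USER_RE = re.compile(
    r"^(?P<kind>\.text)\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<symbol>\S+(?: \+ [0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<patch>.+?)" + MODULE_TAIL
)


def parse_gmer_log(text):
    """Return one dict per recognised hook record; IAT/EAT and Devices lines are skipped."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None:
            continue  # scanner banner lines before the first section
        if section.startswith("System"):
            m = SSDT_RE.match(line)
        elif section.startswith("Kernel code"):
            m = KERNEL_RE.match(line)
        elif section.startswith("User code"):
            m = USER_RE.match(line)
        else:
            m = None
        if not m:
            continue
        g = m.groupdict()
        patch, target = g.get("patch"), g.get("target")
        if patch and not target:
            # Pull the 32-bit hook target out of "JMP xxxxxxxx" or "PUSH xxxxxxxx; RET".
            hit = re.search(r"\b[0-9A-Fa-f]{8}\b", patch)
            target = hit.group(0) if hit else None
        records.append({
            "section": section, "kind": g["kind"], "symbol": g["symbol"],
            "process": g.get("process"), "pid": int(g["pid"]) if g.get("pid") else None,
            "patch": patch, "target": target, "module": g.get("module"), "owner": g.get("vendor"),
        })
    return records


def triage(records):
    """Group hooks by the company in GMER's "description/company" label; collect the rest."""
    by_owner, unattributed = defaultdict(set), []
    for r in records:
        where = f"{r['process']}[{r['pid']}]" if r["process"] else "kernel"
        if r["owner"]:
            company = r["owner"].rsplit("/", 1)[-1].strip()
            by_owner[company].add(f"{where}: {r['symbol']}")
        else:
            unattributed.append((where, r["symbol"], r["target"]))
    return {"by_owner": {k: sorted(v) for k, v in by_owner.items()}, "unattributed": unattributed}


if __name__ == "__main__":
    result = triage(parse_gmer_log(SAMPLE_LOG))
    for company, hooks in sorted(result["by_owner"].items()):
        print(f"{company}: {len(hooks)} hook(s)")
        for h in hooks:
            print("   ", h)
    print("Unattributed targets (check what is mapped there before judging):")
    for where, symbol, target in result["unattributed"]:
        print(f"    {where} {symbol} -> {target}")
```

Feed `parse_gmer_log` the full text of a saved GMER log to run it over every record. The unattributed list is a review queue, not a verdict: the log alone does not say what is mapped at 0x716B0022 or the other 0x71xxxxxx targets, so an analyst would look up those addresses in the live process (a debugger's module list, for instance) before drawing a conclusion. IAT/EAT and Devices records are left unparsed here.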