GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-26 00:14:54
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS542525K9SA00 rev.BBFOC33P
Running: gmer.exe; Driver: C:\Users\thomas\AppData\Local\Temp\uxliipob.sys
---- Kernel code sections - GMER 1.0.15 ----
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x87D5B000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x87DA4000, 0x510, 0x40000040]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8BC0D000, 0x1FB52A, 0xE8000020]
? C:\Windows\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1320] ntdll.dll!NtProtectVirtualMemory 76F585D8 5 Bytes JMP 007B000A
.text C:\Windows\system32\svchost.exe[1320] ntdll.dll!NtWriteVirtualMemory 76F58F18 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[1320] ntdll.dll!KiUserExceptionDispatcher 76F59648 5 Bytes JMP 007A000A
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[1544] kernel32.dll!SetUnhandledExceptionFilter 759B6E2D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Windows\Explorer.EXE[3840] ntdll.dll!NtProtectVirtualMemory 76F585D8 5 Bytes JMP 005E000A
.text C:\Windows\Explorer.EXE[3840] ntdll.dll!NtWriteVirtualMemory 76F58F18 5 Bytes JMP 005F000A
.text C:\Windows\Explorer.EXE[3840] ntdll.dll!KiUserExceptionDispatcher 76F59648 5 Bytes JMP 005D000A
.text C:\Windows\system32\wuauclt.exe[4220] ntdll.dll!NtProtectVirtualMemory 76F585D8 5 Bytes JMP 0025000A
.text C:\Windows\system32\wuauclt.exe[4220] ntdll.dll!NtWriteVirtualMemory 76F58F18 5 Bytes JMP 0026000A
.text C:\Windows\system32\wuauclt.exe[4220] ntdll.dll!KiUserExceptionDispatcher 76F59648 5 Bytes JMP 0024000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5408] ntdll.dll!NtProtectVirtualMemory 76F585D8 5 Bytes JMP 0063000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5408] ntdll.dll!NtWriteVirtualMemory 76F58F18 5 Bytes JMP 0064000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5408] ntdll.dll!KiUserExceptionDispatcher 76F59648 5 Bytes JMP 0026000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5888] USER32.dll!GetWindowInfo 76140560 5 Bytes JMP 63815451 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5888] USER32.dll!SetWindowLongA 76140736 3 Bytes JMP 639FEDA6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5888] USER32.dll!SetWindowLongA + 4 7614073A 1 Byte [ED]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5888] USER32.dll!SetWindowLongW 76141F35 3 Bytes JMP 639FED38 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5888] USER32.dll!SetWindowLongW + 4 76141F39 1 Byte [ED]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5888] USER32.dll!TrackPopupMenu 76151417 5 Bytes JMP 63815A99 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- Files - GMER 1.0.15 ----
File C:\ProgramData\Avira\AntiVir Desktop\TEMP\AVSCAN-20110625-200652-3772738F\00000021-03F9B0F7.av$ (size mismatch) 5239088/0 bytes executable
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1ZJOZ53G\backcookie[2].js 2347 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1ZJOZ53G\checkBrowser[5].htm 2232 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1ZJOZ53G\iframe[7] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9HTS83A\viapi[1].xml 36 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9HTS83A\rockb-webfont[1].eot 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9HTS83A\rockbi-webfont[1].eot 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9HTS83A\chunk-webfont[1].eot 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9HTS83A\t[1].gif 49 bytes
---- EOF - GMER 1.0.15 ----