No desktop icon after removing Windows Recovery malware

Hi,

The IT guy at work removed the Windows Recovery malware off my work machine but I still can't see any icons on the desktop or the start menu. I'm not 100% sure of what he did, but I think he removed it manually. He wants to do a re-format but I was hoping to avoid this. I have tried to use the unhide.exe from bleepingcomputer and still no luck.

Any help would be great. The logs are below.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6502

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/05/2011 9:27:17 PM
mbam-log-2011-05-04 (21-27-17).txt

Scan type: Quick scan
Objects scanned: 208643
Time elapsed: 9 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-05-04 21:51:53
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 FUJITSU_ rev.0084
Running: ju5mobv9.exe; Driver: C:\DOCUME~1\peter\LOCALS~1\Temp\uweirfob.sys


---- System - GMER 1.0.15 ----

SSDT 897B5348 ZwAlertResumeThread
SSDT 8979A350 ZwAlertThread
SSDT 898760E8 ZwAllocateVirtualMemory
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xA284CFC0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xB9E83818]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xA284DA56]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xB9E837D0]
SSDT 897D24F8 ZwCreateMutant
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9E77A20]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xBA2CCDB6]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwDeleteFile [0xBA2CBE12]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xA285127C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xA28512AE]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xB9E782A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xB9E83910]
SSDT 8957A8D8 ZwFreeVirtualMemory
SSDT 89483898 ZwImpersonateAnonymousToken
SSDT 89813BA0 ZwImpersonateThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xA2851410]
SSDT 89881388 ZwMapViewOfSection
SSDT 897B8C90 ZwOpenEvent
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xA284DB2C]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xB9E83794]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xA284D104]
SSDT 896C10A8 ZwOpenProcessToken
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xA284D2F6]
SSDT 8986BD30 ZwOpenThreadToken
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xA284D428]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xB9E782C8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xA2851386]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xA28512F0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xA2851322]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xA2851354]
SSDT 896AA098 ZwResumeThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xA284CF66]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwSetInformationFile [0xBA2CBE86]
SSDT 89859A38 ZwSetInformationProcess
SSDT 89887AE8 ZwSetInformationThread
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xB9E830B0]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwSetValueKey [0xBA2CCC92]
SSDT 89837AD8 ZwSuspendProcess
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xA284CF02]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwTerminateProcess [0xBA2CBD98]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xA284CE9E]
SSDT 89390980 ZwUnmapViewOfSection
SSDT 898C1B20 ZwWriteVirtualMemory

INT 0x62 ? 8A9E2BF8
INT 0x63 ? 8982FBF8
INT 0x73 ? 8982FBF8
INT 0x74 ? 8982FBF8
INT 0x84 ? 8982FBF8
INT 0x94 ? 8982FBF8
INT 0xA4 ? 8A9E3BF8
INT 0xA4 ? 8982FBF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C28 805044C4 4 Bytes CALL 4AD9CC29
PAGE ntkrnlpa.exe!ZwQueryValueKey + 349 8062265D 7 Bytes JMP BA68EFC8
? sphj.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B91BF8AC 5 Bytes JMP 8982F1D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[740] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00414130 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[740] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A60001
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[740] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71A00022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[740] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71A90022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3172] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 0043EA30 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3172] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A80001
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3172] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 71AE001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3172] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 719E0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3172] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71A20022

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] sphj.sys

---- Devices - GMER 1.0.15 ----

Device 8A9DF1F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 86508500
Device 895DF950
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8982E1F8
Device \Driver\usbuhci \Device\USBPDO-1 8982E1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A9E41F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A9E41F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A9E41F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A9E41F8
Device \Driver\usbehci \Device\USBPDO-2 897981F8
Device \Driver\usbehci \Device\USBPDO-3 897981F8
Device \Driver\usbuhci \Device\USBPDO-4 8982E1F8
Device \Driver\usbuhci \Device\USBPDO-5 8982E1F8
Device \Driver\usbuhci \Device\USBPDO-6 8982E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AA3A1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{3CBD72F7-7738-480F-AE11-68E4801110EE} 865F6500
Device \Driver\Cdrom \Device\CdRom0 8954DF00
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AA3A1F8
Device \FileSystem\Rdbss \Device\FsWrap 89843330
Device \Driver\iaStor \Device\Ide\iaStor0 [B9D53D30] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 89844188
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89844188
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9D53D30] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8954DF00
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AA3A1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CDCCBDF4-FF11-45A5-B356-BB14700F3A16} 865F6500
Device \Driver\NetBT \Device\NetBt_Wins_Export 865F6500
Device \Driver\NetBT \Device\NetbiosSmb 865F6500
Device \Driver\USBSTOR \Device\000000d3 864CD4A0
Device \FileSystem\Srv \Device\LanmanServer 85CE76B0
Device \Driver\USBSTOR \Device\000000d4 864CD4A0
Device \Driver\usbuhci \Device\USBFDO-0 8982E1F8
Device \Driver\usbuhci \Device\USBFDO-1 8982E1F8
Device \Driver\usbehci \Device\USBFDO-2 897981F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 866A8500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 864C7878
Device \Driver\usbuhci \Device\USBFDO-3 8982E1F8
Device 866A8500
Device 864C7878
Device \FileSystem\Npfs \Device\NamedPipe 895F2AF8
Device \Driver\usbuhci \Device\USBFDO-4 8982E1F8
Device \Driver\Ftdisk \Device\FtControl 8AA3A1F8
Device \Driver\usbuhci \Device\USBFDO-5 8982E1F8
Device \FileSystem\Msfs \Device\Mailslot 8952E930
Device \Driver\usbehci \Device\USBFDO-6 897981F8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 895388A8
Device \Driver\d347prt \Device\Scsi\d347prt1 895388A8

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 89661D00
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 89661D00
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 89661D00
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 89661D00
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 89661D00
Device \FileSystem\Cdfs \Cdfs 8657A500
Device \FileSystem\Cdfs \Cdfs 89644CA8
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.15 ----

Module _________ B9CFE000-B9D16000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8B 0xE3 0x91 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x10 0xBC 0x41 0xBF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8B 0xE3 0x91 0x67 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x10 0xBC 0x41 0xBF ...

---- EOF - GMER 1.0.15 ----
 
Welcome to TechSpot! A clean Mbam scan and a questionable GMER scan don't give me enough to go on.

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Note: If this is a system that is used for work, with any specialized software on it, I may send you back to your IT person. Sometimes, reformats are suggested for the simple reason that the person doesn't know how to troubleshoot. I don't know if this relates to you or not, but ...
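As an added illustration (not part of this thread), here is a small Python triage of five lines copied from the GMER log above, showing what a reviewer means by a "questionable" scan: SSDT hooks that resolve to a bare kernel address instead of a named module, a hooking module with no vendor string, a driver GMER cannot find on disk, and an IAT redirect in i8042prt.sys pointing at that same driver. The regexes and verdict wording are my own; they separate entries worth a human look from ones attributed to a named vendor, and are a starting point for review rather than a judgement on this machine.

```python
import re

# Constructed sample: five lines copied verbatim from the GMER log posted in this thread.
SAMPLE_LOG = r"""
SSDT 897B5348 ZwAlertResumeThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xA284DA56]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xB9E83818]
? sphj.sys The system cannot find the file specified. !
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] sphj.sys
"""

# Line shapes as GMER 1.0.15 prints them; the patterns are mine, derived from the log above.
SSDT_BARE = re.compile(r"^SSDT ([0-9A-F]{8}) (Zw\w+)$")                          # hook -> raw address
SSDT_MOD = re.compile(r"^SSDT (.+?) \((.*?)/(.*?)\) (Zw\w+) \[0x[0-9A-F]+\]$")  # hook -> named module
MISSING = re.compile(r"^\? (\S+) The system cannot find the file specified")
IAT_HOOK = re.compile(r"^IAT ([^\[]+)\[([^\]]+)\] \[[0-9A-F]+\] (\S+)$")


def triage(log: str) -> list:
    """One finding per hook line, with a review verdict (verdict wording is my own)."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := SSDT_BARE.match(line):
            # GMER could not map the hook to any loaded module: needs a human look.
            findings.append({"target": m.group(2), "module": None, "vendor": None,
                             "verdict": "review: hook address not mapped to a loaded module"})
        elif m := SSDT_MOD.match(line):
            vendor = m.group(3).strip() or None
            findings.append({"target": m.group(4), "module": m.group(1), "vendor": vendor,
                             "verdict": "attributed: confirm this product is installed" if vendor
                             else "review: module carries no vendor string"})
        elif m := MISSING.match(line):
            # A driver that hooks the kernel but has no file on disk is the classic self-hiding sign.
            findings.append({"target": None, "module": m.group(1), "vendor": None,
                             "verdict": "review: hooking driver not found on disk"})
        elif m := IAT_HOOK.match(line):
            findings.append({"target": f"{m.group(1)}[{m.group(2)}]", "module": m.group(3),
                             "vendor": None, "verdict": "review: import redirected to " + m.group(3)})
    return findings


def needs_review(findings: list) -> list:
    """Findings a responder should look at; a module named in several findings is marked."""
    flagged = [dict(f) for f in findings if f["verdict"].startswith("review")]
    names = [f["module"] for f in flagged if f["module"]]
    for f in flagged:
        if f["module"] and names.count(f["module"]) > 1:
            f["verdict"] += " (module appears in more than one finding)"
    return flagged
```

Run `needs_review(triage(SAMPLE_LOG))` on the full log to get the short list a responder would actually read; the Trusteer entries drop out once the product is confirmed installed.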
 