Posted 01-23-2010, 06:40 AM by fraggle8
Junior Member
Join Date: Jan 2010
Posts: 10

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-23 11:38:30
Windows 6.1.7600
Running: tzrcl0uz.exe; Driver: C:\Users\SARAAN~1\AppData\Local\Temp\uxlciuob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwOpenProcess [0x9AE79620]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateProcess [0x9AE796D0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateThread [0x9AE79770]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwWriteVirtualMemory [0x9AE79810]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3CAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3C104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3C3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E252D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E24898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3C1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3C958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3C6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3CF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3D1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A55579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A79F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82A819E8 4 Bytes [20, 96, E7, 9A]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82A81CB8 8 Bytes [D0, 96, E7, 9A, 70, 97, E7, ...] {RCL BYTE [ESI-0x688f6519], 0x1; OUT 0x9a, EAX}
.text ntkrnlpa.exe!RtlSidHashLookup + 82C 82A81D2C 4 Bytes [10, 98, E7, 9A]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EE25340, 0x3EE217, 0xE8000020]
.text peauth.sys A3439C9D 28 Bytes [DE, AE, 95, 23, 4D, 98, 95, ...]
.text peauth.sys A3439CC1 28 Bytes [DE, AE, 95, 23, 4D, 98, 95, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[712] ole32.dll!CoCreateInstance 762157FC 5 Bytes JMP 008C000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[1388] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [759F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1388] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [759F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1388] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [759F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1388] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [759F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1388] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [759F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1388] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [759F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85973618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6b71ee28
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6b71ee28@0017839f9f58 0x3C 0xB7 0xEE 0x6B ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6b71ee28 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6b71ee28@0017839f9f58 0x3C 0xB7 0xEE 0x6B ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----