GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-17 11:13:48
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Scsi\vmscsi1Port2Path0Target0Lun0 VMware,_ rev.1.0_ 10.00GB
Running: gmer 2-0.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgtdypow.sys

---- Kernel code sections - GMER 2.0 ----

?       C:\WINDOWS\system32\Drivers\PROCEXP141.SYS    The system cannot find the file specified. !
?       C:\WINDOWS\system32\Drivers\PROCEXP113.SYS    The system cannot find the file specified. !
?       C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS   The system cannot find the file specified. !

---- User code sections - GMER 2.0 ----

.text   C:\Program Files\Windows NT\svchost.exe[464] C:\Program Files\Windows NT\svchost.exe section is writeable [0x00401000, 0x1A2A8, 0xC0000020]
.idata  C:\Program Files\Windows NT\svchost.exe[464] C:\Program Files\Windows NT\svchost.exe unknown last section [0x00425000, 0x14000, 0x40000040]
.text   C:\WINDOWS\system32\SearchIndexer.exe[992] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text   C:\Program Files\Security Task Manager\TaskMan.exe[3812] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044F9FD C:\Program Files\Security Task Manager\TaskMan.exe (Security Task Manager/Neuber Software)

---- User IAT/EAT - GMER 2.0 ----

IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!CreateThread] 0274EC81
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!ExitProcess] 08A10000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!ExitThread] 330041B3
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 248489C4
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetCommandLineA] 00000270
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetStartupInfoA] B48B5653
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!TerminateProcess] 8824BC8B
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetCurrentProcess] 0F000002
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 0000DB84
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 0FFF8500
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!IsDebuggerPresent] 0000D384
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetModuleHandleW] 249C8B00
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!Sleep] 0000028C
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetProcAddress] 840FDB85
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!WriteFile] 000000C4
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetStdHandle] 0F003E83
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetModuleFileNameA] 0000BB85
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!FreeEnvironmentStringsA] 01046800
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetEnvironmentStrings] 448D0000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!FreeEnvironmentStringsW] 6A507824
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 6C15FF00
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetEnvironmentStringsW] A1840FC0
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!SetHandleCount] 8D000000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetFileType] E80C244C
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!TlsGetValue] 74244C8D
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!TlsAlloc] 6815FF51
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!TlsSetValue] 8D004150
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!TlsFree] 52020054
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!InterlockedIncrement] [7824448D] C:\WINDOWS\system32\urlmon.dll (OLE32 Extensions for Win32/Microsoft Corporation)
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 1D62E814
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!InterlockedDecrement] 4C8D0000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!HeapCreate] 29E80C24
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!VirtualFree] 8B00001D
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 8B102454
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetTickCount] 51142444
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 1C244C8B
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetCPInfo] 24548B52
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetACP] 52515024
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetOEMCP] 41524868
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!IsValidCodePage] E8575300
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!MultiByteToWideChar] 0000736E
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!LoadLibraryA] 016A016A
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!InitializeCriticalSectionAndSpinCount] 15FF006A
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!VirtualAlloc] 0689C085
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetConsoleCP] [00415060] C:\Program Files\Windows NT\svchost.exe
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetConsoleMode] 0000B73D
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!FlushFileBuffers] 8B297500
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!LCMapStringA] 15FF5006
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!LCMapStringW] [0041505C] C:\Program Files\Windows NT\svchost.exe
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetStringTypeA] 0006C75F
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetStringTypeW] 5E000000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetLocaleInfoA] 8B5BC033
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!CloseHandle] CC330000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!WriteConsoleA] 007345E8
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetConsoleOutputCP] 74C48100
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!WriteConsoleW] C3000002
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!SetFilePointer] 7C248C8B
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!SetStdHandle] 5F000002
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!CreateFileA] CC335B5E
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [USER32.dll!MessageBoxA] 7328E800

---- Threads - GMER 2.0 ----

Thread  System [4:3228]   B13A4310
Thread  System [4:3472]   B13A4310

---- EOF - GMER 2.0 ----