GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-18 23:09:45
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\pxtdypow.sys
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA0F8BFE]
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\ftdisk.sys entry point in ".rsrc" section [0xB9F65314]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB83EB380, 0x34C81F, 0xE8000020]
init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB0A72280]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[436] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B5000A
.text C:\WINDOWS\Explorer.EXE[436] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BF000A
.text C:\WINDOWS\Explorer.EXE[436] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B4000C
.text C:\Program Files\Java\jre6\bin\jusched.exe[648] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00F60001
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
.text C:\WINDOWS\System32\svchost.exe[1240] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 026A000A
.text C:\WINDOWS\System32\svchost.exe[1240] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 0207000A
.text C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE[2100] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 011F0001
.text C:\WINDOWS\stsystra.exe[2240] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 016B0001
.text C:\Program Files\iTunes\iTunesHelper.exe[2332] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 02920001
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2340] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 010A0001
.text C:\WINDOWS\ehome\ehtray.exe[2392] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 016E0001
.text ...
.text C:\WINDOWS\system32\wuauclt.exe[3220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\wuauclt.exe[3220] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[3220] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \FileSystem\Fastfat \Fat A9AAAC8A
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \Driver\iastor \Device\Harddisk0\DR0 8A65FAC8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\modules@ESQULserv
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\modules@ESQULl
Reg HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys\modules@ESQULclk
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification
File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification
---- EOF - GMER 1.0.15 ----