[Vol-users] IAT hook question

Mike Lambert dragonforen at hotmail.com
Thu Jan 17 11:31:42 CST 2013


[Skipped content of type multipart/alternative]
-------------- next part --------------
GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-17 11:13:48
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Scsi\vmscsi1Port2Path0Target0Lun0 VMware,_ rev.1.0_ 10.00GB
Running: gmer 2-0.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgtdypow.sys


---- Kernel code sections - GMER 2.0 ----

?       C:\WINDOWS\system32\Drivers\PROCEXP141.SYS                                                                                                   The system cannot find the file specified. !
?       C:\WINDOWS\system32\Drivers\PROCEXP113.SYS                                                                                                   The system cannot find the file specified. !
?       C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS                                                                                                  The system cannot find the file specified. !

---- User code sections - GMER 2.0 ----

.text   C:\Program Files\Windows NT\svchost.exe[464] C:\Program Files\Windows NT\svchost.exe                                                         section is writeable [0x00401000, 0x1A2A8, 0xC0000020]
.idata  C:\Program Files\Windows NT\svchost.exe[464] C:\Program Files\Windows NT\svchost.exe                                                         unknown last section [0x00425000, 0x14000, 0x40000040]
.text   C:\WINDOWS\system32\SearchIndexer.exe[992] kernel32.dll!WriteFile                                                                            7C810E27 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text   C:\Program Files\Security Task Manager\TaskMan.exe[3812] kernel32.dll!CreateThread + 1A                                                      7C8106F1 4 Bytes  CALL 0044F9FD C:\Program Files\Security Task Manager\TaskMan.exe (Security Task Manager/Neuber Software)

---- User IAT/EAT - GMER 2.0 ----

IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!CreateThread]                           0274EC81
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!ExitProcess]                            08A10000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!ExitThread]                             330041B3
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetCurrentProcessId]                    248489C4
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetCommandLineA]                        00000270
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetStartupInfoA]                        B48B5653
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!TerminateProcess]                       8824BC8B
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetCurrentProcess]                      0F000002
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter]               0000DB84
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter]            0FFF8500
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!IsDebuggerPresent]                      0000D384
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetModuleHandleW]                       249C8B00
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!Sleep]                                  0000028C
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetProcAddress]                         840FDB85
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!WriteFile]                              000000C4
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetStdHandle]                           0F003E83
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetModuleFileNameA]                     0000BB85
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!FreeEnvironmentStringsA]                01046800
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetEnvironmentStrings]                  448D0000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!FreeEnvironmentStringsW]                6A507824
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!WideCharToMultiByte]                    6C15FF00
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetEnvironmentStringsW]                 A1840FC0
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!SetHandleCount]                         8D000000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetFileType]                            E80C244C
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!TlsGetValue]                            74244C8D
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!TlsAlloc]                               6815FF51
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!TlsSetValue]                            8D004150
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!TlsFree]                                52020054
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!InterlockedIncrement]                   [7824448D] C:\WINDOWS\system32\urlmon.dll (OLE32 Extensions for Win32/Microsoft Corporation)
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetCurrentThreadId]                     1D62E814
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!InterlockedDecrement]                   4C8D0000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!HeapCreate]                             29E80C24
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!VirtualFree]                            8B00001D
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!QueryPerformanceCounter]                8B102454
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetTickCount]                           51142444
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime]                1C244C8B
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetCPInfo]                              24548B52
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetACP]                                 52515024
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetOEMCP]                               41524868
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!IsValidCodePage]                        E8575300
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!MultiByteToWideChar]                    0000736E
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!LoadLibraryA]                           016A016A
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!InitializeCriticalSectionAndSpinCount]  15FF006A
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!VirtualAlloc]                           0689C085
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetConsoleCP]                           [00415060] C:\Program Files\Windows NT\svchost.exe
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetConsoleMode]                         0000B73D
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!FlushFileBuffers]                       8B297500
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!LCMapStringA]                           15FF5006
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!LCMapStringW]                           [0041505C] C:\Program Files\Windows NT\svchost.exe
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetStringTypeA]                         0006C75F
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetStringTypeW]                         5E000000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetLocaleInfoA]                         8B5BC033
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!CloseHandle]                            CC330000
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!WriteConsoleA]                          007345E8
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetConsoleOutputCP]                     74C48100
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!WriteConsoleW]                          C3000002
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!SetFilePointer]                         7C248C8B
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!SetStdHandle]                           5F000002
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!CreateFileA]                            CC335B5E
IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [USER32.dll!MessageBoxA]                              7328E800

---- Threads - GMER 2.0 ----

Thread  System [4:3228]                                                                                                                              B13A4310
Thread  System [4:3472]                                                                                                                              B13A4310

---- EOF - GMER 2.0 ----
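
The "User IAT/EAT" block above is the part worth triaging, and the way to read it is the same check Volatility's apihooks plugin applies: every IAT slot of a process should hold an address inside the DLL that exports the function. GMER prints a bracketed address plus a module path when it could map the slot's value to a loaded module (here urlmon.dll, or svchost.exe's own image), and a bare value when it could not. Below is an added example, written for this page and not code from the original post, from GMER or from Volatility, that parses a few of the log lines above and sorts each slot into "ok", "hooked" (points into some other mapped module) or "unresolved" (points into no module at all). The module map is an assumption standing in for what dlllist/ldrmodules would give for PID 464: the kernel32 and user32 bases are the usual XP SP3 ones and agree with the 7C81xxxx kernel32 addresses elsewhere in the log, the svchost.exe range comes from the section addresses GMER printed, and the urlmon range is chosen only so that GMER's own resolution of 7824448D is reproduced. The final heuristic encodes the caveat a practitioner would apply here: when most slots of one process resolve to nothing, and the same process shows "section is writeable" and "unknown last section", the table that was walked is more likely a packed or self-modifying image whose in-memory import directory does not describe a real IAT than dozens of independent hooks, so dump the process and compare against its on-disk headers before calling each slot a hook.

```python
"""Triage of GMER "User IAT/EAT" entries against a process module map.

Added example, not part of the original post or of GMER/Volatility.
Each IAT slot should point into the DLL that exports the function; a slot
pointing into another module is a hook, and a slot pointing into no module
is either a trampoline outside any image or not a pointer at all.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Lines copied from the GMER log above (svchost.exe, PID 464).
GMER_LINES = [
    r"IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!CreateThread]                           0274EC81",
    r"IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!InterlockedIncrement]                   [7824448D] C:\WINDOWS\system32\urlmon.dll (OLE32 Extensions for Win32/Microsoft Corporation)",
    r"IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetConsoleCP]                           [00415060] C:\Program Files\Windows NT\svchost.exe",
    r"IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [USER32.dll!MessageBoxA]                              7328E800",
]

# GMER layout: "IAT <image>[pid] @ <owner> [<dll>!<func>] <value>" where the
# value is either "[ADDR] <module path ...>" (resolved) or a bare "ADDR".
IAT_RE = re.compile(
    r"^IAT\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<owner>.+?)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+"
    r"(?:\[(?P<addr1>[0-9A-Fa-f]{8})\]\s+(?P<target>.*?)|(?P<addr2>[0-9A-Fa-f]{8}))\s*$"
)


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Assumed module map for PID 464 (see the lead-in for where each range comes
# from; the urlmon range in particular is an assumption, not a measured value).
MODULES = [
    Module("svchost.exe", 0x00400000, 0x00039000),   # .idata 0x425000 + 0x14000
    Module("kernel32.dll", 0x7C800000, 0x000F6000),  # XP SP3, matches 7C81xxxx
    Module("user32.dll", 0x7E410000, 0x00091000),    # XP SP3
    Module("urlmon.dll", 0x78130000, 0x00130000),    # assumed, covers 7824448D
]


@dataclass(frozen=True)
class IatEntry:
    dll: str
    func: str
    value: int


def parse_gmer_iat(line: str) -> Optional[IatEntry]:
    """Parse one GMER 'IAT' line; return None for any other line type."""
    m = IAT_RE.match(line)
    if not m:
        return None
    addr = m.group("addr1") or m.group("addr2")
    return IatEntry(m.group("dll"), m.group("func"), int(addr, 16))


def find_module(addr: int, modules: Iterable[Module]) -> Optional[Module]:
    for mod in modules:
        if mod.contains(addr):
            return mod
    return None


def classify(entry: IatEntry, modules: Iterable[Module]) -> Tuple[str, str]:
    """'ok' if the slot points into the exporting DLL, 'hooked' if it points
    into some other mapped module, 'unresolved' if no module contains it."""
    holder = find_module(entry.value, modules)
    if holder is None:
        return "unresolved", "0x%08X is in no mapped module" % entry.value
    if holder.name.lower() == entry.dll.lower():
        return "ok", holder.name
    return "hooked", holder.name


def triage(lines: Iterable[str], modules: Iterable[Module]) -> Dict[str, Tuple[str, str]]:
    results: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        entry = parse_gmer_iat(line)
        if entry is not None:
            results["%s!%s" % (entry.dll, entry.func)] = classify(entry, modules)
    return results


def iat_looks_bogus(results: Dict[str, Tuple[str, str]], threshold: float = 0.5) -> bool:
    """Heuristic: when at least `threshold` of the slots resolve to nothing,
    the walked table is probably not a real import table (packed or
    self-modifying image) rather than that many independent hooks."""
    if not results:
        return False
    unresolved = sum(1 for verdict, _ in results.values() if verdict == "unresolved")
    return unresolved / len(results) >= threshold


if __name__ == "__main__":
    res = triage(GMER_LINES, MODULES)
    for name, (verdict, detail) in res.items():
        print("%-34s %-10s %s" % (name, verdict, detail))
    print("IAT looks bogus:", iat_looks_bogus(res))
```

Run against the four sample lines, two slots are unresolved, InterlockedIncrement is a hook into urlmon.dll and GetConsoleCP points back into svchost.exe's own image; with half the slots unresolved the bogus-IAT heuristic fires, which is the cue to dump the process with Volatility and diff its headers against the on-disk file rather than chase each slot.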

