Hi Dragonmasterjay, I was hoping I would hear from you sooner or later. I had the same problem with this new version of GMER locking up my system about 5 seconds after the scan completed. I was able to get a log though:
(Broken up due to 50000 character limit)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-23 20:23:41
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pggdikod.sys
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!RtlPrefetchMemoryNonTemporal 85EA2068 1 Byte [90]
.text ntkrnlpa.exe!ZwQueryLicenseValue + D21 85EA5BD9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 4FA 85F02EEA 18 Bytes [E0, 25, 7F, FF, FF, FF, 0F, ...]
.text ntkrnlpa.exe!KiDispatchInterrupt + 512 85F02F02 1 Byte [00]
.text ntkrnlpa.exe!KeSetTimerEx + 34C 85F06A10 4 Bytes [D0, FB, 58, 96] {SAR BL, 0x1; POP EAX; XCHG ESI, EAX}
.text ntkrnlpa.exe!KeSetTimerEx + 370 85F06A34 8 Bytes [2C, 15, 59, 96, 82, 17, 59, ...] {SUB AL, 0x15; POP ECX; XCHG ESI, EAX; ADC BYTE [EDI], 0x59; XCHG ESI, EAX}
.text ntkrnlpa.exe!KeSetTimerEx + 3B4 85F06A78 4 Bytes [FC, 19, 59, 96] {CLD ; SBB [ECX-0x6a], EBX}
.text ntkrnlpa.exe!KeSetTimerEx + 3DC 85F06AA0 4 Bytes [50, 04, 59, 96] {PUSH EAX; ADD AL, 0x59; XCHG ESI, EAX}
.text ntkrnlpa.exe!KeSetTimerEx + 3F4 85F06AB8 4 Bytes [32, 0B, 59, 96] {XOR CL, [EBX]; POP ECX; XCHG ESI, EAX}
.text ...
PAGE spsys.sys!?SPVersion@@3PADA + 1A67 8244F03F 105 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1AD1 8244F0A9 134 Bytes [82, 8B, C1, F0, 0F, B1, 16, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1B58 8244F130 6 Bytes [0E, 83, 78, 14, 01, 75]
PAGE spsys.sys!?SPVersion@@3PADA + 1B5F 8244F137 2214 Bytes [83, 78, 18, 37, 75, 02, B3, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 2406 8244F9DE 47 Bytes [04, BB, A8, 01, 00, 00, 8D, ...]
PAGE ...
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\System32\spoolsv.exe[1836] msonpmon.dll!InitializePrintMonitor2 + FFFFF09C 72391418 4 Bytes [D0, D4, 98, EA]
.text C:\Windows\System32\spoolsv.exe[1836] msonpppr.dll!EnumPrintProcessorDatatypesW + FFFFCA40 71E612FC 4 Bytes [B0, B8, 96, EA]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2128] C:\Windows\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2128] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 32.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2128] USER32.dll!GetAppCompatFlags2 + 880 77CB6390 4 Bytes [70, 11, 33, 6D]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\Windows\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 32.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] USER32.dll!GetAppCompatFlags2 + 880 77CB6390 4 Bytes [70, 11, 33, 6D]
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\klavemu.kdl section is writeable [0x38401000, 0x17C000, 0xE0000020]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\klavemu.kdl entry point in ".pklav" section [0x3870B1A8]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\klavemu.kdl unknown last code section [0x3870B000, 0x2000, 0xE00000E0]
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\kjim.kdl section is writeable [0x38801000, 0x6E000, 0xE0000020]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\kjim.kdl entry point in ".pklav" section [0x38978118]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\kjim.kdl unknown last code section [0x38978000, 0x2000, 0xE00000E0]
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\mark.kdl section is writeable [0x38301000, 0x1F000, 0xE0000020]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\mark.kdl entry point in ".pklav" section [0x3832B1E0]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\mark.kdl unknown last code section [0x3832B000, 0x2000, 0xE00000E0]
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\qscan.kdl section is writeable [0x38C01000, 0x7B000, 0xE0000020]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\qscan.kdl entry point in ".pklav" section [0x38C9317C]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\qscan.kdl unknown last code section [0x38C93000, 0x2000, 0xE00000E0]
CODE C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avzkrnl.dll entry point in "CODE" section [0x6D1E6CB4]
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\kavsys.kdl section is writeable [0x38D01000, 0x1E000, 0xE0000020]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\kavsys.kdl entry point in ".pklav" section [0x38D2B260]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\kavsys.kdl unknown last code section [0x38D2B000, 0x2000, 0xE00000E0]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\webav.kdl number of sections mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\webav.kdl section is writeable [0x10001000, 0x26000, 0xE0000020]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\webav.kdl entry point in ".pklav" section [0x1002E110]
.pklav C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2460] C:\ProgramData\Kaspersky Lab\AVP9\Bases\webav.kdl unknown last code section [0x1002E000, 0x2000, 0xE00000E0]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] mshtml.dll!IERegisterXMLNS + FFC9943E 6DCEC2A0 4 Bytes [40, 09, CB, 70]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] mshtml.dll!IERegisterXMLNS + FFC9945A 6DCEC2BC 16 Bytes [B0, 09, CB, 70, 20, 0A, CB, ...]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] mshtml.dll!DllGetClassObject + E81B 6DCFBC30 4 Bytes [10, 07, CB, 70]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] mshtml.dll!DllGetClassObject + E833 6DCFBC48 4 Bytes [80, 07, CB, 70]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] mshtml.dll!DllGetClassObject + C41BF 6DDB15D4 4 Bytes [70, 04, CB, 70]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] mshtml.dll!DllGetClassObject + C41DB 6DDB15F0 16 Bytes [E0, 04, CB, 70, 50, 05, CB, ...]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] mshtml.dll!DllGetClassObject + CD237 6DDBA64C 4 Bytes [A0, 06, CB, 70]
? C:\Program Files\Windows Sidebar\sidebar.exe[2532] C:\Windows\system32\ieframe.dll time/date stamp mismatch; unknown module: IEFRAME.dllunknown module: MSIMG32.dllunknown module: VERSION.dllunknown module: WINMM.dllunknown module: MPR.dllunknown module: OCCACHE.dllunknown module: urlmon.dllunknown module: OLEACC.dllunknown module: MLANG.dllunknown module: CRYPTUI.dllunknown module: WINTRUST.dllunknown module: IMM32.dllunknown module: msi.dllunknown module: MSHTML.dllunknown module: INETCOMM.dllunknown module: MSRATING.dllunknown module: gdiplus.dllunknown module: UxTheme.dllunknown module: IEUI.dllunknown module: msfeeds.dllunknown module: RASAPI32.dllunknown module: USP10.dllunknown module: credui.dllunknown module: IEShims.dllunknown module: wer.dllunknown module: OLEAUT32.dllunknown module: iertutil.dllunknown module: ieframe.dll)),argb(0,0,0,0))" /></if> <if keyfocused="true"><button contentalign = "middlecenter | focusrect" /></if> <if pressed="true" mousefocused="true"><button background = "themeable(resbmp(0xA602,6,-1,21,20,0,0,library(ieframe.dll)),argb(0,0,0,0))" padding = "theme
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] ieframe.dll!DllCanUnloadNow + 9CCB 7021E8CC 3 Bytes [D0, 08, CB] {ROR BYTE [EAX], 0x1; RETF }
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] jscript.dll!DllRegisterServer + FFF98077 6E6B00D8 4 Bytes [80, 00, CB, 70]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] jscript.dll!DllRegisterServer + FFF9D5CB 6E6B562C 4 Bytes [20, 03, CB, 70]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] jscript.dll!DllRegisterServer + FFF9D5DF 6E6B5640 4 Bytes [90, 03, CB, 70]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] jscript.dll!DllRegisterServer + FFF9D607 6E6B5668 4 Bytes [00, 04, CB, 70]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] jscript.dll!DllGetClassObject + 67E3 6E6BD818 4 Bytes [F0, 00, CB, 70]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] jscript.dll!DllGetClassObject + 67EB 6E6BD820 8 Bytes [60, 01, CB, 70, D0, 01, CB, ...]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] jscript.dll!DllGetClassObject + 67F7 6E6BD82C 4 Bytes [40, 02, CB, 70]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] jscript.dll!DllGetClassObject + 681F 6E6BD854 4 Bytes [B0, 02, CB, 70]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2532] jscript.dll!DllGetClassObject + 6B1F 6E6BDB54 4 Bytes [60, 08, CB, 70]
.text ...
UPX1 C:\Users\Administrator\Desktop\gmer.exe[3992] C:\Users\Administrator\Desktop\gmer.exe entry point in "UPX1" section [0x004B3F40]
.text C:\Windows\system32\wbem\wmiprvse.exe[4024] OLMAPI32.DLL!HrACLCopy@8 + 29CDD 6AF9BFB4 4 Bytes [C8, 80, 42, 31] {ENTER 0x4280, 0x31}
.text C:\Windows\system32\wbem\wmiprvse.exe[4024] mso.dll!_MsoFSetTooltips@4 + 1DC2A0 6927E568 4 Bytes [75, A4, 50, 31]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\System32\svchost.exe[1148] @ c:\windows\system32\RASAPI32.dll [TAPI32.dll!lineTranslateAddressW] [6FC43F8E] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1148] @ c:\windows\system32\RASAPI32.dll [TAPI32.dll!lineGetCountryW] [6FC2E2C1] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1148] @ c:\windows\system32\RASAPI32.dll [TAPI32.dll!lineGetTranslateCapsW] [6FC43B50] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1148] @ C:\Windows\System32\RASDLG.dll [TAPI32.dll!lineTranslateAddressW] [6FC43F8E] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1148] @ C:\Windows\System32\RASDLG.dll [TAPI32.dll!LOpenDialAsst] [6FC2B079] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1148] @ C:\Windows\System32\RASDLG.dll [TAPI32.dll!lineSetCurrentLocation] [6FC42833] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1148] @ C:\Windows\System32\RASDLG.dll [TAPI32.dll!lineGetCountryW] [6FC2E2C1] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1148] @ C:\Windows\System32\RASDLG.dll [TAPI32.dll!lineGetTranslateCapsW] [6FC43B50] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1148] @ C:\Windows\System32\RASDLG.dll [TAPI32.dll!lineConfigDialogW] [6FC33D76] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1148] @ C:\Windows\System32\RASDLG.dll [TAPI32.dll!lineTranslateDialogW] [6FC426BB] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineDrop] [6FC2CB42] C:\Windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineGetTranslateCapsA] [6FC43A93] C:\Windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineAccept] [6FC2BD0B] C:\Windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineAnswer] [6FC2BECC] C:\Windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineMakeCallA] [6FC2F6CA] C:\Windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineGetDevConfigA] [6FC2E83E] C:\Windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineSetDevConfigA] [6FC30BD3] C:\Windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineInitializeExA] [6FC259A6] C:\Windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineDevSpecific] [6FC2C7BE] C:\Windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineSetStatusMessages] [6FC30EFD] C:\Windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineGetCallInfoA] [6FC2E10D] C:\Windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\rastapi.dll [TAPI32.dll!lineNegotiateAPIVersion]
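A log this long is easier to triage once it is parsed rather than read top to bottom. The script below is an added example, not part of the post above and not GMER's own code. It parses the two line formats that make up most of the log (code-section patches, in both the kernel form and the user-mode form that carries a `path[pid]` prefix, and IAT entries), sums patched bytes per kernel module, counts user-mode hooks per process, and flags any IAT entry whose resolved address lies in a module other than the DLL named in the import. The embedded sample reuses a handful of lines from the posted log plus one constructed IAT line that points at a made-up module (`hypothetical.dll`) so that the redirection check has something to fire on; that line and module name are assumptions for the example, as is the choice to skip lines that match neither format rather than parse them.

```python
"""Triage helper for GMER 1.0.15-style logs (added example, not GMER's own code).

Parses code-section and IAT lines and summarises what was patched where.
"""
import json
import ntpath
import re
from collections import Counter

# Section headers such as "---- Kernel code sections - GMER 1.0.15 ----"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")

# Code-section lines. Kernel form:
#   .text ntkrnlpa.exe!KeSetTimerEx + 34C 85F06A10 4 Bytes [D0, FB, 58, 96] {SAR BL, 0x1; ...}
# User-mode form carries "path[pid]" before the module:
#   .text C:\Windows\System32\spoolsv.exe[1836] msonpmon.dll!InitializePrintMonitor2 + FFFFF09C 72391418 4 Bytes [...]
CODE_RE = re.compile(
    r"^(?P<section>\S+)\s+"
    r"(?:(?P<procpath>.+?)\[(?P<pid>\d+)\]\s+)?"      # absent on kernel lines
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+)"
    r"(?:\s+\+\s+(?P<offset>[0-9A-F]+))?\s+"          # "+ 34C" is optional
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"\[(?P<bytes>[^\]]*)\]"
)

# IAT lines: importer, imported "DLL!function", resolved address, module that address lies in
#   IAT C:\...\svchost.exe[1148] @ c:\...\RASAPI32.dll [TAPI32.dll!lineDrop] [6FC2CB42] c:\...\TAPI32.dll (description)
IAT_RE = re.compile(
    r"^IAT\s+(?P<procpath>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>.+?)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<target>[0-9A-F]+)\]\s+"
    r"(?P<target_mod>.+?)\s*(?:\(.*)?$"
)

# Constructed sample: a few lines copied from the posted log, plus one made-up
# IAT line (hypothetical.dll) so the redirection check has something to report.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-23 20:23:41
Windows 6.0.6001 Service Pack 1

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!RtlPrefetchMemoryNonTemporal 85EA2068 1 Byte [90]
.text ntkrnlpa.exe!KeSetTimerEx + 34C 85F06A10 4 Bytes [D0, FB, 58, 96] {SAR BL, 0x1; POP EAX; XCHG ESI, EAX}
PAGE spsys.sys!?SPVersion@@3PADA + 1A67 8244F03F 105 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\spoolsv.exe[1836] msonpmon.dll!InitializePrintMonitor2 + FFFFF09C 72391418 4 Bytes [D0, D4, 98, EA]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2128] C:\Windows\system32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[2128] USER32.dll!GetAppCompatFlags2 + 880 77CB6390 4 Bytes [70, 11, 33, 6D]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\System32\svchost.exe[1148] @ c:\windows\system32\RASAPI32.dll [TAPI32.dll!lineTranslateAddressW] [6FC43F8E] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1148] @ C:\Windows\System32\RASDLG.dll [TAPI32.dll!lineGetCountryW] [6FC2E2C1] c:\windows\system32\TAPI32.dll (Microsoft® Windows(TM) Telephony API Client DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1148] @ C:\Windows\System32\RASDLG.dll [TAPI32.dll!lineGetCountryW] [10001234] C:\Windows\system32\hypothetical.dll (constructed example, not from the posted log)
"""


def proc_key(entry):
    """Short 'image[pid]' label for a user-mode entry."""
    return f"{ntpath.basename(entry['procpath'])}[{entry['pid']}]"


def parse_gmer(text):
    """Split a GMER log into kernel patches, user-mode patches, IAT entries and unparsed lines."""
    kernel, user, iat, other = [], [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        m = IAT_RE.match(line)
        if m:
            d = m.groupdict()
            d["target_base"] = ntpath.basename(d["target_mod"])
            # Resolved address sits in a module other than the imported DLL: worth a look.
            d["redirected"] = d["target_base"].lower() != d["dll"].lower()
            iat.append(d)
            continue
        m = CODE_RE.match(line)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            (user if d["procpath"] else kernel).append(d)
            continue
        other.append(line)  # headers, "section is writeable", elisions, etc.
    return {"kernel": kernel, "user": user, "iat": iat, "other": other}


def summarize(parsed):
    """Aggregate counts a triager would want before reading individual lines."""
    kernel_bytes = Counter()
    for e in parsed["kernel"]:
        kernel_bytes[e["module"]] += e["size"]
    return {
        "kernel_patches_by_module": dict(Counter(e["module"] for e in parsed["kernel"])),
        "kernel_bytes_by_module": dict(kernel_bytes),
        "user_hooks_by_process": dict(Counter(proc_key(e) for e in parsed["user"])),
        "iat_entries_by_importer": dict(Counter(
            f"{proc_key(e)} @ {ntpath.basename(e['importer'])}" for e in parsed["iat"])),
        "redirected_iat": [
            (proc_key(e), ntpath.basename(e["importer"]), f"{e['dll']}!{e['func']}", e["target_base"])
            for e in parsed["iat"] if e["redirected"]],
        "unparsed_lines": len(parsed["other"]),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_gmer(SAMPLE_LOG)), indent=2))
```

Run it on the full log (`parse_gmer(open("gmer.log", encoding="utf-8", errors="replace").read())`) and the `unparsed_lines` count tells you how much of the file the two regexes did not cover; the `time/date stamp mismatch`, `section is writeable` and `entry point in ... section` lines in the post all land there deliberately. In the posted log every TAPI32 import resolves back into TAPI32.dll, so the redirection check stays quiet there; a hit from that check is a prompt to look closer, not a verdict either way.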