Do I have rootkits (gmer log)

Wups, so easy, I thought that copy would only be related to one line, okay,
great to know, sometimes I don´t see the easiest ways..

Yep, not that important, but something I often notice is, e.g. an app crashes and drwatson pops up, or I stopp
IceSword or stopp several other apps while Gmer is executed then Gmer starts showing endless functions behind the stopped exe files, is this usual?

Hm I don´t think it is a default rustock, it is usual that Sygate hooks the same areas like Rustock I guess, but what is with the second wanarp?

.text ntkrnlpa.exe!ZwCallbackReturn + 2CBC 805038BC 8 Bytes [ 50, 6F, 4E, ED, 10, 70, 4E, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2DB4 805039B4 8 Bytes [ 00, A1, 4E, ED, 90, A1, 4E, ... ]
.text ...
.text tcpip.sys!IPTransmit + 10BC ED47ACFA 6 Bytes CALL F71CCCE0 Teefer.sys
.text tcpip.sys!IPTransmit + 2810 ED47C44E 6 Bytes CALL F71CCCE0 Teefer.sys
.text tcpip.sys!ARPRcv + 506D ED4814E0 6 Bytes CALL F71CCCE0 Teefer.sys
.text wanarp.sys F75CC3FD 4 Bytes CALL F71CCE30 Teefer.sys
.text wanarp.sys F75CC402 2 Bytes [ 90, 90 ]

 

It's probably a bug ( I've found similar behaviour when haxdor is installed )
If GMER crashes please send me minidump or dr watson log.

I've expanded my whitelist and it will not appear in the next version.

I think it's also related to Sygate hooks ( 90 = ASM NOP )

 

Great to see, thanks for info!

 

SystemJunkie, thanks again for this info.
I've checked it and it's definitely GMER's bug. When app terminates during or just before of the scan GMER will show abnormal results. I will fix it in the next update.

Regards

 

You´re welcome, I am also interested in seeing always improved apps.

I tested your catchme tool, look at this, looks unusual:

http://i13.tinypic.com/34te8td.png

But probably a HIP blocks access to that autostart, I am not sure.
It´s no problem to access HKLM\Run and see pgaccount or modify it via regedit.exe, but if using external app, autostart write is blocked.