GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-16 16:02:57
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST912082 rev.3.AL
Running: pgx9un0b.exe; Driver: C:\Users\User\AppData\Local\Temp\kwtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT  8F226BD8  ZwAlertResumeThread
SSDT  8F226CB8  ZwAlertThread
SSDT  8F211F80  ZwAllocateVirtualMemory
SSDT  8F874490  ZwConnectPort
SSDT  8F226928  ZwCreateMutant
SSDT  8F2108C0  ZwCreateThread
SSDT  8F211C78  ZwFreeVirtualMemory
SSDT  8F226A18  ZwImpersonateAnonymousToken
SSDT  8F226AF8  ZwImpersonateThread
SSDT  8F211B98  ZwMapViewOfSection
SSDT  8F226848  ZwOpenEvent
SSDT  8F210800  ZwOpenProcessToken
SSDT  8F211950  ZwOpenThreadToken
SSDT  8F223130  ZwResumeThread
SSDT  8F211870  ZwSetContextThread
SSDT  8F211A40  ZwSetInformationProcess
SSDT  8F226FC0  ZwSetInformationThread
SSDT  8F226768  ZwSuspendProcess
SSDT  8F226E00  ZwSuspendThread
SSDT  8F211210  ZwTerminateProcess
SSDT  8F226EE0  ZwTerminateThread
SSDT  8F210780  ZwUnmapViewOfSection
SSDT  8F211EB0  ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text     ntkrnlpa.exe!ZwCallbackReturn + 3E0  820808EC 2 Bytes  [C0, 08]
.text     ntkrnlpa.exe!ZwCallbackReturn + 520  82080A2C 2 Bytes  [F8, 6A]
.text     ntkrnlpa.exe!ZwCallbackReturn + 73C  82080C48 2 Bytes  [70, 18]  {JO 0x1a}
.text     ntkrnlpa.exe!ZwCallbackReturn + 77C  82080C88 2 Bytes  [40, 1A]
.text     ntkrnlpa.exe!ZwCallbackReturn + 77F  82080C8B 5 Bytes  [8F, C0, 6F, 22, 8F]
.text     ...
.text     C:\Windows\system32\DRIVERS\nvlddmkm.sys  section is writeable [0x8BCD9340, 0x344E47, 0xE8000020]
.text     bridge.sys  8C54B462 96 Bytes  [8B, FF, 55, 8B, EC, 81, EC, ...]
.text     bridge.sys  8C54B4C3 17 Bytes  [55, 8C, FF, 15, 38, B1, 55, ...]
.text     bridge.sys  8C54B4D5 267 Bytes  [00, 6A, 01, BF, A0, D1, 55, ...]
.text     bridge.sys  8C54B5E1 136 Bytes  [54, 8C, 68, 80, C4, 55, 8C, ...]
.text     C:\Windows\system32\drivers\hardlock.sys  section is writeable [0xAA718400, 0x7960C, 0xE8000020]
.protect  C:\Windows\system32\drivers\hardlock.sys  entry point in ".protect" section [0xAA7BA420]
.protect  C:\Windows\system32\drivers\hardlock.sys  unknown last code section [0xAA7BA200, 0x5049, 0xE0000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [73FAFBC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [73F7B9AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [73F6A31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [73F6CBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [73F68AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]  [73F7CF28] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [73F67D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [73F67CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [73F66A64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]  [73FFC1D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]  [73F87F56] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [73F690CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [73F72179] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [73F721A4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [73F77F1C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [73F77D3E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [73FA83D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1772] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free]  [697CDE6B] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  AsDsm.sys (Data Security Manager Driver/Windows (R) Codename Longhorn DDK provider)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (WDF Dynamic Framework/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys (WDF Dynamic Framework/Microsoft Corporation)
AttachedDevice  \Driver\tdx \Device\Tcp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\tdx \Device\Udp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d606a1c6a
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d606a1c6a@0015de244892  0x13 0x97 0x53 0x0D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d606a1c6a@001d6ec3af58  0xD3 0x47 0xB2 0xA6 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001d606a1c6a (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001d606a1c6a@0015de244892  0x13 0x97 0x53 0x0D ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001d606a1c6a@001d6ec3af58  0xD3 0x47 0xB2 0xA6 ...

---- Files - GMER 1.0.15 ----

File  C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86  0 bytes
File  C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys  27504 bytes executable
File  C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\_avt  512 bytes
File  C:\ADSM_PData_0150  0 bytes
File  C:\ADSM_PData_0150\DB  0 bytes
File  C:\ADSM_PData_0150\DB\SI.db  624 bytes
File  C:\ADSM_PData_0150\DB\UL.db  16 bytes
File  C:\ADSM_PData_0150\DB\VL.db  16 bytes
File  C:\ADSM_PData_0150\DB\_avt  512 bytes
File  C:\ADSM_PData_0150\DragWait.exe  253952 bytes executable
File  C:\ADSM_PData_0150\_avt  512 bytes

---- EOF - GMER 1.0.15 ----