GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-08-10 06:52:54 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HTS543225L9A300 rev.FBEOC40C Running: l88imtol.exe; Driver: C:\Users\Skaner\AppData\Local\Temp\kxliqpog.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwClose [0x90590606] SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0x9059005A] SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0x9058FD3C] SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0x90591652] SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0x9058FE46] SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0x9058FF30] SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0x905908CC] SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0x90590362] SSDT 8D0022E8 ZwRequestWaitReplyPort SSDT 8D0022E3 ZwSetContextThread SSDT 8D0022ED ZwSetSecurityObject SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0x9058FBBA] SSDT 8D0022F2 ZwSystemDebugControl SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0x90590814] SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0x90590494] ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 1A9 82CC386C 4 Bytes [06, 06, 59, 90] {PUSH ES; PUSH ES; POP ECX; NOP } .text ntkrnlpa.exe!KeSetEvent + 1D9 82CC389C 4 Bytes [5A, 00, 59, 90] {POP EDX; ADD [ECX-0x70], BL} .text ntkrnlpa.exe!KeSetEvent + 1E9 82CC38AC 4 Bytes [3C, FD, 58, 90] {CMP AL, 0xfd; POP EAX; NOP } .text ntkrnlpa.exe!KeSetEvent + 215 82CC38D8 4 Bytes [52, 16, 59, 90] {PUSH EDX; PUSH SS; POP ECX; NOP } .text ntkrnlpa.exe!KeSetEvent + 2D5 82CC3998 4 Bytes [46, FE, 58, 90] .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F40A000, 0x21FB4F, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3528] ntdll.dll!DbgUiRemoteBreakin 775ACD44 1 Byte [C3] ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs AsDsm.sys (Data Security Manager Driver/Windows (R) Codename Longhorn DDK provider) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) ---- Processes - GMER 1.0.15 ---- Library c:\windows\system32\n (*** hidden *** ) @ C:\Windows\Explorer.EXE [3400] 0x45670000 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272ace598 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272ace598@00247c172d98 0x7A 0x09 0xDC 0x05 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272ace598@c87e753ab498 0x70 0xD0 0x39 0x10 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310@00247c172d98 0xA3 0xD8 0x89 0x39 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310@f8d0bdba74f4 0x34 0x89 0xC6 0x15 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310@a0f419be02c8 0x76 0xFC 0x00 0xC9 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272ace598 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272ace598@00247c172d98 0x7A 0x09 0xDC 0x05 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272ace598@c87e753ab498 0x70 0xD0 0x39 0x10 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a310@00247c172d98 0xA3 0xD8 0x89 0x39 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a310@f8d0bdba74f4 0x34 0x89 0xC6 0x15 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a310@a0f419be02c8 0x76 0xFC 0x00 0xC9 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum@Implementing 0x1C 0x00 0x00 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum@Implementing 0x1C 0x00 0x00 0x00 ... ---- Files - GMER 1.0.15 ---- File C:\ADSM_PData_0150 0 bytes File C:\ADSM_PData_0150\DB 0 bytes File C:\ADSM_PData_0150\DB\SI.db 624 bytes File C:\ADSM_PData_0150\DB\UL.db 16 bytes File C:\ADSM_PData_0150\DB\VL.db 16 bytes File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes File C:\ADSM_PData_0150\DB\_avt 512 bytes File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable File C:\ADSM_PData_0150\_avt 512 bytes File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86 0 bytes File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys 29752 bytes executable File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\_avt 512 bytes ---- EOF - GMER 1.0.15 ----