GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-06 18:23:52
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0303 298,09GB
Running: fvdf3efy.exe; Driver: C:\Users\KOMPJU~1\AppData\Local\Temp\axdyquob.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x911A6700]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x91159C1A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcCreatePort [0x91159F62]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x9115A3A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x9114229C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x911598F4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x91142814]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x911426FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0x91159DC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x911A9590]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x91142934]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x911A8A24]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0x91159E94]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x911A856E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x911422E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x911A6842]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x911A64AA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x911A9388]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x9115805C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x911428AA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x9114278A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x911A8116]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x911A983C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x911429CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x911A8780]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x91142A54]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x9115826A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x911A923C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x9115A18C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x9115A01A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0x9115A0D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x9115A1FC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x911A8F66]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x91159A82]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x911A90C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x91142AF6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x911A65B4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x911A82B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x911A8E0E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x91142B08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x911A8416]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x911A8920]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x911A99A4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x911A96CE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x911A8C64]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateUserProcess [0x911A86C8]

INT 0x51 ? 85770CB8
INT 0x51 ? 878B5F00
INT 0x51 ? 878B5F00
INT 0x51 ? 85770CB8
INT 0x72 ? 878B5F00
INT 0x82 ? 878B5F00
INT 0xA2 ? 878B5F00
INT 0xB3 ? 878B5F00

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!KeSetEvent + 119 822B4764 4 Bytes [00, 67, 1A, 91] {ADD [EDI+0x1a], AH; XCHG ECX, EAX}
.text ntkrnlpa.exe!KeSetEvent + 13D 822B4788 8 Bytes [1A, 9C, 15, 91, 62, 9F, 15, ...] {SBB BL, [EBP+EDX+0x159f6291]; XCHG ECX, EAX}
.text ntkrnlpa.exe!KeSetEvent + 181 822B47CC 4 Bytes [A8, A3, 15, 91]
.text ntkrnlpa.exe!KeSetEvent + 1A9 822B47F4 4 Bytes [9C, 22, 14, 91] {PUSHF ; AND DL, [ECX+EDX*4]}
.text ntkrnlpa.exe!KeSetEvent + 1C1 822B480C 4 Bytes [F4, 98, 15, 91]
.text ...
? System32\drivers\tajwm.sys System nie może odnaleźć określonej ścieżki. !
.sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x80750774]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8FC0F000, 0x1FA4DA, 0xE8000020]
? C:\Windows\system32\Drivers\PROCEXP152.SYS Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 2.1 ----

? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1500] C:\Windows\system32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1500] ntdll.dll!NtProtectVirtualMemory 773A4BC4 5 Bytes JMP 71D42066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll
? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1500] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: dwmapi.dll
? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1500] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: MPR.dllunknown module: msiltcfg.dllunknown module: CLBCatQ.DLLunknown module: OLEAUT32.dllunknown module: imagehlp.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1500] USER32.dll!SetScrollInfo + 7A8 77237980 4 Bytes [83, 30, D4, 71]
? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1532] C:\Windows\system32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1532] ntdll.dll!NtProtectVirtualMemory 773A4BC4 5 Bytes JMP 71D42066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll
? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1532] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: dwmapi.dll
? C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1532] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: MPR.dllunknown module: msiltcfg.dllunknown module: CLBCatQ.DLLunknown module: OLEAUT32.dllunknown module: imagehlp.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1532] USER32.dll!SetScrollInfo + 7A8 77237980 4 Bytes [83, 30, D4, 71]

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs 857741F8
AttachedDevice \FileSystem\Ntfs \Ntfs AsDsm.sys
Device \FileSystem\fastfat \FatCdrom 877B81F8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
Device \Driver\usbuhci \Device\USBPDO-0 878331F8
Device \Driver\usbuhci \Device\USBPDO-1 878331F8
Device \Driver\usbuhci \Device\USBPDO-2 878331F8
Device \Driver\netbt \Device\NetBT_Tcpip_{9DFFD262-7F03-4A26-85E1-281758DB80FA} 89F551F8
Device \Driver\usbehci \Device\USBPDO-3 877F21F8
Device \Driver\usbuhci \Device\USBPDO-4 878331F8
AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys
Device \Driver\usbuhci \Device\USBPDO-5 878331F8
Device \Driver\usbuhci \Device\USBPDO-6 878331F8
Device \Driver\usbehci \Device\USBPDO-7 877F21F8
Device \Driver\cdrom \Device\CdRom0 878191F8
Device \Driver\iaStor \Device\Ide\iaStor0 [836495A0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [836495A0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [836495A0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\netbt \Device\NetBt_Wins_Export 89F551F8
Device \Driver\Smb \Device\NetbiosSmb 89F541F8
Device \Driver\netbt \Device\NetBT_Tcpip_{92021EFA-35B1-48F3-A391-BBC548542F80} 89F551F8
Device \Driver\iScsiPrt \Device\RaidPort0 8797D1F8
AttachedDevice \Driver\tdx \Device\Udp kltdi.sys
AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys
Device \Driver\usbuhci \Device\USBFDO-0 878331F8
Device \Driver\usbuhci \Device\USBFDO-1 878331F8
Device \Driver\usbuhci \Device\USBFDO-2 878331F8
Device \Driver\BTHUSB \Device\0000007c bthport.sys
Device \Driver\BTHUSB \Device\0000007c bthport.sys
Device \Driver\usbehci \Device\USBFDO-3 877F21F8
Device \Driver\usbuhci \Device\USBFDO-4 878331F8
Device \Driver\BTHUSB \Device\0000007e bthport.sys
Device \Driver\BTHUSB \Device\0000007e bthport.sys
Device \Driver\usbuhci \Device\USBFDO-5 878331F8
Device \Driver\usbuhci \Device\USBFDO-6 878331F8
Device \Driver\usbehci \Device\USBFDO-7 877F21F8
Device \FileSystem\fastfat \Fat 877B81F8
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
Device \FileSystem\cdfs \Cdfs A67951F8

---- Trace I/O - GMER 2.1 ----

Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys halmacpi.dll iaStor.sys sptd.sys tcpip.sys NETIO.SYS dxgkrnl.sys atikmdag.sys >>UNKNOWN [0x85770ad8]<< 85770ad8
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86c7d590] 86c7d590
Trace 3 CLASSPNP.SYS[8b9a68b3] -> nt!IofCallDriver -> [0x86196f08] 86196f08
Trace 5 acpi.sys[807746bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x86114028] 86114028

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015affdca62
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 676
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0015affdca62 (not active ControlSet)

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.1 ----

File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\_avt 512 bytes
File C:\ADSM_PData_0150\DragWait.exe 253952 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes
File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86 0 bytes
File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys 29752 bytes executable
File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\_avt 512 bytes

---- EOF - GMER 2.1 ----