GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-02 00:28:50
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003
Running: 5bfh2o10.exe; Driver: C:\Users\PAWE~1\AppData\Local\Temp\kwddrkog.sys


---- System - GMER 1.0.15 ----

INT 0x51 ? B74782D8
INT 0x52 ? B9885058
INT 0x60 ? B98857D8
INT 0x61 ? B988B558
INT 0x62 ? B98852D8
INT 0x70 ? B988B058
INT 0x71 ? B988B7D8
INT 0x72 ? B9885558
INT 0x80 ? B7478058
INT 0x82 ? B944F558
INT 0x90 ? B7478558
INT 0x92 ? B944F7D8
INT 0xA0 ? B74787D8
INT 0xA2 ? B944FCD8
INT 0xA3 ? B988BA58
INT 0xB0 ? B7478A58
INT 0xB1 ? B7478CD8
INT 0xB2 ? B944F2D8
INT 0xB3 ? B988BCD8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD E2C95579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 E2CB9F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Xfire\Xfire.exe[3200] kernel32.dll!CreateProcessA 75B32062 5 Bytes JMP 05B437AC C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] kernel32.dll!CreateThread 75B827FD 5 Bytes JMP 05B43150 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] GDI32.dll!BitBlt 77197180 5 Bytes JMP 05B42BC8 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!InvalidateRgn 75C18099 5 Bytes JMP 05B42DAE C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!CreateDialogParamW 75C19BFF 5 Bytes JMP 05B4329B C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!GetCursorPos 75C1C198 5 Bytes JMP 05B42EE4 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!SetFocus 75C1CBA9 5 Bytes JMP 05B42C78 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!SetForegroundWindow 75C1D3AE 5 Bytes JMP 05B433E9 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!RegisterClassA 75C1E225 5 Bytes JMP 05B430B8 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!CreateWindowExW 75C20E51 5 Bytes JMP 05B43481 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!SetWindowPos 75C23581 5 Bytes JMP 05B4333F C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!RedrawWindow 75C252A2 5 Bytes JMP 05B43017 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!IsWindowVisible 75C26939 7 Bytes JMP 05B4353A C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!GetDC 75C27041 5 Bytes JMP 05B42A99 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!ReleaseDC 75C27055 5 Bytes JMP 05B42B2D C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!BeginPaint 75C27B87 5 Bytes JMP 05B42A05 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!InvalidateRect 75C27BC9 5 Bytes JMP 05B42D10 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!TrackPopupMenu 75C44B3B 5 Bytes JMP 05B43702 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!DialogBoxParamW 75C4564A 5 Bytes JMP 05B431F7 C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!SetCapture 75C46B2A 5 Bytes JMP 05B42E4C C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!WindowFromPoint 75C46D0C 5 Bytes JMP 05B42F7C C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AsDsm.sys (Data Security Manager Driver/ASUSTek Computer Inc)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes

---- EOF - GMER 1.0.15 ----
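A triage parser for this log format, added here as an example; it is not part of GMER and not material from whoever ran the scan. It reads the line shapes that occur above (INT entries, .text kernel patches, .text user-mode JMP hooks, AttachedDevice/Device, File) and sorts them into the order a reviewer works through them: kernel code patches and INT vectors whose owner GMER printed as "?" come first, because nothing in the log names who installed them; user-mode hooks that GMER resolved to a module with version information are grouped per module so that a run of hooks from one DLL (here the Xfire overlay) reads as one item to verify, not twenty-one; files flagged "executable" are listed for hashing. Attribution only means GMER could read the JMP target's module and its version resource, so a grouped module still has to be checked on disk (signature, hash, location). The embedded sample is an excerpt of the scan above with the same spacing; the regular expressions and bucket names are this example's own.

```python
"""Triage helper for a GMER 1.0.15 text log (added example, not GMER code).

Only the line shapes present in the scan above are understood; any other
line is counted as 'unparsed' so a format change cannot hide findings.
"""
import re

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
PATTERNS = [
    ("int", re.compile(r"^INT (?P<vector>0x[0-9A-Fa-f]+)\s+(?P<owner>\S+)\s+(?P<addr>[0-9A-F]{8})$")),
    ("kernel_patch", re.compile(
        r"^\.text\s+(?P<target>\S+!\S+) \+ (?P<offset>[0-9A-F]+)\s+(?P<addr>[0-9A-F]{8})"
        r"\s+(?P<length>\d+) Bytes?\s+\[(?P<bytes>[^\]]*)\]")),
    ("user_hook", re.compile(
        r"^\.text\s+(?P<process>.+?\[\d+\])\s+(?P<target>\S+!\S+)\s+(?P<addr>[0-9A-F]{8})"
        r"\s+(?P<length>\d+) Bytes\s+JMP\s+(?P<dest>[0-9A-F]{8})\s+(?P<module>.+?)"
        r"(?:\s+\((?P<desc>[^)]*)\))?$")),
    ("device", re.compile(
        r"^(?P<attach>AttachedDevice|Device)\s+(?P<object>\S+)\s+(?P<device>\S+)\s+(?P<driver>\S+)"
        r"(?:\s+\((?P<desc>[^)]*)\))?$")),
    ("file", re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes(?P<exe> executable)?$")),
]


def parse_gmer(text):
    """Return one dict per log line, tagged with its kind and section."""
    records, section = [], "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                records.append({"kind": kind, "section": section, **m.groupdict()})
                break
        else:
            records.append({"kind": "unparsed", "section": section, "text": line})
    return records


def triage(records):
    """Sort parsed records into the buckets a reviewer reads in order."""
    hooks = {}
    out = {"kernel_code_patches": [], "unresolved_int_handlers": [],
           "unattributed_user_hooks": [], "executables_on_disk": [], "unparsed": 0}
    for r in records:
        k = r["kind"]
        if k == "user_hook":
            if r.get("desc"):  # GMER named the module and read its version info
                hooks.setdefault(r["module"], []).append(r["target"])
            else:
                out["unattributed_user_hooks"].append(r)
        elif k == "kernel_patch":
            out["kernel_code_patches"].append(r)
        elif k == "int" and r["owner"] == "?":  # GMER could not name the owner
            out["unresolved_int_handlers"].append(r["vector"])
        elif k == "file" and r["exe"]:
            out["executables_on_disk"].append(r["path"])
        elif k == "unparsed":
            out["unparsed"] += 1
    out["attributed_user_hooks"] = {m: sorted(t) for m, t in hooks.items()}
    return out


# Excerpt of the scan above (sample input for the example).
SAMPLE_LOG = r"""
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-02 00:28:50
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003

---- System - GMER 1.0.15 ----

INT 0x51 ? B74782D8
INT 0x52 ? B9885058

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD E2C95579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 E2CB9F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Xfire\Xfire.exe[3200] kernel32.dll!CreateProcessA 75B32062 5 Bytes JMP 05B437AC C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[3200] USER32.dll!IsWindowVisible 75C26939 7 Bytes JMP 05B4353A C:\Program Files\Xfire\xfire_toucan_44225.dll (Xfire Toucan DLL/Xfire Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AsDsm.sys (Data Security Manager Driver/ASUSTek Computer Inc)

---- Files - GMER 1.0.15 ----

File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    summary = triage(parse_gmer(SAMPLE_LOG))
    for bucket, value in summary.items():
        print(f"{bucket}: {value if isinstance(value, int) else len(value)}")
```

Run it against a full log with `triage(parse_gmer(open(path).read()))`; a non-zero `unparsed` count after the header lines means a line shape this example does not know, and those lines should be read by hand rather than assumed clean.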