GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-03-06 10:34:46 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\00000061 TOSHIBA_ rev.FG02 Running: luq4912h.exe; Driver: C:\Users\bumi\AppData\Local\Temp\pwriqpob.sys ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKey + 13D1 82E49369 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E82D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} PAGE ntkrnlpa.exe!ZwResumeThread 8307C40B 1 Byte [CC] {INT 3 } ? System32\Drivers\spxg.sys System nie może odnaleźć określonej ścieżki. ! .text USBPORT.SYS!DllUnload 9083BD81 5 Bytes JMP 86CB41D8 .text ak9cmwf1.SYS 93AE8000 12 Bytes [44, 28, 22, 83, EE, 26, 22, ...] {INC ESP; SUB [EDX], AH; SUB ESI, 0x26; AND AL, [EBX-0x7cddf860]} .text ak9cmwf1.SYS 93AE800D 9 Bytes [07, 22, 83, 48, 2B, 22, 83, ...] {POP ES; AND AL, [EBX-0x7cddd4b8]; ADD [EAX], AL} .text ak9cmwf1.SYS 93AE8017 170 Bytes [00, DE, 87, BA, 83, E6, 85, ...] .text ak9cmwf1.SYS 93AE80C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} .text ak9cmwf1.SYS 93AE80CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL} .text ... PAGE peauth.sys 9A760B9B 72 Bytes [67, E8, 67, 94, DD, 79, AA, ...] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2904] kernel32.dll!SetUnhandledExceptionFilter 7585F4FB 5 Bytes JMP 00581000 C:\Program Files\Common Files\ArcSoft\Bin\ACDbgRpt.dll (ArcSoft Connect Crash Report/ArcSoft Inc.) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [83AAC042] \SystemRoot\System32\Drivers\spxg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [83AAC6D6] \SystemRoot\System32\Drivers\spxg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [83AAC800] \SystemRoot\System32\Drivers\spxg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [83AAC13E] \SystemRoot\System32\Drivers\spxg.sys IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortNotification] 00147880 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortStallExecution] C25DC033 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortInitialize] 157B805E IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500 IAT \SystemRoot\System32\Drivers\ak9cmwf1.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\windows\System32\rundll32.exe[2356] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7544FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\System32\rundll32.exe[2356] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7544FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\System32\rundll32.exe[2356] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7544FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\System32\rundll32.exe[2356] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7544FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 866401F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{C287E64B-8156-4B9B-8A95-C8BCD096058E} 86BC7500 Device \Driver\volmgr \Device\VolMgrControl 859861F8 Device \Driver\usbohci \Device\USBPDO-0 86CB31F8 Device \Driver\ACPI_HAL \Device\00000044 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\usbehci \Device\USBPDO-1 86CB71F8 Device \Driver\nvstor32 \Device\00000061 8663E1F8 Device \Driver\nvstor32 \Device\00000062 8663E1F8 Device \Driver\volmgr \Device\HarddiskVolume1 859861F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 86B8F1F8 Device \Driver\volmgr \Device\HarddiskVolume2 859861F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume3 859861F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom1 86B8F1F8 Device \Driver\volmgr \Device\HarddiskVolume4 859861F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\NetBT \Device\NetBT_Tcpip_{5BB8BC48-3C52-48E5-A57F-41C62E2B718A} 86BC7500 Device \Driver\NetBT \Device\NetBt_Wins_Export 86BC7500 Device \Driver\sptd \Device\1363669568 spxg.sys Device \Driver\PCI_PNP9568 \Device\0000004d spxg.sys Device \Driver\nvstor32 \Device\RaidPort0 8663E1F8 Device \Driver\usbohci \Device\USBFDO-0 86CB31F8 Device \Driver\usbehci \Device\USBFDO-1 86CB71F8 Device \Driver\ak9cmwf1 \Device\Scsi\ak9cmwf11 86ED61F8 Device \Driver\ak9cmwf1 \Device\Scsi\ak9cmwf11Port1Path0Target0Lun0 86ED61F8 ---- Threads - GMER 1.0.15 ---- Thread System [4:332] 86C3239F Thread System [4:440] 870930F4 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002185f17c12 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFB 0xDB 0x4D 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xFA 0x23 0x28 0x3E ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x36 0x4B 0x21 0x84 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002185f17c12 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0xF0 0x6C 0xFE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xFA 0x23 0x28 0x3E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x36 0x4B 0x21 0x84 ... ---- EOF - GMER 1.0.15 ----