GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-19 11:13:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HTS722012K9SA00 rev.DCCOC54P 111,79GB Running: bwlgniek.exe; Driver: C:\Users\Konrad\AppData\Local\Temp\kwriipob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800031b9000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff800031b902f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff8800f228d64 12 bytes {MOV RAX, 0xfffffa80038d82a0; JMP RAX} ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880010b2650] \SystemRoot\System32\Drivers\spvq.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010b25dc] \SystemRoot\System32\Drivers\spvq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800107d35c] \SystemRoot\System32\Drivers\spvq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800107d224] \SystemRoot\System32\Drivers\spvq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800107da24] \SystemRoot\System32\Drivers\spvq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800107dba0] \SystemRoot\System32\Drivers\spvq.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80031ca2c0 Device \Driver\atapi \Device\Ide\IdePort4 fffffa80031ca2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80031ca2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80031ca2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80031ca2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 fffffa80031ca2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80031ca2c0 Device \Driver\ashfzvrz \Device\Scsi\ashfzvrz1Port5Path0Target0Lun0 fffffa8003bf72c0 Device \Driver\ashfzvrz \Device\Scsi\ashfzvrz1 fffffa8003bf72c0 Device \FileSystem\Ntfs \Ntfs fffffa80031d02c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa80038df2c0 Device \Driver\usbuhci \Device\USBFDO-3 fffffa80038df2c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa80038df2c0 Device \Driver\cdrom \Device\CdRom0 fffffa800361f2c0 Device \Driver\cdrom \Device\CdRom1 fffffa800361f2c0 Device \Driver\usbehci \Device\USBPDO-6 fffffa800390c2c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa80038df2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{CEEF7275-5D53-49EA-BD76-45C0FB0D446B} fffffa80036eb2c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa80038df2c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa800390c2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{FF8F2F18-BC16-4738-B7C4-285DA68375CF} fffffa80036eb2c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa80038df2c0 Device \Driver\usbuhci \Device\USBPDO-3 fffffa80038df2c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa80038df2c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80031c62c0 Device \Driver\volmgr \Device\FtControl fffffa80031c62c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80031c62c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80031c62c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80036eb2c0 Device \Driver\usbehci \Device\USBFDO-6 fffffa800390c2c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa80038df2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80031ca2c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa800390c2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1FBE4D0F-6FE5-47DD-A7AA-E1C6AAC8398D} fffffa80036eb2c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa80038df2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80031ca2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80031ca2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80031ca2c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80031ca2c0 Device \Driver\ashfzvrz \Device\ScsiPort5 fffffa8003bf72c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\ashfzvrz.SYS fffff88004a1e000-fffff88004a63000 (282624 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111@0023b47f8cba 0x44 0xC2 0x07 0x8A ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111@001963975931 0xFA 0xF6 0xCE 0x53 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x54 0x0C 0xDF 0xCB ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC0 0x82 0xE6 0x37 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0xC4 0x62 0x35 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x81 0x2B 0xC8 0x61 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111@0023b47f8cba 0x44 0xC2 0x07 0x8A ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111@001963975931 0xFA 0xF6 0xCE 0x53 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x54 0x0C 0xDF 0xCB ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC0 0x82 0xE6 0x37 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0xC4 0x62 0x35 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x81 0x2B 0xC8 0x61 ... ---- EOF - GMER 2.1 ----