GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-05-05 22:15:22
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 TOSHIBA_MQ01ABF050 rev.AM003M 465,76GB
Running: gmer.exe; Driver: C:\Users\KUBADA~1\AppData\Local\Temp\uxdyyfow.sys

---- Kernel code sections - GMER 2.2 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000181600 15 bytes [00, F8, 09, 02, 80, 32, 72, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff96000181610 11 bytes [00, BC, FB, FF, 00, 77, B2, ...]

---- Devices - GMER 2.2 ----

Device \Driver\amd_sata \Device\00000030 ffffe001c0fa92c0
Device \Driver\amd_sata \Device\RaidPort0 ffffe001c0fa92c0
Device \Driver\cdrom \Device\CdRom0 ffffe001c0fe52c0
Device \Driver\amd_sata \Device\00000031 ffffe001c0fa92c0
Device \Driver\amd_sata \Device\ScsiPort0 ffffe001c0fa92c0

---- Trace I/O - GMER 2.2 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xffffe001c0fab2c0]<< sptd.sys amd_xata.sys storport.sys hal.dll amd_sata.sys ffffe001c0fab2c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe001c1dfd060] ffffe001c1dfd060
Trace 3 CLASSPNP.SYS[fffff80046ede27b] -> nt!IofCallDriver -> [0xffffe001c0d81b30] ffffe001c0d81b30
Trace \Driver\amd_xata[0xffffe001c1c87af0] -> IRP_MJ_CREATE -> 0xffffe001c0fab2c0 ffffe001c0fab2c0
Trace 5 amd_xata.sys[fffff800465f25da] -> nt!IofCallDriver -> \Device\00000030[0xffffe001c0d7d060] ffffe001c0d7d060
Trace \Driver\amd_sata[0xffffe001c1c87880] -> IRP_MJ_CREATE -> 0xffffe001c0fa92c0 ffffe001c0fa92c0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1231893800
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28e3478386aa
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28e3478386aa@184617cd6a5d 0xE2 0x54 0xAC 0xE2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28e3478386aa@001167d421c2 0x35 0x85 0xC4 0xCD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28e3478386aa@58a2b544e579 0x15 0xA2 0x9B 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28e3478386aa@1e0e4ef6ab23 0xA3 0xEA 0x9C 0x83 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2B 0x65 0xFB 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WANARE
Reg HKLM\SYSTEM\CurrentControlSet\Services\WANARE@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\WANARE@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\WANARE@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\WANARE@ImagePath C:\Windows\System32\svchost.exe -k WANARE
Reg HKLM\SYSTEM\CurrentControlSet\Services\WANARE@DisplayName WANARE
Reg HKLM\SYSTEM\CurrentControlSet\Services\WANARE@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\WANARE\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\WANARE\Parameters@ServiceDll C:\Users\KubaDamaszk\AppData\Local\WANARE\Snare.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\WANARE
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count 9

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----