GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-22 02:30:47
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 TOSHIBA_MQ01ABF050 rev.AM003M 465,76GB
Running: lrp2hw90.exe; Driver: C:\Users\KUBADA~1\AppData\Local\Temp\uxdyyfow.sys


---- Kernel code sections - GMER 2.2 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable        fffff960000e5600 15 bytes [00, F8, 09, 02, 80, 32, 72, ...]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 16   fffff960000e5610 11 bytes [00, BC, FB, FF, 00, 77, B2, ...]

---- User code sections - GMER 2.2 ----

.text  C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506   00007ffe6b29169a 4 bytes [29, 6B, FE, 7F]
.text  C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514   00007ffe6b2916a2 4 bytes [29, 6B, FE, 7F]
.text  C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118      00007ffe6b29181a 4 bytes [29, 6B, FE, 7F]
.text  C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142      00007ffe6b291832 4 bytes [29, 6B, FE, 7F]
.text  C:\Windows\Explorer.EXE[2936] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506          00007ffe6b29169a 4 bytes [29, 6B, FE, 7F]
.text  C:\Windows\Explorer.EXE[2936] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514          00007ffe6b2916a2 4 bytes [29, 6B, FE, 7F]
.text  C:\Windows\Explorer.EXE[2936] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118             00007ffe6b29181a 4 bytes [29, 6B, FE, 7F]
.text  C:\Windows\Explorer.EXE[2936] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142             00007ffe6b291832 4 bytes [29, 6B, FE, 7F]

---- Devices - GMER 2.2 ----

Device  \Driver\amd_sata  \Device\00000030   ffffe000fd62a2c0
Device  \Driver\amd_sata  \Device\RaidPort0  ffffe000fd62a2c0
Device  \Driver\cdrom     \Device\CdRom0     ffffe000fd7fa2c0
Device  \Driver\amd_sata  \Device\00000031   ffffe000fd62a2c0
Device  \Driver\amd_sata  \Device\ScsiPort0  ffffe000fd62a2c0

---- Trace I/O - GMER 2.2 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xffffe000fd62c2c0]<< sptd.sys amd_xata.sys storport.sys amd_sata.sys hal.dll   ffffe000fd62c2c0
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe000fe5e4060]                                                                ffffe000fe5e4060
Trace  3 CLASSPNP.SYS[fffff800fd5aa27b] -> nt!IofCallDriver -> [0xffffe000fe496b30]                                                   ffffe000fe496b30
Trace  \Driver\amd_xata[0xffffe000fe49c060] -> IRP_MJ_CREATE -> 0xffffe000fd62c2c0                                                    ffffe000fd62c2c0
Trace  5 amd_xata.sys[fffff800fd6605da] -> nt!IofCallDriver -> \Device\00000030[0xffffe000fe498060]                                   ffffe000fe498060
Trace  \Driver\amd_sata[0xffffe000fe49f430] -> IRP_MJ_CREATE -> 0xffffe000fd62a2c0                                                    ffffe000fd62a2c0

---- Threads - GMER 2.2 ----

Thread  C:\Windows\system32\csrss.exe [612:24688]       fffff96000979b90
Thread  C:\Windows\Explorer.EXE [2936:3364]             00000000051d31dc
Thread  C:\Windows\System32\skydrive.exe [5752:5940]    00007ffe64b91e40
Thread  C:\Windows\SysWOW64\dllhost.exe [3944:1948]     0000000000b408ba
Thread  C:\Windows\SysWOW64\dllhost.exe [3944:3592]     0000000000b407c7
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4648]     00000000007823f1
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4684]     00000000035e50bc
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4692]     00000000008714da
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4700]     0000000000b92888
Thread  C:\Windows\SysWOW64\svchost.exe [4532:3300]     0000000003ae31f1
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4716]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4488]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:5808]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:2080]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4736]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4748]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4760]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4744]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4708]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4612]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4816]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4768]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:3352]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4776]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4784]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4792]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:2780]     0000000003c7a626
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4800]     0000000003f414ba
Thread  C:\Windows\SysWOW64\svchost.exe [4532:2668]     00000000073f4437
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4856]     0000000007912807
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4840]     0000000007aa1e85
Thread  C:\Windows\SysWOW64\svchost.exe [4532:4864]     0000000008362a0b

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed                    1725108798
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28e3478386aa
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28e3478386aa@184617cd6a5d             0xE2 0x54 0xAC 0xE2 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28e3478386aa@001167d421c2             0x35 0x85 0xC4 0xCD ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28e3478386aa@58a2b544e579             0x15 0xA2 0x9B 0x1C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28e3478386aa@1e0e4ef6ab23             0xA3 0xEA 0x9C 0x83 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew               0x2B 0x65 0xFB 0x50 ...

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- Files - GMER 2.2 ----

File  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00325.log                                                                                        1048576 bytes
File  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00326.log                                                                                        1048576 bytes
File  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00327.log                                                                                        1048576 bytes
File  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\af240590b112075ed2bef414a696e09a\fb3471c19e58ef3a769b66c1075eb602\grouping\edb003B8.log  262144 bytes
File  C:\Windows\System32\sru\SRU04554.log                                                                                                                          65536 bytes

---- EOF - GMER 2.2 ----
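The log above is a flat GMER dump, and the items worth a second look are easy to miss among the thread and registry noise: the "unknown MBR code" verdict on \Device\Harddisk0\DR0, the ">>UNKNOWN<<" address in the disk I/O trace that sits between disk.sys and sptd.sys (the same sptd that has a Cfg key in the Registry section), and the PSAPI.DLL .text differences that repeat at identical addresses in spoolsv.exe and Explorer.EXE. The following script is an added example, not part of the original log and not GMER's own code. It parses GMER 2.2 section headers and the .text, Trace and Disk records, and ranks them. The "relocated pointer" rule is this example's own heuristic, not a GMER rule: it observes that the four reported bytes [29, 6B, FE, 7F], read little-endian, are bits 16..47 of an address inside the same 64 KiB as the patched location 00007ffe6b29169a, which is what a pointer inside the image looks like after base relocation, and ranks such entries below anything else. SAMPLE_LOG is a constructed excerpt of the log above; the regular expressions and all function names are this example's.

```python
"""Triage helper for GMER 2.2 text logs (added example; not GMER's code).

Splits the log on its "---- <name> - GMER 2.2 ----" headers, parses the
.text / Trace / Disk records and applies three triage rules. The
"relocated pointer" rule is a heuristic of this example, not a GMER rule.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.2 ----$")
CODE_RE = re.compile(
    r"^\.text\s+(?:(?P<proc>\S+)\[(?P<pid>\d+)\]\s+)?(?P<module>\S+)!(?P<sym>.+?)"
    r"\s+(?P<addr>[0-9a-fA-F]{16})\s+(?P<n>\d+) bytes \[(?P<bytes>[^\]]*)\]$"
)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x(?P<addr>[0-9a-fA-F]+)\]<<")

# Constructed sample: a handful of lines excerpted from the log above.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 2.2 ----
.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff960000e5600 15 bytes [00, F8, 09, 02, 80, 32, 72, ...]
---- User code sections - GMER 2.2 ----
.text  C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffe6b29169a 4 bytes [29, 6B, FE, 7F]
.text  C:\Windows\Explorer.EXE[2936] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffe6b29169a 4 bytes [29, 6B, FE, 7F]
---- Trace I/O - GMER 2.2 ----
Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xffffe000fd62c2c0]<< sptd.sys amd_xata.sys storport.sys amd_sata.sys hal.dll  ffffe000fd62c2c0
---- Disk sectors - GMER 2.2 ----
Disk  \Device\Harddisk0\DR0  unknown MBR code
---- EOF - GMER 2.2 ----
"""


def parse_sections(text):
    """Return {section name: [non-empty lines]}; text before any header goes to 'Header'."""
    sections, current = defaultdict(list), "Header"
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        else:
            sections[current].append(line)
    return sections


def parse_code_entry(line):
    """Parse one '.text ...' record; kernel records carry no process/pid."""
    m = CODE_RE.match(line)
    if not m:
        return None
    shown = [b for b in m.group("bytes").split(", ") if b != "..."]  # GMER elides long runs
    return {
        "process": m.group("proc"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "module": m.group("module"),
        "symbol": m.group("sym"),
        "addr": int(m.group("addr"), 16),
        "length": int(m.group("n")),
        "bytes": bytes(int(b, 16) for b in shown),
    }


def looks_like_relocated_pointer(entry):
    """Heuristic (this example's assumption, not GMER's): a 4-byte difference whose
    bytes, read little-endian, are bits 16..47 of an address within 16 MiB of the
    patched location has the shape of an in-image pointer after base relocation,
    e.g. [29, 6B, FE, 7F] at 00007ffe6b29169a. Lower priority, not proof of anything."""
    if entry["length"] != 4 or len(entry["bytes"]) != 4:
        return False
    value = int.from_bytes(entry["bytes"], "little")
    return abs((value << 16) - (entry["addr"] & ~0xFFFF)) <= 0x100_0000


def is_image(token):
    return token.lower().endswith((".sys", ".exe", ".dll"))


def triage(text):
    """Collect the findings a reviewer would look at first."""
    sections = parse_sections(text)
    findings = {"mbr": [], "unknown_trace": [], "patches": {}}
    for line in sections.get("Disk sectors", []):
        if "unknown MBR code" in line:
            findings["mbr"].append(line.split()[1])
    for line in sections.get("Trace I/O", []):
        m = UNKNOWN_RE.search(line)
        if m:
            toks = line.split()[1:]
            i = toks.index(">>UNKNOWN")
            findings["unknown_trace"].append({
                "addr": int(m.group("addr"), 16),
                "above": [t for t in toks[:i] if is_image(t)],      # images above the gap
                "below": [t for t in toks[i + 2:] if is_image(t)],  # images below it
            })
    patches = defaultdict(lambda: {"processes": set(), "length": 0, "pointer_like": False})
    for name in ("Kernel code sections", "User code sections"):
        for line in sections.get(name, []):
            e = parse_code_entry(line)
            if e:
                rec = patches[(e["module"], e["symbol"], e["addr"])]
                rec["processes"].add(e["process"] or "<kernel>")
                rec["length"] = e["length"]
                rec["pointer_like"] = looks_like_relocated_pointer(e)
    findings["patches"] = dict(patches)
    return findings


def report(findings):
    """One line per finding, highest priority first."""
    out = [f"[!] {d}: MBR code not recognised; dump sector 0 and diff it against a known-good boot record"
           for d in findings["mbr"]]
    for t in findings["unknown_trace"]:
        above = t["above"][-1] if t["above"] else "?"
        below = t["below"][0] if t["below"] else "?"
        out.append(f"[!] disk I/O path runs through unattributed code at {t['addr']:#x} (between {above} and {below})")
    for (module, sym, addr), rec in sorted(findings["patches"].items()):
        mark, note = ("-", "pointer-shaped, likely relocation") if rec["pointer_like"] else ("!", "compare with on-disk image")
        out.append(f"[{mark}] {module}!{sym} @ {addr:#x}, {rec['length']} bytes, {len(rec['processes'])} context(s): {note}")
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run against the full log rather than SAMPLE_LOG, all eight PSAPI.DLL entries collapse to four keys, each seen in both processes and each pointer-shaped, which leaves the MBR verdict, the unattributed address in the I/O stack and the two win32k.sys service-table entries as the items to verify by other means (a sector dump, and a kernel debugger or memory image), since GMER's own verdicts in the log are not evidence on their own.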