GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-26 12:46:46
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002a ST1000DM rev.CC46 931,51GB
Running: gmer.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uwdyakod.sys

---- Kernel code sections - GMER 2.2 ----

PAGEwx4  C:\WINDOWS\System32\drivers\clipsp.sys  suspicious modification
PAGEwx3  C:\WINDOWS\System32\drivers\clipsp.sys  suspicious modification

---- User code sections - GMER 2.2 ----

.text  C:\WINDOWS\System32\svchost.exe[5304] C:\WINDOWS\System32\win32u.dll!NtUserMessageCall  00007ffb9b0c1170 10 bytes {MOV EAX, 0x90844e8; MOVSXD RAX, EAX; JMP RAX}
.text  C:\WINDOWS\System32\svchost.exe[5304] C:\WINDOWS\System32\win32u.dll!NtUserPostMessage  00007ffb9b0c1270 10 bytes {MOV EAX, 0x90848b4; MOVSXD RAX, EAX; JMP RAX}
.text  C:\WINDOWS\System32\svchost.exe[5304] C:\WINDOWS\System32\win32u.dll!NtUserQueryWindow  00007ffb9b0c1290 10 bytes {MOV EAX, 0x90843fc; MOVSXD RAX, EAX; JMP RAX}
.text  C:\WINDOWS\System32\svchost.exe[5304] C:\WINDOWS\System32\win32u.dll!NtUserSetWindowLong  00007ffb9b0c1bf0 10 bytes {MOV EAX, 0x9084654; MOVSXD RAX, EAX; JMP RAX}
.text  C:\WINDOWS\System32\svchost.exe[5304] C:\WINDOWS\System32\win32u.dll!NtUserPostThreadMessage  00007ffb9b0c1c50 10 bytes {MOV EAX, 0x90849f8; MOVSXD RAX, EAX; JMP RAX}
.text  C:\WINDOWS\System32\svchost.exe[5304] C:\WINDOWS\System32\win32u.dll!NtUserSetParent  00007ffb9b0c1f50 10 bytes {MOV EAX, 0x9084798; MOVSXD RAX, EAX; JMP RAX}
.text  C:\WINDOWS\System32\svchost.exe[5304] C:\WINDOWS\System32\win32u.dll!NtUserSendInput  00007ffb9b0c20b0 10 bytes {MOV EAX, 0x9084b10; MOVSXD RAX, EAX; JMP RAX}
?  C:\WINDOWS\system32\apphelp.dll [7272] entry point in ".rdata" section  0000000073a9f7c0

---- User IAT/EAT - GMER 2.2 ----

IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!SendDriverMessage]  [17280017810]
IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!mmTaskCreate]  [17280027650]
IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!winmmbaseFreeMMEHandles]  [172800272f0]
IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!DrvGetModuleHandle]  [17280015d40]
IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!mmTaskSignal]  [17280027770]
IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!GetDriverModuleHandle]  [17280015d40]
IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!OpenDriver]  [17280013120]
IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!CloseDriver]  [17280013190]
IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!DefDriverProc]  [17280017b00]
IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!mmGetCurrentTask]  [172800275f0]
IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!mmTaskYield]  [17280018a50]
IAT  C:\WINDOWS\system32\dwm.exe[8] @ C:\WINDOWS\system32\WINMM.dll[WINMMBASE.dll!mmTaskBlock]  [17280027600]
IAT  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[6488] @ C:\WINDOWS\System32\KERNEL32.DLL[KERNELBASE.dll!MapViewOfFileExNuma]  [7ffb98f833f0] C:\WINDOWS\SYSTEM32\EShims.dll
IAT  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[6488] @ C:\WINDOWS\SYSTEM32\dui70.dll[USER32.dll!CreateWindowExW]  [7ffb98f89c30] C:\WINDOWS\SYSTEM32\EShims.dll
IAT  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[5720] @ C:\WINDOWS\System32\KERNEL32.DLL[KERNELBASE.dll!MapViewOfFileExNuma]  [7ffb98f833f0] C:\WINDOWS\SYSTEM32\EShims.dll
IAT  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[7904] @ C:\WINDOWS\System32\KERNEL32.DLL[KERNELBASE.dll!MapViewOfFileExNuma]  [7ffb98f833f0] C:\WINDOWS\SYSTEM32\EShims.dll
IAT  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[8340] @ C:\WINDOWS\System32\KERNEL32.DLL[KERNELBASE.dll!MapViewOfFileExNuma]  [7ffb98f833f0] C:\WINDOWS\SYSTEM32\EShims.dll
IAT  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[8340] @ C:\WINDOWS\SYSTEM32\dui70.dll[USER32.dll!CreateWindowExW]  [7ffb98f89c30] C:\WINDOWS\SYSTEM32\EShims.dll

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [700:6344]  ffff89dc0dbb6c20

---- Processes - GMER 2.2 ----

Library  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2B432A33-7412-4DE1-B1A7-913CA4F8216C}\mpengine.dll (*** suspicious ***) @ C:\Program Files\Windows Defender\MsMpEng.exe [1656] (Microsoft Malware Protection Engine/Microsoft Corporation)(2017-01-26 09:26:49)  00007ffb85c90000
Library  C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe (*** suspicious ***) @ C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe [4012]  00007ff760400000
Library  C:\Program Files\AMD\CNext\CNext\MSVCP120.dll (*** suspicious ***) @ C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe [4012]  00007ffb74a40000
Library  C:\Program Files\AMD\CNext\CNext\MSVCR120.dll (*** suspicious ***) @ C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe [4012]  00007ffb74950000

---- Services - GMER 2.2 ----

Service  C:\Program Files\AMD\CIM\Bin64\atdcm64a.sys (*** hidden *** )  [MANUAL] AtiDCM  <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\DRIVERS\wanarp.sys (*** hidden *** )  [MANUAL] wanarp  <-- ROOTKIT !!!
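A small triage helper for the "User code sections" and "Services" lines above, added here as an example; it is not part of GMER and not part of this log. The line patterns follow the layout GMER prints in this log, and the sample lines embedded in the script are constructed copies of that layout rather than the full log. The stub bytes assume the standard x86-64 encodings of the three instructions GMER disassembles (B8 imm32 for MOV EAX, 48 63 C0 for MOVSXD RAX, EAX, FF E0 for JMP RAX), which is exactly the 10 bytes GMER reports; the helper reconstructs those bytes so they can be compared against what is actually mapped at the hooked address.

```python
"""Triage GMER 2.2 user-mode hook and hidden-service lines (added example)."""
import re
import struct

# Constructed sample in GMER's line layout (two hooks and two hidden services
# copied in shape from the log above; not the full log).
SAMPLE_LOG = r"""
.text  C:\WINDOWS\System32\svchost.exe[5304] C:\WINDOWS\System32\win32u.dll!NtUserMessageCall  00007ffb9b0c1170 10 bytes {MOV EAX, 0x90844e8; MOVSXD RAX, EAX; JMP RAX}
.text  C:\WINDOWS\System32\svchost.exe[5304] C:\WINDOWS\System32\win32u.dll!NtUserSendInput  00007ffb9b0c20b0 10 bytes {MOV EAX, 0x9084b10; MOVSXD RAX, EAX; JMP RAX}
Service  C:\Program Files\AMD\CIM\Bin64\atdcm64a.sys (*** hidden *** )  [MANUAL] AtiDCM  <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\DRIVERS\wanarp.sys (*** hidden *** )  [MANUAL] wanarp  <-- ROOTKIT !!!
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+(?P<module>.+?)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+) bytes \{(?P<disasm>[^}]*)\}\s*$"
)
STUB_RE = re.compile(r"^MOV EAX, 0x(?P<imm>[0-9a-fA-F]+); MOVSXD RAX, EAX; JMP RAX$")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>[A-Z_]+)\]\s+"
    r"(?P<name>\S+)(?:\s+<-- ROOTKIT !!!)?\s*$"
)

# Standard x86-64 encodings of the stub GMER disassembles (assumption stated in the lead-in).
MOV_EAX_IMM32 = b"\xb8"
MOVSXD_RAX_EAX = b"\x48\x63\xc0"
JMP_RAX = b"\xff\xe0"


def sign_extend32(value):
    """MOVSXD RAX, EAX sign-extends the 32-bit immediate; mirror that."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def stub_target(disasm):
    """Absolute jump target encoded by the MOV/MOVSXD/JMP stub, or None if not that stub."""
    m = STUB_RE.match(disasm)
    return sign_extend32(int(m["imm"], 16)) if m else None


def encode_stub(target):
    """Bytes the stub occupies in memory for a given target (must fit a sign-extended imm32)."""
    if not -0x80000000 <= target <= 0x7FFFFFFF:
        raise ValueError("target is not representable as a sign-extended imm32")
    return MOV_EAX_IMM32 + struct.pack("<i", target) + MOVSXD_RAX_EAX + JMP_RAX


def decode_stub(code):
    """Inverse of encode_stub: the target if the first 10 bytes are this stub, else None."""
    if (len(code) < 10 or code[0:1] != MOV_EAX_IMM32
            or code[5:8] != MOVSXD_RAX_EAX or code[8:10] != JMP_RAX):
        return None
    return struct.unpack("<i", code[1:5])[0]


def expected_bytes(hook):
    """What should be mapped at hook['addr'] if GMER's disassembly is right."""
    return encode_stub(hook["target"])


def parse_gmer(text):
    """Collect user-mode inline hooks and hidden services from GMER output."""
    hooks, hidden = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            addr = int(m["addr"], 16)
            target = stub_target(m["disasm"])
            hooks.append({
                "pid": int(m["pid"]), "process": m["proc"], "module": m["module"],
                "func": m["func"], "addr": addr, "size": int(m["size"]), "target": target,
                # A rel32 JMP reaches only +/-2 GiB from the patched site; a target further
                # away than that is why the hook author needed an absolute jump via RAX.
                "absolute_jump_needed": target is not None and abs(addr - target) > 0x7FFFFFFF,
            })
            continue
        m = SERVICE_RE.match(line)
        if m:
            hidden.append({"path": m["path"], "start": m["start"], "name": m["name"],
                           "flagged_rootkit": "<-- ROOTKIT" in line})
    return {"hooks": hooks, "hidden_services": hidden}


if __name__ == "__main__":
    result = parse_gmer(SAMPLE_LOG)
    for h in result["hooks"]:
        print(f"pid {h['pid']} {h['func']} @ {h['addr']:#x} -> {h['target']:#x} "
              f"stub={expected_bytes(h).hex()} absolute={h['absolute_jump_needed']}")
    for s in result["hidden_services"]:
        print(f"hidden service {s['name']} [{s['start']}] {s['path']} rootkit_flag={s['flagged_rootkit']}")
```

The reconstructed stub is the thing to confirm before acting on a "User code sections" entry: read 10 bytes at the reported address in the reported process and compare them both with expected_bytes() and with the same export's first bytes in the on-disk win32u.dll. The "hidden" service and "ROOTKIT" markers are likewise leads, not verdicts; the next check is the service's own key under HKLM\SYSTEM\CurrentControlSet\Services and the signature of the driver file at the listed path.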
---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration  435
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  ????????????1????r??????????? ???r???r???????r????????R??r???r??????? ???????r???????????????????????????r?????????????r?r???????&???????r???????????r???????????e??%SystemDrive%\Program Files\AMD\AMDKMAFD?P???????????d???h???%???????r???????????????????r???$??1????r???????????????????r???????????r??????????????AMD Radeon(TM) R7 Graphics?Microsoft?}??????????????????????????????????????????????1????r??????????Avivo(TM)???100??r???????r???r??????????????????1????r???r???????????y???????????????????r?????????r?r???????????r?????????r?r??? ??0????r???????r???????????r???????????????????r???r?????????r?r???-??1????r???????????????????????r??????0????r??????????0????r???F???????r???r???????T??100??r??????1????r???r??????1????r???????r??????0????r???r??? ??0????r?????r?r??????1????r???????r???????r???r?????a?r???????r???r???????F??????d????r???t??????0????r???F??????????0????r???F??? 2??r???r???????r??Standard:0,Edge-detect:3?r???????????r???????r??50?r?r??????0(Standard:2,Edge-detect:12) 2(Standard:2) 4(Standard:4
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  1068552914
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller@Events
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\4@Timestamp  0x18 0x05 0x27 0x2B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files (x86)\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0xD4 0xC3 0x97 0x02 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x20 0xFD 0xC0 0xDF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0xBC 0xA6 0x4C 0xF8 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0xD6 0xAA 0x43 0x70 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0xB5 0x0E 0xC6 0x33 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0xB5 0x76 0x8A 0x95 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0xB5 0xA6 0x01 0xD2 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List  13102 13108 13118 13128 13148 13192 13202 13240 13246 13262
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter  13268
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help  13269
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter  13102
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help  13103

---- EOF - GMER 2.2 ----