Untitled

a guest
Dec 14th, 2018
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2018-12-15 00:18:28
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001e ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB
Running: gmer.exe; Driver: C:\Users\Magda\AppData\Local\Temp\kxrdypob.sys


---- Kernel code sections - GMER 2.2 ----

.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff96000108d00 15 bytes [C0, 25, E8, 01, 80, CF, 67, ...]
.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff96000108d10 8 bytes [00, 07, FC, FF, C0, C8, BB, ...]

---- Devices - GMER 2.2 ----

Device \Driver\amd_sata \Device\0000001f ffffe0019bdb72c0
Device \Driver\amd_sata \Device\RaidPort0 ffffe0019bdb72c0
Device \Driver\cdrom \Device\CdRom0 ffffe0019d2fe2c0
Device \Driver\amd_sata \Device\ScsiPort0 ffffe0019bdb72c0
Device \Driver\amd_sata \Device\0000001e ffffe0019bdb72c0

---- Trace I/O - GMER 2.2 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xffffe0019bdb92c0]<< sptd.sys amd_xata.sys storport.sys hal.dll amd_sata.sys ffffe0019bdb92c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe0019d1285e0] ffffe0019d1285e0
Trace 3 CLASSPNP.SYS[fffff801157a6170] -> nt!IofCallDriver -> [0xffffe0019bb33b30] ffffe0019bb33b30
Trace \Driver\amd_xata[0xffffe0019c796da0] -> IRP_MJ_CREATE -> 0xffffe0019bdb92c0 ffffe0019bdb92c0
Trace 5 amd_xata.sys[fffff801150c45da] -> nt!IofCallDriver -> \Device\0000001e[0xffffe0019d16a060] ffffe0019d16a060
Trace \Driver\amd_sata[0xffffe0019cf81cd0] -> IRP_MJ_CREATE -> 0xffffe0019bdb72c0 ffffe0019bdb72c0

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [5744:6492] fffff960009a42d0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\c:\windows\appcompat\programs\amcache.hve??\??\c:\windows\appcompat\programs\amcache.hve??\??\c:\windows\appcompat\programs\amcache.hve??\??\c:\windows\appcompat\programs\amcache.hve??\??\c:\windows\appcompat\programs\amcache.hve??\??\c:\windows\appcompat\programs\amcache.hve??\??\c:\windows\appcompat\programs\amcache.hve??\??\c:\programdata\datacardservice\temp\internet manager\setup.exe??\??\c:\programdata\datacardservice\temp\internet manager\??\??\c:\programdata\datacardservice\temp\??\??\c:\windows\appcompat\programs\amcache.hve??\??\c:\windows\appcompat\programs\amcache.hve??\??\c:\windows\appcompat\programs\amcache.hve??\??\C:\WINDOWS\AppCompat\Programs\Amcache.hve??\??\C:\WINDOWS\AppCompat\Programs\Amcache.hve??\??\C:\WINDOWS\AppCompat\Programs\Amcache.hve??\??\C:\WINDOWS\AppCompat\Programs\Amcache.hve??\??\C:\WINDOWS\AppCompat\Programs\Amcache.hve??\??\C:\WINDOWS\AppCompat\Programs\Amcache.hve??\??\C:\WINDOWS\AppCompat\Programs\Amcache.hve??\??\C:\WINDOWS\AppCompat\Programs\Amcache.hve??\??\C:\W
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1779720333
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\1008b1a11b8c
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\1008b1a11b8c@dc415f3ee725 0x0F 0xFE 0xEF 0x9F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 74052
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 53081
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 656
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\DirtyLocalCollections@windows-language 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh 0xFC 0xA3 0xD2 0xF0 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter 117
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 100
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xEB 0xF1 0xFF 0xF0 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xEB 0xF1 0xFF 0xF0 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter 40956
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherBandwidthBucketDrainTime 0x44 0x5D 0x9B 0xC2 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xEB 0xF1 0xFF 0xF0 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 130031
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xEB 0xF1 0xFF 0xF0 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0x19 0xB4 0x23 0xF1 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x5F 0xC1 0xD2 0xB3 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 403
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\language@PendingOperations 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windowspackagesettings\microsoft.bingweather_8wekyb3d8bbwe@PendingOperations 0

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----