GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-06-05 22:45:32
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002c rev. 0,00MB
Running: 2k3oxknv.exe; Driver: C:\Users\MICHA~1\AppData\Local\Temp\ugdyikow.sys

---- User code sections - GMER 2.2 ----

.text C:\WINDOWS\Explorer.EXE[2248] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff85a53b0a0 5 bytes JMP 00007ff8546d26d4

---- Devices - GMER 2.2 ----

Device \Driver\axscsidrv \Device\Scsi\axscsidrv1Port1Path0Target0Lun0 ffffe00032cea2c0
Device \Driver\axscsidrv \Device\Scsi\axscsidrv1 ffffe00032cea2c0
Device \Driver\amd_sata \Device\RaidPort0 ffffe000315f62c0
Device \Driver\cdrom \Device\CdRom0 ffffe00032c002c0
Device \Driver\cdrom \Device\CdRom1 ffffe00032c002c0
Device \Driver\amd_sata \Device\0000002c ffffe000315f62c0
Device \Driver\amd_sata \Device\0000002d ffffe000315f62c0
Device \Driver\amd_sata \Device\ScsiPort0 ffffe000315f62c0
Device \Driver\axscsidrv \Device\ScsiPort1 ffffe00032cea2c0

---- Trace I/O - GMER 2.2 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xffffe000315f82c0]<< sptd.sys amd_xata.sys storport.sys hal.dll amd_sata.sys ffffe000315f82c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe000328bb060] ffffe000328bb060
Trace 3 CLASSPNP.SYS[fffff80176202f40] -> nt!IofCallDriver -> [0xffffe00032723b30] ffffe00032723b30
Trace \Driver\amd_xata[0xffffe00032708720] -> IRP_MJ_CREATE -> 0xffffe000315f82c0 ffffe000315f82c0
Trace 5 amd_xata.sys[fffff8017561c5da] -> nt!IofCallDriver -> \Device\0000002c[0xffffe00032726060] ffffe00032726060
Trace \Driver\amd_sata[0xffffe00031ffec60] -> IRP_MJ_CREATE -> 0xffffe000315f62c0 ffffe000315f62c0

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [724:456] fffff9600099d2d0
Thread C:\WINDOWS\Explorer.Exe [4336:3588] 00000000605577b0

---- Services - GMER 2.2 ----

Service C:\Program Files (x86)\00000000-1465050606-0000-0000-D43D7EEF6E46\jnsmF91C.tmp (*** hidden *** ) [DISABLED] dowidoly <-- ROOTKIT !!!
Service C:\Users\Micha?\AppData\Roaming\FuslyPalri\Hoefg.exe (*** hidden *** ) [DISABLED] Giinno <-- ROOTKIT !!!
Service C:\Program Files (x86)\00000000-1465050606-0000-0000-D43D7EEF6E46\hnsv109D.tmp (*** hidden *** ) [DISABLED] rijufoze <-- ROOTKIT !!!
Service C:\Users\Micha?\AppData\Local\00000000-1465136256-0000-0000-D43D7EEF6E46\qnsqB11A.tmp (*** hidden *** ) [DISABLED] zigipyro <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1671489239
Reg HKLM\SYSTEM\CurrentControlSet\Services\dowidoly@Start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\dowidoly
Reg HKLM\SYSTEM\CurrentControlSet\Services\Giinno@Start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\Giinno
Reg HKLM\SYSTEM\CurrentControlSet\Services\rijufoze@Start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\rijufoze
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 7084
Reg HKLM\SYSTEM\CurrentControlSet\Services\zigipyro@Start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\zigipyro
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime 0x0C 0xCC 0xA4 0x00 ...
Reg HKCU\Software\Microsoft\Windows\DWM@ColorizationColor -1345170881
Reg HKCU\Software\Microsoft\Windows\DWM@ColorizationColorBalance 78
Reg HKCU\Software\Microsoft\Windows\DWM@ColorizationAfterglow -1345170881
Reg HKCU\Software\Microsoft\Windows\DWM@ColorizationBlurBalance 12

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior

---- EOF - GMER 2.2 ----