GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-16 22:24:31
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 ST3320620AS rev.3.AAC 298,09GB
Running: ozm2xe5x.exe; Driver: C:\Users\Rafal\AppData\Local\Temp\axldrpod.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Smart File Advisor\SFAUpdater.exe[3052] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075aa396c 1 byte [C3]
.text C:\Program Files (x86)\Smart File Advisor\SFAUpdater.exe[3052] C:\Windows\syswow64\kernel32.dll!TerminateProcess 0000000075ab9dd9 1 byte [C3]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075aa396c 1 byte [C3]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\kernel32.dll!TerminateProcess 0000000075ab9dd9 1 byte [C3]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000075791401 2 bytes JMP 75abeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000075791419 2 bytes JMP 75acb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000075791431 2 bytes JMP 75b48609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 000000007579144a 2 bytes CALL 75aa1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000757914dd 2 bytes JMP 75b47efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000757914f5 2 bytes JMP 75b480d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 000000007579150d 2 bytes JMP 75b47df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000075791525 2 bytes JMP 75b481c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 000000007579153d 2 bytes JMP 75abf088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000075791555 2 bytes JMP 75acb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 000000007579156d 2 bytes JMP 75b486c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000075791585 2 bytes JMP 75b48222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 000000007579159d 2 bytes JMP 75b47db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000757915b5 2 bytes JMP 75abf121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000757915cd 2 bytes JMP 75acb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 00000000757916b2 2 bytes JMP 75b48584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoSweep.exe[2120] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000757916bd 2 bytes JMP 75b47d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\PluginInstall.exe[868] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075aa396c 1 byte [C3]
.text C:\Program Files (x86)\IObit\Surfing Protection\PluginInstall.exe[868] C:\Windows\syswow64\kernel32.dll!TerminateProcess 0000000075ab9dd9 1 byte [C3]
.text C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe[3496] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075aa396c 1 byte [C3]
.text C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe[3496] C:\Windows\syswow64\kernel32.dll!TerminateProcess 0000000075ab9dd9 1 byte [C3]
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075aa396c 1 byte [C3]
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\kernel32.dll!TerminateProcess 0000000075ab9dd9 1 byte [C3]
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075791401 2 bytes JMP 75abeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075791419 2 bytes JMP 75acb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075791431 2 bytes JMP 75b48609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007579144a 2 bytes CALL 75aa1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000757914dd 2 bytes JMP 75b47efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000757914f5 2 bytes JMP 75b480d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007579150d 2 bytes JMP 75b47df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075791525 2 bytes JMP 75b481c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007579153d 2 bytes JMP 75abf088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075791555 2 bytes JMP 75acb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007579156d 2 bytes JMP 75b486c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075791585 2 bytes JMP 75b48222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007579159d 2 bytes JMP 75b47db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000757915b5 2 bytes JMP 75abf121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000757915cd 2 bytes JMP 75acb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000757916b2 2 bytes JMP 75b48584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Surfing Protection\SPUpdate.exe[3584] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000757916bd 2 bytes JMP 75b47d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075aa396c 1 byte [C3]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\kernel32.dll!TerminateProcess 0000000075ab9dd9 1 byte [C3]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000075791401 2 bytes JMP 75abeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000075791419 2 bytes JMP 75acb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000075791431 2 bytes JMP 75b48609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 000000007579144a 2 bytes CALL 75aa1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000757914dd 2 bytes JMP 75b47efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000757914f5 2 bytes JMP 75b480d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 000000007579150d 2 bytes JMP 75b47df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000075791525 2 bytes JMP 75b481c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 000000007579153d 2 bytes JMP 75abf088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000075791555 2 bytes JMP 75acb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 000000007579156d 2 bytes JMP 75b486c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000075791585 2 bytes JMP 75b48222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 000000007579159d 2 bytes JMP 75b47db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000757915b5 2 bytes JMP 75abf121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000757915cd 2 bytes JMP 75acb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 00000000757916b2 2 bytes JMP 75b48584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\IObit\Advanced SystemCare 8\AutoCare.exe[3908] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000757916bd 2 bytes JMP 75b47d4d C:\Windows\syswow64\kernel32.dll
.text C:\Users\Rafal\Downloads\ozm2xe5x.exe[2452] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075aa396c 1 byte [C3]
.text C:\Users\Rafal\Downloads\ozm2xe5x.exe[2452] C:\Windows\syswow64\kernel32.dll!TerminateProcess 0000000075ab9dd9 1 byte [C3]

---- Processes - GMER 2.1 ----

Library C:\Users\Rafal\AppData\Local\MEGAsync\ShellExtX64.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2792](2014-05-01 14:13:20) 000007fefa5b0000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3F 0x08 0xC1 0xEB ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3F 0x08 0xC1 0xEB ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

---- EOF - GMER 2.1 ----