GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-06-03 21:17:40
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZEX-21M2NA0 rev.01.01A01 931,51GB
Running: gmer.exe; Driver: C:\Users\Przemo\AppData\Local\Temp\axdiapow.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076371465 2 bytes [37, 76]
.text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763714bb 2 bytes [37, 76]
.text ... * 2
.text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076371465 2 bytes [37, 76]
.text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763714bb 2 bytes [37, 76]
.text ... * 2
.text C:\ProgramData\Quotenamron\Quotenamron.exe[2036] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076371465 2 bytes [37, 76]
.text C:\ProgramData\Quotenamron\Quotenamron.exe[2036] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000763714bb 2 bytes [37, 76]
.text ... * 2
.text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2496] C:\Windows\syswow64\USER32.dll!GetScrollInfo 000000007477452a 7 bytes JMP 000000007360cd43
.text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2496] C:\Windows\syswow64\USER32.dll!SetScrollInfo 00000000747745e7 7 bytes JMP 000000007360cd97
.text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2496] C:\Windows\syswow64\USER32.dll!ShowScrollBar 000000007477467a 5 bytes JMP 000000007360cdeb
.text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2496] C:\Windows\syswow64\USER32.dll!GetScrollPos 0000000074774741 5 bytes JMP 000000007360cd5f
.text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2496] C:\Windows\syswow64\USER32.dll!SetScrollPos 00000000747788cd 5 bytes JMP 000000007360cdb3
.text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2496] C:\Windows\syswow64\USER32.dll!GetScrollRange 0000000074778fac 5 bytes JMP 000000007360cd7b
.text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2496] C:\Windows\syswow64\USER32.dll!EnableScrollBar 000000007477b3b7 7 bytes JMP 000000007360cd27
.text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2496] C:\Windows\syswow64\USER32.dll!SetScrollRange 0000000074790207 5 bytes JMP 000000007360cdcf
.text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076371465 2 bytes [37, 76]
.text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763714bb 2 bytes [37, 76]
.text ... * 2
.text E:\gmer\gmer.exe[4700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076371465 2 bytes [37, 76]
.text E:\gmer\gmer.exe[4700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763714bb 2 bytes [37, 76]
.text ... * 2

---- Kernel IAT/EAT - GMER 2.2 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001008e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001008c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001009654] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001009a50] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010098ac] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortCopyMemory] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortGetPhysicalAddress] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortReadRegisterUlong] [fce8840fed844566] [unknown section]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortInitializeEx] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortDeviceStateChange] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortEtwTraceLog] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortRegistryFreeBuffer] [fffffcca820fd03b] [unknown section]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortGetBusData] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortRegistryRead] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortRequestCallback] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortStallExecution] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortGetUnCachedExtension] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortReadRegisterUchar] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortBuildRequestSenseIrb] [fffffc92830fca3b] [unknown section]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortReleaseRequestSenseIrb] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortCompleteRequest] [fc80840f00107983] [unknown section]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortNotification] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortGetDeviceBase] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortGetScatterGatherList] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortRegistryAllocateBuffer] [?]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[PCIIDEX.SYS!AtaPortWriteRegisterUlong] [fffc59830fc83b08] [unknown section]
IAT C:\Windows\System32\Drivers\anbui3dm.SYS[NTOSKRNL.exe!KeBugCheckEx] [?]
IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88002cc7870] \SystemRoot\system32\DRIVERS\360Box64.sys [.text]

---- Devices - GMER 2.2 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80066d12c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa80066d12c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa80066d12c0
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 fffffa80066d12c0
Device \Driver\atapi \Device\Ide\IdePort2 fffffa80066d12c0
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80066d12c0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80066d12c0
Device \Driver\atapi \Device\Ide\IdePort3 fffffa80066d12c0
Device \Driver\anbui3dm \Device\Scsi\anbui3dm1 fffffa8007cdf2c0
Device \FileSystem\Ntfs \Ntfs fffffa800701c2c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa8007c832c0
Device \Driver\cdrom \Device\CdRom0 fffffa80079e52c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{95DB4B4B-E70B-48B5-AB6C-BC25DA15FB8D} fffffa8007a522c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa8007c832c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa8007c832c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{82CC4B8A-DE1A-49F6-9CCD-358A6AC49306} fffffa8007a522c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007a522c0
Device \Driver\atapi \Device\ScsiPort0 fffffa80066d12c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa8007c832c0
Device \Driver\atapi \Device\ScsiPort1 fffffa80066d12c0
Device \Driver\atapi \Device\ScsiPort2 fffffa80066d12c0
Device \Driver\atapi \Device\ScsiPort3 fffffa80066d12c0
Device \Driver\anbui3dm \Device\ScsiPort4 fffffa8007cdf2c0

---- Trace I/O - GMER 2.2 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80066d12c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80066d12c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80076e4060] fffffa80076e4060
Trace 3 CLASSPNP.SYS[fffff8800163a43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800723b060] fffffa800723b060
Trace \Driver\atapi[0xfffffa8007174640] -> IRP_MJ_CREATE -> 0xfffffa80066d12c0 fffffa80066d12c0

---- Modules - GMER 2.2 ----

Module \SystemRoot\System32\Drivers\anbui3dm.SYS (MS AHCI 1.0 Standard Driver/Microsoft Corporation SIGNED)(2010-11-21 03:23:47) fffff88003f55000-fffff88003fa2000 (315392 bytes)

---- Threads - GMER 2.2 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3700:3448] 000007fefb852ab8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3700:3440] 000007feec3bd618

---- Processes - GMER 2.2 ----

Library C:\??\C:\Program Files (x86)\360\Total Security\safemon\SafeWrapper.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1772] 0000000072620000
Library C:\??\C:\Program Files (x86)\360\Total Security\safemon\SafeWrapper.dll (*** suspicious ***) @ C:\Windows\explorer.exe [4916] 0000000072620000
Library C:\??\C:\Program Files (x86)\360\Total Security\safemon\SafeWrapper.dll (*** suspicious ***) @ C:\Windows\explorer.exe [3648] 0000000072620000

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 137568
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBF 0x48 0x63 0xAB ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xC4 0x60 0x7B 0x31 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x72 0x1E 0xE3 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{82cc4b8a-de1a-49f6-9ccd-358a6ac49306}@Dhcpv6MaxLeaseExpireTime 1465024066
Reg HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{82cc4b8a-de1a-49f6-9ccd-358a6ac49306}@Dhcpv6LeaseObtainedTime 1464980866
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBF 0x48 0x63 0xAB ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xC4 0x60 0x7B 0x31 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x72 0x1E 0xE3 0x6F ...

---- EOF - GMER 2.2 ----