GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-09 00:11:20
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545016B9A300 rev.PBBOC60S 149,05GB
Running: j36lixf2.exe; Driver: C:\Users\LG\AppData\Local\Temp\pxldapoc.sys

---- System - GMER 2.2 ----

SSDT \??\C:\Windows\system32\drivers\qutmipc.sys ZwOpenKeyEx [0x8D275620]

---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!ZwRequestWaitReplyPort + 12F8 82A50854 4 Bytes JMP 84FCC130
.text ntkrnlpa.exe!ZwRequestWaitReplyPort + 1499 82A509F5 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A8A992 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1383 82A91E68 4 Bytes [20, 56, 27, 8D]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8DA0A000, 0x23097E, 0xE8000020]

---- User code sections - GMER 2.2 ----

.text C:\Windows\Explorer.EXE[1120] ntdll.dll!RtlCreateProcessParametersEx 77A870F1 5 Bytes JMP 68CD7EE0 C:\Program Files\360\Total Security\safemon\Safehmpg.dll
.text C:\Windows\Explorer.EXE[1120] kernel32.dll!CreateProcessInternalW 76E20852 5 Bytes JMP 679F93E0 C:\Program Files\360\Total Security\safemon\safemon.dll
.text C:\Windows\Explorer.EXE[1120] SHELL32.dll!SHGetItemFromDataObject + 378 761CEBDC 4 Bytes [20, 81, CD, 68]
.text C:\Program Files\360\Total Security\safemon\QHSafeTray.exe[2444] USER32.dll!SetScrollRange 75F38EC5 5 Bytes JMP 675DCDCF C:\Program Files\360\Total Security\safemon\360hipsPopWnd.dll
.text C:\Program Files\360\Total Security\safemon\QHSafeTray.exe[2444] USER32.dll!GetScrollInfo 75F42DA3 7 Bytes JMP 675DCD43 C:\Program Files\360\Total Security\safemon\360hipsPopWnd.dll
.text C:\Program Files\360\Total Security\safemon\QHSafeTray.exe[2444] USER32.dll!SetScrollInfo 75F448DA 7 Bytes JMP 675DCD97 C:\Program Files\360\Total Security\safemon\360hipsPopWnd.dll
.text C:\Program Files\360\Total Security\safemon\QHSafeTray.exe[2444] USER32.dll!GetScrollRange 75F6045A 5 Bytes JMP 675DCD7B C:\Program Files\360\Total Security\safemon\360hipsPopWnd.dll
.text C:\Program Files\360\Total Security\safemon\QHSafeTray.exe[2444] USER32.dll!SetScrollPos 75F604BE 5 Bytes JMP 675DCDB3 C:\Program Files\360\Total Security\safemon\360hipsPopWnd.dll
.text C:\Program Files\360\Total Security\safemon\QHSafeTray.exe[2444] USER32.dll!GetScrollPos 75F60E43 5 Bytes JMP 675DCD5F C:\Program Files\360\Total Security\safemon\360hipsPopWnd.dll
.text C:\Program Files\360\Total Security\safemon\QHSafeTray.exe[2444] USER32.dll!EnableScrollBar 75F619CE 7 Bytes JMP 675DCD27 C:\Program Files\360\Total Security\safemon\360hipsPopWnd.dll
.text C:\Program Files\360\Total Security\safemon\QHSafeTray.exe[2444] USER32.dll!ShowScrollBar 75F63C89 5 Bytes JMP 675DCDEB C:\Program Files\360\Total Security\safemon\360hipsPopWnd.dll
.text C:\Program Files\Skype\Phone\Skype.exe[2492] kernel32.dll!MoveFileWithProgressW 76E18E9C 5 Bytes JMP 683C0600 C:\Program Files\360\Total Security\safemon\iNetSafe.dll

---- Devices - GMER 2.2 ----

AttachedDevice \FileSystem\Ntfs \Ntfs qutmdrv.sys
Device \FileSystem\Npfs \Device\NamedPipe 360Box.sys
AttachedDevice \FileSystem\fastfat \Fat FLTMGR.SYS
AttachedDevice \FileSystem\fastfat \Fat qutmdrv.sys

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 679
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@CED816F3 268

---- EOF - GMER 2.2 ----