GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-27 22:33:30
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000063 Samsung_ rev.EXT0 111,79GB
Running: tcutgh5z.exe; Driver: C:\Users\xbialy\AppData\Local\Temp\fwrdipoc.sys

---- Kernel code sections - GMER 2.2 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 448  fffff800031b2000 46 bytes [11, 00, 48, 8D, 0D, F7, FF, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 497  fffff800031b2031 5 bytes [15, 32, 08, 11, 00]

---- User code sections - GMER 2.2 ----

.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076ed1465 2 bytes [ED, 76]
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076ed14bb 2 bytes [ED, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Heimdal\Heimdal.ClientHost.exe[1768] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000076ed1465 2 bytes [ED, 76]
.text  C:\Program Files (x86)\Heimdal\Heimdal.ClientHost.exe[1768] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000076ed14bb 2 bytes [ED, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Heimdal\Heimdal.AgentLoader.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076ed1465 2 bytes [ED, 76]
.text  C:\Program Files (x86)\Heimdal\Heimdal.AgentLoader.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076ed14bb 2 bytes [ED, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076ed1465 2 bytes [ED, 76]
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076ed14bb 2 bytes [ED, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[5752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076ed1465 2 bytes [ED, 76]
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[5752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076ed14bb 2 bytes [ED, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\RAPTRI~1\Raptr\raptr_im.exe[5480] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076ed1465 2 bytes [ED, 76]
.text  C:\Program Files (x86)\RAPTRI~1\Raptr\raptr_im.exe[5480] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076ed14bb 2 bytes [ED, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Heimdal\Heimdal.Agent.exe[6736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076ed1465 2 bytes [ED, 76]
.text  C:\Program Files (x86)\Heimdal\Heimdal.Agent.exe[6736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076ed14bb 2 bytes [ED, 76]
.text  ...  * 2
.text  C:\Users\xbialy\Downloads\tcutgh5z.exe[3920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076ed1465 2 bytes [ED, 76]
.text  C:\Users\xbialy\Downloads\tcutgh5z.exe[3920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076ed14bb 2 bytes [ED, 76]
.text  ...  * 2

---- Kernel IAT/EAT - GMER 2.2 ----

IAT  C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback]  [fffff880047bc01c] \SystemRoot\system32\DRIVERS\360Box64.sys [.text]

---- Threads - GMER 2.2 ----

Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4628:4588]  0000000077b73e85
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4628:4572]  00000000773e7587
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4628:3636]  0000000066289946
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4628:4612]  0000000077b72e65
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4628:4336]  0000000077b73e85

---- Processes - GMER 2.2 ----

Library  C:\??\C:\Program Files (x86)\360\Total Security\safemon\SafeWrapper.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2460]  0000000069e70000

---- EOF - GMER 2.2 ----