GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-22 10:35:26
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001b ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB
Running: p4vevcu2.exe; Driver: C:\Users\Radek\AppData\Local\Temp\fxryrpog.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\atiesrxx.exe[904] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa21f2169a 4 bytes [F2, 21, FA, 7F]
.text C:\WINDOWS\system32\atiesrxx.exe[904] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa21f216a2 4 bytes [F2, 21, FA, 7F]
.text C:\WINDOWS\system32\atiesrxx.exe[904] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa21f2181a 4 bytes [F2, 21, FA, 7F]
.text C:\WINDOWS\system32\atiesrxx.exe[904] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa21f21832 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[2020] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa21f2169a 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[2020] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa21f216a2 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[2020] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa21f2181a 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[2020] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa21f21832 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1464] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffa21f2169a 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1464] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffa21f216a2 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1464] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118 00007ffa21f2181a 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1464] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142 00007ffa21f21832 4 bytes [F2, 21, FA, 7F]
.text C:\WINDOWS\system32\atieclxx.exe[4404] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa21f2169a 4 bytes [F2, 21, FA, 7F]
.text C:\WINDOWS\system32\atieclxx.exe[4404] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa21f216a2 4 bytes [F2, 21, FA, 7F]
.text C:\WINDOWS\system32\atieclxx.exe[4404] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa21f2181a 4 bytes [F2, 21, FA, 7F]
.text C:\WINDOWS\system32\atieclxx.exe[4404] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa21f21832 4 bytes [F2, 21, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[4356] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa21f2169a 4 bytes [F2, 21, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[4356] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa21f216a2 4 bytes [F2, 21, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[4356] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa21f2181a 4 bytes [F2, 21, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[4356] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa21f21832 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[2896] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa21f2169a 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[2896] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa21f216a2 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[2896] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa21f2181a 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[2896] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa21f21832 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4184] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa21f2169a 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4184] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa21f216a2 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4184] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa21f2181a 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4184] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa21f21832 4 bytes [F2, 21, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4184] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffa18c11f6a 4 bytes [C1, 18, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4184] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffa18c11f82 4 bytes [C1, 18, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4700] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffa18c11f6a 4 bytes [C1, 18, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4700] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffa18c11f82 4 bytes [C1, 18, FA, 7F]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [3380:3792] fffff960008b3b90

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{EA4DA470-6917-4D49-AF47-7807F7BFE5F9}\mpengine.dll (*** suspicious ***) @ C:\Program Files\Windows Defender\MsMpEng.exe [1464] (Microsoft Malware Protection Engine/Microsoft Corporation SIGNED)(2014-11-21 13:36:57) 00007ff9f4030000
Process C:\Users\Radek\AppData\Roaming\Dropbox\bin\Dropbox.exe (*** suspicious ***) @ C:\Users\Radek\AppData\Roaming\Dropbox\bin\Dropbox.exe [5624] (FILE NOT FOUND) 0000000000400000
Library C:\Users\Radek\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\Radek\AppData\Roaming\Dropbox\bin\Dropbox.exe [5624](2014-11-13 06:49:58) 0000000003a70000
Library c:\users\radek\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpbxiqro.dll (*** suspicious ***) @ C:\Users\Radek\AppData\Roaming\Dropbox\bin\Dropbox.exe [5624](2014-11-22 08:41:10) 0000000004230000
Library C:\Users\Radek\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\Radek\AppData\Roaming\Dropbox\bin\Dropbox.exe [5624](2013-08-23 19:01:44) 0000000062220000
Library C:\Users\Radek\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\Radek\AppData\Roaming\Dropbox\bin\Dropbox.exe [5624] (ICU Data DLL/The ICU Project)(2013-08-23 19:01:42) 000000006fa10000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----