GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-21 22:03:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB Running: 5hs2bm18.exe; Driver: C:\Users\hanka\AppData\Local\Temp\pxldikog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Windows\system32\services.exe[660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[984] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1116] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe[1184] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe[1260] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1508] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1748] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2148] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Windows\system32\Dwm.exe[2284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Windows\Explorer.EXE[2324] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2644] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2744] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[2776] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] ? C:\Windows\system32\mssprxy.dll [2820] entry point in ".rdata" section 00000000748471e6 .text C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe[2960] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe[4060] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4000] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Program Files (x86)\Launch Manager\LManager.exe[728] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3932] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4016] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076bd8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4016] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 0000000076b41401 2 bytes JMP 76bfb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 0000000076b41419 2 bytes JMP 76bfb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 0000000076b41431 2 bytes JMP 76c78ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 0000000076b4144a 2 bytes CALL 76bd48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 0000000076b414dd 2 bytes JMP 76c787a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076b414f5 2 bytes JMP 76c78978 C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 0000000076b4150d 2 bytes JMP 76c78698 C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076b41525 2 bytes JMP 76c78a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 0000000076b4153d 2 bytes JMP 76befca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 0000000076b41555 2 bytes JMP 76bf68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 0000000076b4156d 2 bytes JMP 76c78f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 0000000076b41585 2 bytes JMP 76c78ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 0000000076b4159d 2 bytes JMP 76c7865c C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 0000000076b415b5 2 bytes JMP 76befd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 0000000076b415cd 2 bytes JMP 76bfb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 0000000076b416b2 2 bytes JMP 76c78e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe[3180] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 0000000076b416bd 2 bytes JMP 76c785f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe[668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Windows\system32\wbem\unsecapp.exe[2528] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Program Files (x86)\Launch Manager\LMworker.exe[4180] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe[4444] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007730ef8d 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4560] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1968] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] .text E:\5hs2bm18.exe[5752] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2fd 1 byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef75c741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef75c5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef75c5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef75c5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef75c7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef75c6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef75c6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef75c7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef75c7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef75c78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef75c4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef75c5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef75c7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Processes - GMER 2.1 ---- Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46) 0000000069b10000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 000000006aeb0000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180](2014-10-22 00:22:50) 0000000070ae0000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 0000000068b20000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (ICU I18N DLL/The ICU Project)(2014-10-22 00:22:50) 000000004a900000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (ICU Common DLL/The ICU Project)(2014-10-22 00:22:50) 0000000004070000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (ICU Data DLL/The ICU Project)(2014-10-22 00:22:50) 000000004ad00000 Library c:\users\hanka\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcl47ub.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180](2014-12-21 19:02:53) 0000000003b00000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 0000000069210000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000066430000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000068ff0000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000067e10000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 000000006e740000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180](2014-10-22 00:22:50) 0000000073710000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46) 000000006df90000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 000000006ab10000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 0000000069a70000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180](2014-10-22 00:22:48) 0000000069990000 Library C:\Users\hanka\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\hanka\AppData\Roaming\Dropbox\bin\Dropbox.exe [3180](2014-10-22 00:22:46) 000000006e090000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ec18be Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ec18be@3017c81a9d58 0xF1 0x60 0xC9 0x8A ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001060ec18be (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001060ec18be@3017c81a9d58 0xF1 0x60 0xC9 0x8A ... ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-2927703250-4196874000-3457401577-1000 0 bytes File C:\avast! sandbox\S-1-5-21-2927703250-4196874000-3457401577-1000\r218 0 bytes File C:\avast! sandbox\S-1-5-21-2927703250-4196874000-3457401577-1000\r218\5hs2bm18.exe_{9f9b3307-8943-11e4-8710-1c750813111c} 0 bytes File C:\avast! sandbox\S-1-5-21-2927703250-4196874000-3457401577-1000\r218\5hs2bm18.exe_{9f9b330e-8943-11e4-8710-1c750813111c} 0 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG1 5120 bytes File C:\avast! sandbox\snx_rhive.LOG2 0 bytes File C:\avast! sandbox\snx_rhive{9f9b3309-8943-11e4-8710-1c750813111c}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{9f9b3309-8943-11e4-8710-1c750813111c}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{9f9b3309-8943-11e4-8710-1c750813111c}.TMContainer00000000000000000002.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{9f9b3310-8943-11e4-8710-1c750813111c}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{9f9b3310-8943-11e4-8710-1c750813111c}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{9f9b3310-8943-11e4-8710-1c750813111c}.TMContainer00000000000000000002.regtrans-ms 524288 bytes ---- EOF - GMER 2.1 ----