GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-10 14:00:34
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000062 ST925031 rev.0002 232,89GB
Running: gmer.exe; Driver: C:\Users\user\AppData\Local\Temp\uwtdapob.sys


---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff96000144300 7 bytes [00, A1, F3, FF, 41, B4, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000144308 3 bytes [00, 07, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000771d1465 2 bytes [1D, 77]
.text  C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000771d14bb 2 bytes [1D, 77]
.text  ...  * 2
.text  C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[3212] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69  00000000771d1465 2 bytes [1D, 77]
.text  C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[3212] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155  00000000771d14bb 2 bytes [1D, 77]
.text  ...  * 2

---- Processes - GMER 2.1 ----

Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46)  0000000074470000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38)  00000000731d0000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212](2014-10-22 00:22:50)  00000000743b0000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38)  0000000072c10000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (ICU I18N DLL/The ICU Project)(2014-10-22 00:22:50)  000000004a900000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (ICU Common DLL/The ICU Project)(2014-10-22 00:22:50)  00000000044b0000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (ICU Data DLL/The ICU Project)(2014-10-22 00:22:50)  000000004ad00000
Library c:\users\user\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpd1j4fn.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212](2015-01-10 09:20:58)  0000000004000000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38)  00000000700e0000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40)  000000006f0f0000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40)  000000006eed0000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40)  000000006ec20000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40)  000000006eb20000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212](2014-10-22 00:22:50)  000000006eb10000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46)  000000006e970000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38)  000000006e840000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38)  000000006e7f0000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212](2014-10-22 00:22:48)  000000006e660000
Library C:\Users\user\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212](2014-10-22 00:22:46)  000000006e620000
Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{ED947985-411D-4B63-A117-954540C13451}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [2972]  000007fef15d0000
Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{ED947985-411D-4B63-A117-954540C13451}\offreg.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [2972]  000007fef77e0000
Process C:\Users\user\AppData\Local\Temp\7zOA88E.tmp\gmer.exe (*** suspicious ***) @ C:\Users\user\AppData\Local\Temp\7zOA88E.tmp\gmer.exe [3884](2015-01-10 10:06:40)  0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.1 ----

File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes

---- EOF - GMER 2.1 ----
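Added example for reading a log like the one above; this is not part of the log and not GMER's own code. It parses GMER's one-entry-per-line layout into records, then does the three triage steps a reviewer usually does by hand: group the user-mode code patches by symbol, address and patched bytes to see which ones are identical across unrelated processes, list the "*** suspicious ***" modules per host process, and pull out modules loaded from a Temp directory. The regexes are assumptions about the layout, derived from the entries shown above; the sample input is a constructed subset of this log with a few paths shortened.

```python
"""Parse a GMER 2.1 text log into structured records for triage.

Added example; not part of the log above and not GMER's own code.
The regexes are assumptions about GMER's one-entry-per-line layout,
derived from the entries in the log.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER log above, with the EaseUS and
# Windows Defender paths shortened to keep the lines readable.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff96000144300 7 bytes [00, A1, F3, FF, 41, B4, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000144308 3 bytes [00, 07, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\EaseUS\bin\TrayTipAgentE.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000771d1465 2 bytes [1D, 77]
.text  C:\Program Files (x86)\EaseUS\bin\TrayTipAgentE.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000771d14bb 2 bytes [1D, 77]
.text  ...  * 2
.text  C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[3212] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69  00000000771d1465 2 bytes [1D, 77]
.text  C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[3212] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155  00000000771d14bb 2 bytes [1D, 77]
.text  ...  * 2

---- Processes - GMER 2.1 ----

Library C:\Users\user\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38)  0000000072c10000
Library c:\users\user\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpd1j4fn.dll (*** suspicious ***) @ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [3212](2015-01-10 09:20:58)  0000000004000000
Library C:\ProgramData\Microsoft\Windows Defender\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [2972]  000007fef15d0000
Process C:\Users\user\AppData\Local\Temp\7zOA88E.tmp\gmer.exe (*** suspicious ***) @ C:\Users\user\AppData\Local\Temp\7zOA88E.tmp\gmer.exe [3884](2015-01-10 10:06:40)  0000000000400000
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.1 ----$")
# ".text  <target>  <16-hex address> <n> bytes [xx, xx, ...]"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<target>.+?)\s+(?P<addr>[0-9a-f]{16})\s+(?P<n>\d+) bytes \[(?P<bytes>[^\]]*)\]",
    re.I)
# User-mode targets carry "<process path>[pid] <module>!<symbol> + <offset>".
PROC_TARGET_RE = re.compile(r"^(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<sym>.+)$")
# "Library|Process <path> (*** suspicious ***) @ <process> [pid] ... <16-hex base>"
MODULE_RE = re.compile(
    r"^(?P<kind>Library|Process)\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\].*?(?P<base>[0-9a-f]{16})\s*$",
    re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)


def parse_gmer(text):
    """Return (hooks, modules): code patches and *** suspicious *** module entries."""
    section, hooks, modules = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = HOOK_RE.match(line)
        if m:
            target = m.group("target")
            pm = PROC_TARGET_RE.match(target)  # None for kernel entries (no "[pid]")
            proc, pid, sym = ((pm.group("proc"), int(pm.group("pid")), pm.group("sym"))
                              if pm else (None, None, target))
            hooks.append({"section": section, "process": proc, "pid": pid, "symbol": sym,
                          "address": m.group("addr").lower(), "size": int(m.group("n")),
                          "bytes": m.group("bytes")})
            continue
        m = MODULE_RE.match(line)
        if m:
            modules.append({"kind": m.group("kind"), "path": m.group("path"),
                            "process": m.group("proc"), "pid": int(m.group("pid")),
                            "base": m.group("base").lower()})
        # GMER's repeat marker (".text  ...  * 2") and the Disk/File sections are skipped.
    return hooks, modules


def shared_hooks(hooks):
    """Group user-mode patches by (symbol, address, bytes) -> sorted PIDs.

    The same bytes at the same address in unrelated processes point to one shared
    cause (a hook applied to that DLL system-wide) rather than per-process
    tampering; a patch that appears in only one process is the one to look at first.
    """
    groups = defaultdict(set)
    for h in hooks:
        if h["pid"] is not None:
            groups[(h["symbol"].lower(), h["address"], h["bytes"])].add(h["pid"])
    return {key: sorted(pids) for key, pids in groups.items()}


def suspicious_by_process(modules):
    """Map (host process path, pid) -> list of module paths GMER flagged in it."""
    by_proc = defaultdict(list)
    for mod in modules:
        by_proc[(mod["process"], mod["pid"])].append(mod["path"])
    return dict(by_proc)


def temp_dir_modules(modules):
    """Flagged modules loaded from a Temp directory; a DLL dropped in Temp and loaded
    into a long-lived process is worth verifying (signature, hash) before anything else."""
    return [mod for mod in modules if TEMP_RE.search(mod["path"])]


if __name__ == "__main__":
    hooks, modules = parse_gmer(SAMPLE_LOG)
    for key, pids in shared_hooks(hooks).items():
        print(f"{key[0]} @ {key[1]} [{key[2]}] seen in PIDs {pids}")
    for (proc, pid), paths in suspicious_by_process(modules).items():
        print(f"{proc} [{pid}]: {len(paths)} flagged module(s)")
    for mod in temp_dir_modules(modules):
        print("loaded from Temp:", mod["path"])
```

Run it against a full GMER log by replacing SAMPLE_LOG with the file's contents; the parser tolerates the other sections by ignoring them, so anything it does not recognise is simply absent from the output rather than mis-parsed.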