GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-02 16:15:20
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD321KJ rev.CP100-12 298,09GB
Running: f0mc7f0d.exe; Driver: C:\Users\Monix\AppData\Local\Temp\fwddikob.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\services.exe[584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\winlogon.exe[616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\atiesrxx.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[1008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\WLANExt.exe[1272] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\taskhost.exe[1596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[2092] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\Explorer.EXE[2592] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Program Files (x86)\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[2716] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075caa322 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[2756] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075c887c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[2756] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075caa322 1 byte [62]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2764] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075caa322 1 byte [62]
.text C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe[3016] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075caa322 1 byte [62]
.text C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe[3016] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075491465 2 bytes [49, 75]
.text C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe[3016] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000754914bb 2 bytes [49, 75]
.text ... * 2
.text C:\Windows\system32\SearchIndexer.exe[1768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[2796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3684] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[3692] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Users\Monix\AppData\Roaming\BitTorrent\BitTorrent.exe[4076] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075caa322 1 byte [62]
.text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[148] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075caa322 1 byte [62]
.text C:\Windows\system32\notepad.exe[4772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\notepad.exe[1564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Windows\system32\notepad.exe[3184] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757eecd 1 byte [62]
.text C:\Users\Monix\Downloads\f0mc7f0d.exe[4600] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075caa322 1 byte [62]

---- Processes - GMER 2.1 ----

Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-01-08 20:44:44) 000000006e800000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-01-08 20:44:42) 000000006e500000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016](2015-01-08 20:44:46) 000000006de40000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-01-08 20:44:42) 000000006d880000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (ICU I18N DLL/The ICU Project)(2015-01-08 20:44:46) 000000004a900000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (ICU Common DLL/The ICU Project)(2015-01-08 20:44:46) 0000000004400000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (ICU Data DLL/The ICU Project)(2015-01-08 20:44:46) 000000004ad00000
Library c:\users\monix\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp_iioa1.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016](2015-02-02 11:24:27) 0000000004000000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-01-08 20:44:42) 000000006aeb0000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-01-08 20:44:42) 0000000069e30000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-01-08 20:44:42) 0000000069c10000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-01-08 20:44:42) 00000000699b0000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-01-08 20:44:42) 0000000069980000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016](2015-01-08 20:44:46) 000000006c420000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-01-08 20:44:44) 000000006c3f0000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-01-08 20:44:42) 0000000069940000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-01-08 20:44:42) 00000000698f0000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016](2015-01-08 20:44:46) 0000000069810000
Library C:\Users\Monix\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Monix\AppData\Roaming\Dropbox\bin\Dropbox.exe [3016](2015-01-08 20:44:46) 00000000697d0000

---- EOF - GMER 2.1 ----