GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-15 15:57:56
Windows 6.2.9200 x64 \Device\Harddisk2\DR2 -> \Device\0000003a Samsung_SSD_850_PRO_256GB rev.EXM01B6Q 238,47GB
Running: d8tzu2hf.exe; Driver: C:\Users\Iksu\AppData\Local\Temp\ugldqpob.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\dwm.exe[920]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffce064169a 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\system32\dwm.exe[920]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffce06416a2 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\system32\dwm.exe[920]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffce064181a 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\system32\dwm.exe[920]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffce0641832 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\system32\nvvsvc.exe[1012]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffce064169a 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\system32\nvvsvc.exe[1012]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffce06416a2 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\system32\nvvsvc.exe[1012]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffce064181a 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\system32\nvvsvc.exe[1012]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffce0641832 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\Explorer.EXE[1648]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffce064169a 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\Explorer.EXE[1648]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffce06416a2 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\Explorer.EXE[1648]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffce064181a 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\Explorer.EXE[1648]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffce0641832 4 bytes [64, E0, FC, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[2464]  C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506  00007ffce064169a 4 bytes [64, E0, FC, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[2464]  C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514  00007ffce06416a2 4 bytes [64, E0, FC, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[2464]  C:\Windows\system32\psapi.dll!QueryWorkingSet + 118  00007ffce064181a 4 bytes [64, E0, FC, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[2464]  C:\Windows\system32\psapi.dll!QueryWorkingSet + 142  00007ffce0641832 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\System\HsMgr64.exe[4684]  C:\Windows\SYSTEM32\combase.dll!CoCreateInstanceEx  00007ffce011f9a0 7 bytes JMP 00007ffddffa0110
.text  C:\Windows\System\HsMgr64.exe[4684]  C:\Windows\SYSTEM32\combase.dll!CoCreateInstance  00007ffce012cbe0 7 bytes JMP 00007ffddffa00d8
.text  C:\Windows\System\HsMgr64.exe[4684]  C:\Windows\SYSTEM32\DSOUND.dll!DirectSoundCreate8  00007ffcc3deae88 7 bytes JMP 00007ffcdffa0180
.text  C:\Windows\System\HsMgr64.exe[4684]  C:\Windows\SYSTEM32\DSOUND.dll!DirectSoundCaptureCreate8  00007ffcc3df1d10 7 bytes JMP 00007ffcdffa05a8
.text  C:\Windows\System\HsMgr64.exe[4684]  C:\Windows\SYSTEM32\DSOUND.dll!DirectSoundCaptureCreate  00007ffcc3dfd2dc 7 bytes JMP 00007ffcdffa0570
.text  C:\Windows\System\HsMgr64.exe[4684]  C:\Windows\SYSTEM32\DSOUND.dll!DirectSoundCreate  00007ffcc3dfd3ec 7 bytes JMP 00007ffcdffa0148
.text  C:\Windows\System\HsMgr64.exe[4684]  C:\Windows\SYSTEM32\DSOUND.dll!DirectSoundFullDuplexCreate  00007ffcc3dfd4fc 5 bytes JMP 00007ffcdffa05e0
.text  C:\Program Files\Logitech\SetPointP\SetPoint.exe[4696]  C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194  00007ffcc5311f6a 4 bytes [31, C5, FC, 7F]
.text  C:\Program Files\Logitech\SetPointP\SetPoint.exe[4696]  C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 218  00007ffcc5311f82 4 bytes [31, C5, FC, 7F]
.text  C:\Program Files\Logitech\SetPointP\SetPoint.exe[4696]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffce064169a 4 bytes [64, E0, FC, 7F]
.text  C:\Program Files\Logitech\SetPointP\SetPoint.exe[4696]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffce06416a2 4 bytes [64, E0, FC, 7F]
.text  C:\Program Files\Logitech\SetPointP\SetPoint.exe[4696]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffce064181a 4 bytes [64, E0, FC, 7F]
.text  C:\Program Files\Logitech\SetPointP\SetPoint.exe[4696]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffce0641832 4 bytes [64, E0, FC, 7F]

---- Devices - GMER 2.1 ----

Device  \Driver\storahci \Device\RaidPort0  ffffe001d67b42c0
Device  \Driver\storahci \Device\0000003b  ffffe001d67b42c0
Device  \Driver\storahci \Device\00000039  ffffe001d67b42c0
Device  \Driver\storahci \Device\ScsiPort0  ffffe001d67b42c0
Device  \Driver\storahci \Device\0000003a  ffffe001d67b42c0
Device  \Driver\storahci \Device\00000038  ffffe001d67b42c0

---- Trace I/O - GMER 2.1 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xffffe001d67b42c0]<< sptd.sys storport.sys hal.dll storahci.sys  ffffe001d67b42c0
Trace  1 nt!IofCallDriver -> \Device\Harddisk2\DR2[0xffffe001d7b95060]  ffffe001d7b95060
Trace  3 CLASSPNP.SYS[fffff8007d36627b] -> nt!IofCallDriver -> [0xffffe001d79e0c60]  ffffe001d79e0c60
Trace  5 ACPI.sys[fffff8007c8357aa] -> nt!IofCallDriver -> [0xffffe001d69f7ae0]  ffffe001d69f7ae0
Trace  7 ACPI.sys[fffff8007c8357aa] -> nt!IofCallDriver -> \Device\0000003a[0xffffe001d79df060]  ffffe001d79df060
Trace  \Driver\storahci[0xffffe001d699a570] -> IRP_MJ_CREATE -> 0xffffe001d67b42c0  ffffe001d67b42c0

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [620:652]  fffff96000884b90
Thread  C:\Windows\Explorer.EXE [1648:5416]  00007ffccbc3d73c

---- Processes - GMER 2.1 ----

Library  C:\Windows\TEMP\SppExtComObjHook.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [788]  00007ffcc5e10000
Process  C:\Users\Iksu\AppData\Roaming\Microsoft\Windows\IEUpdate\efsui.exe (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Microsoft\Windows\IEUpdate\efsui.exe [4904] (ebtyuxyjf jifo vifo ymohbiipu unow/©Wyebugur)(2014-11-18 16:10:47)  0000000140000000
Process  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (FILE NOT FOUND)  0000000000400000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:46)  000000006e6e0000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:44)  000000006e3f0000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:44)  000000006dd70000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (2015-03-04 22:08:06)  000000006e330000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (ICU I18N DLL/The ICU Project)(2015-03-04 22:08:06)  000000004a900000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (ICU Common DLL/The ICU Project)(2015-03-04 22:08:06)  0000000004080000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (ICU Data DLL/The ICU Project)(2015-03-04 22:08:06)  000000004ad00000
Library  c:\users\iksu\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpnwdsth.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (2015-03-15 14:51:05)  0000000003950000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:44)  000000006d240000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:46)  000000006c250000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:44)  000000006c030000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:44)  000000006bdd0000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:44)  000000006bda0000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (2015-03-04 22:08:06)  000000006bd90000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:46)  000000006bd60000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:44)  000000006bd20000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:44)  000000006bcd0000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (2015-03-04 22:08:06)  000000006b7c0000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (2015-03-04 22:07:48)  000000006b780000
Library  C:\Windows\TEMP\SppExtComObjHook.dll (*** suspicious ***) @ C:\Windows\system32\SppExtComObj.exe [5716]  00007ffcc5e10000

---- EOF - GMER 2.1 ----
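The log above is raw tool output, and on a 64-bit host most of its "User code sections" entries are noise that has to be separated from the few items worth chasing. As an added example (my own code, not part of GMER or of this page), the Python below parses the ".text" and "Library/Process" lines, with sample input excerpted from the scan above, and tags each entry. The tagging rules are my own triage heuristics, not GMER's: a 4-byte "patch" whose bytes equal bits 16..47 of the patched address is just the middle of a 64-bit pointer into the same module (every PSAPI and WSOCK32 entry above has that shape: [64, E0, FC, 7F] against 00007ffce064..., [31, C5, FC, 7F] against 00007ffcc531...), whereas a 5- or 7-byte JMP out of a function prologue, as in the HsMgr64.exe entries, is a genuine inline hook that has to be attributed to whoever owns the target address. For the process section it flags images loaded from a Temp directory or from the user profile, a DLL loaded into svchost.exe, a process whose backing file is gone, and a library for which GMER printed no version string. The tags are prompts for the analyst, not verdicts: confirm a pointer-fragment entry by diffing the in-memory page against the on-disk DLL before dismissing it, and confirm a temp-dir or profile image by hashing the file, not by its name.

```python
"""Triage helper for GMER 2.1 'User code sections' and 'Processes' entries (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines excerpted from the GMER scan log on this page.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----
.text  C:\Windows\system32\dwm.exe[920]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffce064169a 4 bytes [64, E0, FC, 7F]
.text  C:\Windows\System\HsMgr64.exe[4684]  C:\Windows\SYSTEM32\combase.dll!CoCreateInstanceEx  00007ffce011f9a0 7 bytes JMP 00007ffddffa0110
.text  C:\Windows\System\HsMgr64.exe[4684]  C:\Windows\SYSTEM32\DSOUND.dll!DirectSoundFullDuplexCreate  00007ffcc3dfd4fc 5 bytes JMP 00007ffcdffa05e0
.text  C:\Program Files\Logitech\SetPointP\SetPoint.exe[4696]  C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194  00007ffcc5311f6a 4 bytes [31, C5, FC, 7F]
---- Processes - GMER 2.1 ----
Library  C:\Windows\TEMP\SppExtComObjHook.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [788]  00007ffcc5e10000
Process  C:\Users\Iksu\AppData\Roaming\Microsoft\Windows\IEUpdate\efsui.exe (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Microsoft\Windows\IEUpdate\efsui.exe [4904] (ebtyuxyjf jifo vifo ymohbiipu unow/©Wyebugur)(2014-11-18 16:10:47)  0000000140000000
Process  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (FILE NOT FOUND)  0000000000400000
Library  C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [3960] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 22:07:44)  000000006dd70000
---- EOF - GMER 2.1 ----
"""

# One '.text' entry: process[pid], module!function [+ offset], address, "N bytes", patch description.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<module>.+?)!(?P<func>\w+)(?: \+ (?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<n>\d+) bytes\s+(?P<patch>.+)$"
)
# One 'Library'/'Process' entry: path, host process [pid], optional version info, base address.
IMAGE_RE = re.compile(
    r"^(?P<kind>Library|Process)\s+(?P<path>.+?) \(\*\*\* suspicious \*\*\*\) @ "
    r"(?P<host>.+?) \[(?P<pid>\d+)\](?P<info>.*?)\s+(?P<base>[0-9a-fA-F]{16})$"
)
TEMP_DIR_RE = re.compile(r"\\(?:Windows\\TEMP|AppData\\Local\\Temp)\\", re.I)
PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


@dataclass
class Finding:
    section: str  # "hook" for a .text entry, "image" for a Library/Process entry
    subject: str
    detail: str
    tags: list = field(default_factory=list)


def _basename(win_path):
    return win_path.rsplit("\\", 1)[-1]


def classify_hook(m):
    """Decide whether a '.text' entry looks like a detour or a pointer fragment."""
    addr = int(m["addr"], 16)
    jmp = re.fullmatch(r"JMP ([0-9a-fA-F]{16})", m["patch"])
    if jmp:
        # A multi-byte JMP out of the prologue is a real inline hook; whoever
        # owns the target address owns the hook.
        return f"JMP -> {jmp.group(1)}", ["inline-jmp"]
    raw = bytes(int(b, 16) for b in re.findall(r"[0-9A-Fa-f]{2}", m["patch"]))
    # Heuristic (mine, not GMER's): if the four reported bytes equal bits 16..47
    # of the patched address, they are the middle of a 64-bit pointer into the
    # same module, not a detour. Every PSAPI/WSOCK32 entry in this log has that shape.
    if len(raw) == 4 and int.from_bytes(raw, "little") == (addr >> 16) & 0xFFFFFFFF:
        return f"bytes {raw.hex()} form a pointer into {_basename(m['module'])}", ["pointer-fragment"]
    return f"bytes {raw.hex()}", ["byte-patch"]


def classify_image(m):
    """Tag a Library/Process entry with where it runs from and what is odd about it."""
    path, host, info = m["path"], m["host"], m["info"].strip()
    tags = []
    if TEMP_DIR_RE.search(path):
        tags.append("temp-dir-image")        # code running from a scratch directory
    elif PROFILE_RE.search(path):
        tags.append("user-profile-image")    # user-writable location, no admin needed to plant
    if "(FILE NOT FOUND)" in info:
        tags.append("backing-file-missing")  # on-disk image gone or replaced since launch
    if m["kind"] == "Library" and host.lower().endswith("svchost.exe"):
        tags.append("loaded-into-svchost")   # foreign DLL inside a shared service host
    if m["kind"] == "Library" and not info:
        tags.append("no-version-info")       # GMER printed no description/company string
    return f"{m['kind']} in {host} [{m['pid']}] {info}".rstrip(), tags


def triage(log_text):
    """Parse GMER log text into Findings; lines that are not hook or image entries are ignored."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            detail, tags = classify_hook(m)
            subject = f"{m['proc']} {_basename(m['module'])}!{m['func']}"
            findings.append(Finding("hook", subject, detail, tags))
            continue
        m = IMAGE_RE.match(line)
        if m:
            detail, tags = classify_image(m)
            findings.append(Finding("image", m["path"], detail, tags))
    return findings


def main():
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {', '.join(f.tags):<50} {f.subject}  ({f.detail})")


if __name__ == "__main__":
    main()
```

Run it as-is to print the tagged findings for the excerpt; to process a full scan, read the saved log file and pass its text to triage(). GMER separates fields with tabs in its own output, which the whitespace-tolerant patterns above accept as well.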