GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-16 19:15:44
Windows 6.2.9200 x64 \Device\Harddisk2\DR2 -> \Device\0000003a Samsung_SSD_850_PRO_256GB rev.EXM01B6Q 238,47GB
Running: v12r81v9.exe; Driver: C:\Users\Iksu\AppData\Local\Temp\ugldqpob.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000107d00 15 bytes [00, A9, F3, 01, 80, 64, 6D, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff96000107d10 11 bytes [00, 91, FC, FF, 00, BF, CA, ...]

---- User code sections - GMER 2.1 ----

.text C:\Windows\System\HsMgr64.exe[2604] C:\Windows\SYSTEM32\combase.dll!CoCreateInstance 00007ffd6c51d050 7 bytes JMP 00007ffe6c4d00d8
.text C:\Windows\System\HsMgr64.exe[2604] C:\Windows\SYSTEM32\combase.dll!CoCreateInstanceEx 00007ffd6c541340 7 bytes JMP 00007ffe6c4d0110
.text C:\Windows\System\HsMgr64.exe[2604] C:\Windows\SYSTEM32\DSOUND.dll!DirectSoundCreate8 00007ffd57e2c7c0 5 bytes JMP 00007ffd6c4d0180
.text C:\Windows\System\HsMgr64.exe[2604] C:\Windows\SYSTEM32\DSOUND.dll!DirectSoundCaptureCreate8 00007ffd57e30b50 7 bytes JMP 00007ffd6c4d05a8
.text C:\Windows\System\HsMgr64.exe[2604] C:\Windows\SYSTEM32\DSOUND.dll!DirectSoundCaptureCreate 00007ffd57e47f30 7 bytes JMP 00007ffd6c4d0570
.text C:\Windows\System\HsMgr64.exe[2604] C:\Windows\SYSTEM32\DSOUND.dll!DirectSoundCreate 00007ffd57e48050 7 bytes JMP 00007ffd6c4d0148
.text C:\Windows\System\HsMgr64.exe[2604] C:\Windows\SYSTEM32\DSOUND.dll!DirectSoundFullDuplexCreate 00007ffd57e48170 5 bytes JMP 00007ffd6c4d05e0

---- Devices - GMER 2.1 ----

Device \Driver\storahci \Device\RaidPort0 ffffe0007cf0b2c0
Device \Driver\cdrom \Device\CdRom0 ffffe0007dc002c0
Device \Driver\storahci \Device\0000003b ffffe0007cf0b2c0
Device \Driver\storahci \Device\00000039 ffffe0007cf0b2c0
Device \Driver\storahci \Device\0000003c ffffe0007cf0b2c0
Device \Driver\storahci \Device\ScsiPort0 ffffe0007cf0b2c0
Device \Driver\storahci \Device\0000003a ffffe0007cf0b2c0
Device \Driver\storahci \Device\00000038 ffffe0007cf0b2c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xffffe0007cf0b2c0]<< sptd.sys storport.sys hal.dll storahci.sys ffffe0007cf0b2c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk2\DR2[0xffffe0007d926770] ffffe0007d926770
Trace 3 CLASSPNP.SYS[fffff80093c02170] -> nt!IofCallDriver -> [0xffffe0007c694e50] ffffe0007c694e50
Trace 5 ACPI.sys[fffff80093878c21] -> nt!IofCallDriver -> [0xffffe0007c68ddf0] ffffe0007c68ddf0
Trace 7 ACPI.sys[fffff80093878c21] -> nt!IofCallDriver -> \Device\0000003a[0xffffe0007c692060] ffffe0007c692060
Trace \Driver\storahci[0xffffe0007c69b8d0] -> IRP_MJ_CREATE -> 0xffffe0007cf0b2c0 ffffe0007cf0b2c0

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [1704:924] fffff960008992d0

---- Processes - GMER 2.1 ----

Process C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (FILE NOT FOUND) 0000000000400000
Library c:\users\iksu\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpnho8co.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796](2015-06-16 06:01:30) 0000000002df0000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:24) 000000006cbc0000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (ICU I18N DLL/The ICU Project)(2015-03-04 21:45:30) 000000004a900000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (ICU Common DLL/The ICU Project)(2015-03-04 21:45:30) 0000000005990000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (ICU Data DLL/The ICU Project)(2015-03-04 21:45:30) 000000004ad00000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:28) 0000000069dd0000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 000000006af40000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796](2015-03-04 21:45:30) 000000006ca70000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000069a10000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000065dd0000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 00000000697f0000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000065b70000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 000000006e4b0000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796](2015-03-04 21:45:30) 000000006e630000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:28) 000000006e170000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 000000006ca30000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 000000006b640000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796](2015-03-04 21:45:30) 000000006b560000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796](2015-03-04 21:45:30) 000000006b520000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\QtQuick.2\qtquick2plugin.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796](2015-03-04 21:45:30) 000000006dc00000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\QtQuick\Controls\qtquickcontrolsplugin.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796](2015-03-04 21:45:30) 0000000060a30000
Library C:\Users\Iksu\AppData\Roaming\Dropbox\bin\QtQuick\Window.2\windowplugin.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Roaming\Dropbox\bin\Dropbox.exe [796](2015-03-04 21:45:30) 000000006dbf0000
Process C:\Users\Iksu\AppData\Local\Temp\8680\temp\ViperElite.xyz.exe (*** suspicious ***) @ C:\Users\Iksu\AppData\Local\Temp\8680\temp\ViperElite.xyz.exe [7016](2015-06-16 15:34:50) 0000000001160000
Library C:\Users\Iksu\AppData\Local\Temp\tf696458e3.dll (*** suspicious ***) @ C:\Users\Iksu\AppData\Local\Temp\8680\temp\ViperElite.xyz.exe [7016](2015-06-16 15:34:56) 000000006dc20000

---- EOF - GMER 2.1 ----