GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-12 19:47:09 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1CH162 rev.CC47 931,51GB Running: z8iux3ep.exe; Driver: C:\Users\User\AppData\Local\Temp\agldrpod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\BBSvc.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\BBSvc.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2252] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2252] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2596] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000728b1a22 2 bytes [8B, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2596] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000728b1ad0 2 bytes [8B, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2596] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000728b1b08 2 bytes [8B, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2596] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000728b1bba 2 bytes [8B, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2596] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000728b1bda 2 bytes [8B, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Windows\SysWOW64\PnkBstrA.exe[2596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe[2572] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe[2572] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3572] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3572] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef678741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef6785f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef6785674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef6785e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef6787f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef6786a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef6786ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef6787b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef6787ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef67878b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef6784fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef6785d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef6787584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1992] (GG drive overlay/GG Network S.A.)(2014-03-08 22:09:00) 000000005c080000 Library C:\Users\User\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUObserver37.gadget\GPUStatusReader.dll (*** suspicious ***) @ C:\Program Files\Windows Sidebar\sidebar.exe [2980] (GPUStatusReader/Orbmu2k)(2013-12-10 14:09:59) 000000006a660000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46) 0000000073600000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 0000000073300000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572](2014-10-22 00:22:50) 0000000073130000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 000000006e900000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (ICU I18N DLL/The ICU Project)(2014-10-22 00:22:50) 000000004a900000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (ICU Common DLL/The ICU Project)(2014-10-22 00:22:50) 00000000044e0000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (ICU Data DLL/The ICU Project)(2014-10-22 00:22:50) 000000004ad00000 Library c:\users\user\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmprj1nxj.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572](2015-01-12 18:18:14) 0000000003e80000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 0000000067cb0000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 00000000618b0000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000067f20000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000067700000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000067ef0000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572](2014-10-22 00:22:50) 0000000068490000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46) 0000000067ec0000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 00000000676c0000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 00000000650a0000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572](2014-10-22 00:22:48) 0000000064ee0000 Library C:\Users\User\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2572](2014-10-22 00:22:46) 0000000067500000 ---- EOF - GMER 2.1 ----