GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-19 13:48:48
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-5 ST1000DM003-1CH162 rev.CC44 931,51GB
Running: 1q7sj7ei.exe; Driver: C:\Users\Simon\AppData\Local\Temp\agtorfoc.sys


---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\PnkBstrA.exe[1452]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  0000000073771a22 2 bytes [77, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1452]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  0000000073771ad0 2 bytes [77, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1452]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552  0000000073771b08 2 bytes [77, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1452]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730  0000000073771bba 2 bytes [77, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1452]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762  0000000073771bda 2 bytes [77, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1452]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1452]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765214bb 2 bytes [52, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\kernel32.dll!CreateFileW  0000000076a13f3c 5 bytes JMP 000000016bfb75f0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\USER32.dll!SetWindowPos  0000000076548e4e 5 bytes JMP 000000016bfb6ad0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\USER32.dll!ShowWindow  0000000076550dfb 5 bytes JMP 000000016bfb68b0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\USER32.dll!SetFocus  0000000076552175 5 bytes JMP 000000016bfb69c0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\USER32.dll!SetActiveWindow  0000000076553208 5 bytes JMP 000000016bfb6be0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\USER32.dll!BringWindowToTop  0000000076557b3b 5 bytes JMP 000000016bfb65e0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\USER32.dll!SetForegroundWindow  000000007656f170 5 bytes JMP 000000016bfb64d0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\USER32.dll!SwitchToThisWindow  00000000765890fc 5 bytes JMP 000000016bfb66f0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\USER32.dll!ShowWindowAsync  00000000765a7d97 5 bytes JMP 000000016bfb67a0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\ole32.dll!DoDragDrop  000000007595a827 5 bytes JMP 000000016bfb63e0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765214bb 2 bytes [52, 76]
.text  ...  * 2
.text  C:\Users\Simon\AppData\Roaming\Spotify\spotify.exe[2248]  C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint  000000007744000c 1 byte [C3]
.text  C:\Users\Simon\AppData\Roaming\Spotify\spotify.exe[2248]  C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin  00000000774cf85a 5 bytes JMP 000000017747d571
.text  C:\Users\Simon\AppData\Roaming\Spotify\spotify.exe[2248]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Users\Simon\AppData\Roaming\Spotify\spotify.exe[2248]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765214bb 2 bytes [52, 76]
.text  ...  * 2
.text  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe[2472]  C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe[2472]  C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155  00000000765214bb 2 bytes [52, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[3608]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[3608]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765214bb 2 bytes [52, 76]
.text  ...  * 2
.text  C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4100]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4100]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765214bb 2 bytes [52, 76]
.text  ...  * 2
.text  C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4108]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4108]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765214bb 2 bytes [52, 76]
.text  ...  * 2
.text  C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4116]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4116]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765214bb 2 bytes [52, 76]
.text  ...  * 2
.text  C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4332]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4332]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765214bb 2 bytes [52, 76]
.text  ...  * 2
.text  C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4476]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Users\Simon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4476]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765214bb 2 bytes [52, 76]
.text  ...  * 2

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE[USER32.dll!MoveWindow] [7fefc331a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE[USER32.dll!DeferWindowPos] [7fefc331de0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE[USER32.dll!EndPaint] [7fefc331f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE[USER32.dll!SetWindowPos] [7fefc331c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\SHELL32.dll[USER32.dll!MoveWindow] [7fefc331a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowPos] [7fefc331c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DeferWindowPos] [7fefc331de0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\SHELL32.dll[USER32.dll!EndPaint] [7fefc331f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\ole32.dll[USER32.dll!MoveWindow] [7fefc331a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!EndPaint] [7fefc331f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!MoveWindow] [7fefc331a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!SetWindowPos] [7fefc331c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\DUser.dll[USER32.dll!EndPaint] [7fefc331f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\DUI70.dll[USER32.dll!SetWindowPos] [7fefc331c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\IMM32.dll[USER32.dll!EndPaint] [7fefc331f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\IMM32.dll[USER32.dll!SetWindowPos] [7fefc331c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\MSCTF.dll[USER32.dll!MoveWindow] [7fefc331a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\MSCTF.dll[USER32.dll!EndPaint] [7fefc331f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWindowPos] [7fefc331c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowPos] [7fefc331c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!MoveWindow] [7fefc331a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!SetWindowPos] [7fefc331c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll

---- Threads - GMER 2.1 ----

Thread  C:\Windows\System32\svchost.exe [5680:5712]  000007fef1999688

---- Processes - GMER 2.1 ----

Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:28)  0000000072230000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24)  000000006b860000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472](2015-02-10 21:00:30)  000000006aef0000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24)  0000000065fc0000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (ICU I18N DLL/The ICU Project)(2015-02-10 21:00:30)  000000004a900000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (ICU Common DLL/The ICU Project)(2015-02-10 21:00:30)  0000000004510000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (ICU Data DLL/The ICU Project)(2015-02-10 21:00:30)  000000004ad00000
Library  c:\users\simon\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcyh8on.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472](2015-02-19 12:02:29)  0000000003de0000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24)  0000000060a30000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:26)  000000005fa40000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24)  000000005f820000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24)  000000005f590000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24)  000000005f560000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472](2015-02-10 21:00:30)  000000005f550000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:26)  000000005f520000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24)  000000005f4e0000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24)  000000005f490000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472](2015-02-10 21:00:28)  000000005f3b0000
Library  C:\Users\Simon\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Simon\AppData\Roaming\Dropbox\bin\Dropbox.exe [2472](2015-02-10 21:00:28)  000000005f370000

---- EOF - GMER 2.1 ----
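Triage note on the two hook sections above, with an added example that is not part of the GMER log or of GMER itself. The "User code sections" lines are inline patches to function bodies (a 5-byte JMP to a foreign address, or a short byte write such as "[52, 76]" or "[C3]"), and the "User IAT/EAT" lines are import-table slots that no longer point into the exporting DLL but into another module, here C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll inside Explorer.EXE. Reading such a log by hand is slow because the same 2-byte PSAPI.DLL!GetModuleInformation patch recurs in every WoW64 process; what a practitioner wants is the hooks grouped per process, the patches that are identical across processes (one system-wide agent) separated from the process-specific JMPs, and the IAT entries rolled up by the module they redirect to. The Python below does that for a constructed sample made of lines copied from this scan; the regular expressions assume the field layout shown in this log (fields separated by runs of whitespace, a ".text ... * N" line for entries GMER elided), which is an assumption about GMER's output, not a documented format.

```python
import ntpath
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: lines copied from the scan above. Real GMER output separates fields
# with tab-like runs of whitespace, so every pattern below uses \s+ between fields.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\PnkBstrA.exe[1452]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  0000000073771a22 2 bytes [77, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1452]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\kernel32.dll!CreateFileW  0000000076a13f3c 5 bytes JMP 000000016bfb75f0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\USER32.dll!SetWindowPos  0000000076548e4e 5 bytes JMP 000000016bfb6ad0
.text  C:\Program Files (x86)\Origin\Origin.exe[920]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  C:\Users\Simon\AppData\Roaming\Spotify\spotify.exe[2248]  C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint  000000007744000c 1 byte [C3]
.text  C:\Users\Simon\AppData\Roaming\Spotify\spotify.exe[2248]  C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin  00000000774cf85a 5 bytes JMP 000000017747d571
.text  C:\Users\Simon\AppData\Roaming\Spotify\spotify.exe[2248]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076521465 2 bytes [52, 76]
.text  ...  * 2

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE[USER32.dll!MoveWindow] [7fefc331a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[2724] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowPos] [7fefc331c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
"""

# ".text <process>[pid] <module>!<func>[ + off] <addr> <n> byte(s) <JMP dest | [bytes]>"
TEXT_RE = re.compile(
    r'^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+(?P<module>.+?)!(?P<func>\S+)'
    r'(?:\s\+\s(?P<offset>\d+))?\s+(?P<addr>[0-9a-fA-F]{8,16})\s+\d+\s+bytes?\s+(?P<patch>.+?)\s*$')
# "IAT <process>[pid] @ <importer>[<module>!<func>] [<slot value>] <module the slot points into>"
IAT_RE = re.compile(
    r'^IAT\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+@\s+(?P<importer>.+?)\[(?P<module>[^\]!]+)!(?P<func>[^\]]+)\]'
    r'\s+\[(?P<addr>[0-9a-fA-F]+)\]\s+(?P<hooker>.+?)\s*$')
ELIDED_RE = re.compile(r'^\.text\s+\.\.\.\s+\*\s+(?P<n>\d+)$')


@dataclass(frozen=True)
class Hook:
    kind: str      # 'inline-jmp', 'byte-patch', 'iat' or 'other'
    pid: int
    process: str   # full path of the hooked process
    module: str    # module exporting the hooked function
    func: str
    offset: int    # bytes into the function for mid-function patches, else 0
    addr: str      # patched address, or the IAT slot contents
    detail: str    # JMP destination, the written bytes, or the module an IAT slot points into


def _classify_patch(patch: str) -> Tuple[str, str]:
    if patch.startswith('JMP '):
        return 'inline-jmp', patch.split()[1]
    m = re.fullmatch(r'\[((?:[0-9A-Fa-f]{2})(?:, [0-9A-Fa-f]{2})*)\]', patch)
    if m:
        return 'byte-patch', m.group(1)
    return 'other', patch


def parse_gmer(text: str) -> Tuple[List[Hook], int]:
    """Return the parsed hooks and the number of entries GMER elided with '.text ... * N'."""
    hooks, elided = [], 0
    for line in text.splitlines():
        line = line.strip()
        m = TEXT_RE.match(line)
        if m:
            kind, detail = _classify_patch(m['patch'])
            proc = m['proc'][:m['proc'].rfind('[')]
            hooks.append(Hook(kind, int(m['pid']), proc, m['module'], m['func'],
                              int(m['offset']) if m['offset'] else 0, m['addr'], detail))
            continue
        m = IAT_RE.match(line)
        if m:
            proc = m['proc'][:m['proc'].rfind('[')]
            hooks.append(Hook('iat', int(m['pid']), proc, m['module'], m['func'], 0, m['addr'], m['hooker']))
            continue
        m = ELIDED_RE.match(line)
        if m:
            elided += int(m['n'])
    return hooks, elided


def summarize(hooks: List[Hook]) -> dict:
    per_process = defaultdict(Counter)
    for h in hooks:
        per_process[(h.pid, ntpath.basename(h.process))][h.kind] += 1
    # The same bytes at the same module!func+offset in several processes points to one
    # system-wide agent; list those apart so they do not bury the process-specific hooks.
    sites = defaultdict(set)
    for h in hooks:
        if h.kind == 'byte-patch':
            sites[(ntpath.basename(h.module).lower(), h.func, h.offset, h.detail)].add(h.pid)
    shared = {site: sorted(pids) for site, pids in sites.items() if len(pids) > 1}
    iat_hookers = Counter(ntpath.basename(h.detail) for h in hooks if h.kind == 'iat')
    return {'per_process': dict(per_process), 'shared_patches': shared, 'iat_hookers': dict(iat_hookers)}


if __name__ == '__main__':
    found, skipped = parse_gmer(SAMPLE_LOG)
    for key, value in summarize(found).items():
        print(key, value)
    print('elided entries:', skipped)
```

On the sample the shared-patch bucket collects the PSAPI.DLL!GetModuleInformation+69 write from all three processes, Origin.exe and spotify.exe keep their own 5-byte JMPs, and both IAT slots roll up to iDskDllPatch64.dll. That grouping is the starting point, not the verdict: the next step for each hooking module is to check its file signature and publisher and, for a JMP destination, which loaded module owns that address.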