GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-05-03 13:13:47
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000033 ST500LM000-1EJ162 rev.LVD1 465,76GB
Running: jhnmqgsg.exe; Driver: C:\Users\Boogu\AppData\Local\Temp\kwddrpow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2568] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3096] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files\Intel Corporation\Intel WiDi\BrcmSetSecurity.exe[3128] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\WINDOWS\system32\svchost.exe[3480] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3836] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3948] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4296] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\WINDOWS\system32\SearchIndexer.exe[4824] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5080] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[5432] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\WINDOWS\System32\WinLogon.exe[5252] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\WINDOWS\System32\dwm.exe[2208] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\WINDOWS\system32\taskhostex.exe[6676] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\WINDOWS\Explorer.EXE[6296] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\WINDOWS\system32\igfxEM.exe[6772] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\WINDOWS\system32\igfxHK.exe[6740] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files\Elantech\ETDCtrl.exe[8032] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[4128] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3676] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files\Elantech\ETDIntelligent.exe[4552] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3244] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Windows\RTFTrack.exe[8100] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Windows\System32\rundll32.exe[5968] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[6004] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[6040] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5728] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270
.text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6164] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe65d3ef70 5 bytes JMP 00007fff5acd1270

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [7908:7352] fffff960008472d0

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Mobile Partner\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [2828](2014-10-26 16:56:04) 000000006fbc0000
Library C:\ProgramData\Mobile Partner\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [2828](2014-10-26 16:56:04) 000000006e940000
Library C:\ProgramData\Mobile Partner\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [2828](2014-10-26 16:56:04) 000000006a1c0000
Library C:\ProgramData\Mobile Partner\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [2828](2014-10-26 16:56:04) 000000006ff00000
Library C:\ProgramData\Mobile Partner\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [2828](2014-10-26 16:56:04) 000000006efc0000
Library C:\ProgramData\Mobile Partner\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [2828](2014-10-26 16:56:04) 000000006ed40000
Library C:\Users\My\AppData\Local\CloudStation\iconoverlay_v7\IconOverlayDLLs_x64\iconOverlay.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [6296] (TODO: /TODO: )(2014-06-11 14:08:26) 00000000123f0000
Library C:\Users\My\AppData\Local\CloudStation\iconoverlay_v7\IconOverlayDLLs_x64\ContextMenu.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [6296](2014-06-11 14:08:52) 00000000212b0000
Process C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (FILE NOT FOUND) 0000000000400000
Library c:\users\my\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpxlpipz.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328](2015-05-03 10:34:19) 0000000005310000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:24) 0000000069220000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (ICU I18N DLL/The ICU Project)(2015-03-04 21:45:30) 000000004a900000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (ICU Common DLL/The ICU Project)(2015-03-04 21:45:30) 0000000005ac0000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (ICU Data DLL/The ICU Project)(2015-03-04 21:45:30) 000000004ad00000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:28) 0000000068950000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000068660000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328](2015-03-04 21:45:30) 00000000685a0000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 00000000683c0000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 00000000673d0000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 00000000671b0000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000066f50000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 000000006d2c0000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328](2015-03-04 21:45:30) 000000006c420000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:28) 0000000066f20000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000066ee0000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 00000000661c0000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328](2015-03-04 21:45:30) 0000000065ed0000
Library C:\Users\My\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\My\AppData\Roaming\Dropbox\bin\Dropbox.exe [4328](2015-03-04 21:45:30) 0000000065e90000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----