GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-18 18:43:05
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HITACHI_HTS727550A9E364 rev.JF3ZD0H0 465,76GB
Running: 9ouiomfr.exe; Driver: C:\Users\T7267~1.SWA\AppData\Local\Temp\pxdyypog.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  00000000762a8781 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  0000000077541401 2 bytes JMP 762cb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  0000000077541419 2 bytes JMP 762cb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  0000000077541431 2 bytes JMP 76348fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  000000007754144a 2 bytes CALL 762a489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  00000000775414dd 2 bytes JMP 763488c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000775414f5 2 bytes JMP 76348aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  000000007754150d 2 bytes JMP 763487ba C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  0000000077541525 2 bytes JMP 76348b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  000000007754153d 2 bytes JMP 762bfca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  0000000077541555 2 bytes JMP 762c68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  000000007754156d 2 bytes JMP 76349089 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  0000000077541585 2 bytes JMP 76348bea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  000000007754159d 2 bytes JMP 7634877e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  00000000775415b5 2 bytes JMP 762bfd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  00000000775415cd 2 bytes JMP 762cb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000775416b2 2 bytes JMP 76348f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000775416bd 2 bytes JMP 76348713 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17  0000000077541401 2 bytes JMP 762cb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17  0000000077541419 2 bytes JMP 762cb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17  0000000077541431 2 bytes JMP 76348fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42  000000007754144a 2 bytes CALL 762a489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17  00000000775414dd 2 bytes JMP 763488c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17  00000000775414f5 2 bytes JMP 76348aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17  000000007754150d 2 bytes JMP 763487ba C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17  0000000077541525 2 bytes JMP 76348b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17  000000007754153d 2 bytes JMP 762bfca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17  0000000077541555 2 bytes JMP 762c68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17  000000007754156d 2 bytes JMP 76349089 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17  0000000077541585 2 bytes JMP 76348bea C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17  000000007754159d 2 bytes JMP 7634877e C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17  00000000775415b5 2 bytes JMP 762bfd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17  00000000775415cd 2 bytes JMP 762cb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20  00000000775416b2 2 bytes JMP 76348f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31  00000000775416bd 2 bytes JMP 76348713 C:\Windows\syswow64\kernel32.dll

---- Processes - GMER 2.1 ----

Library C:\Users\T.SWACZYNA\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [3120] (GG drive menu/GG Network S.A.)(2015-06-03 12:10:57) 000000005ff80000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\PYTHON27.DLL (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (Python Core/Python Software Foundation)(2015-10-01 06:25:40) 000000001e000000
Library c:\users\t7267~1.swa\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpextd63.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792](2015-11-18 07:41:54) 00000000635c0000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 00000000631d0000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\icuin55.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (ICU I18N DLL/The ICU Project)(2015-07-31 13:45:49) 000000004a900000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\icuuc55.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (ICU Common DLL/The ICU Project)(2015-07-31 13:45:49) 0000000006300000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\icudt55.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (ICU Data DLL/The ICU Project)(2015-07-31 13:45:49) 0000000061910000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 0000000061450000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 0000000061010000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 0000000060e70000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 000000005fe50000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 000000005fc00000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 000000005f990000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5WebChannel.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-31 13:45:49) 00000000702a0000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 000000005f960000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 000000005f920000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 000000005f8d0000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 000000005f880000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 000000005f790000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\plugins\imageformats\qgif.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-10-01 06:25:40) 000000006b9c0000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 000000005f750000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\QtQuick.2\qtquick2plugin.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792](2015-07-16 19:37:40) 0000000074da0000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\QtQuick\Controls\qtquickcontrolsplugin.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792](2015-07-16 19:37:38) 0000000073e20000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\QtQuick\Layouts\qquicklayoutsplugin.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792](2015-07-31 13:45:50) 0000000074d80000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\QtQuick\Window.2\windowplugin.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792](2015-07-16 19:37:40) 0000000074d70000

---- EOF - GMER 2.1 ----
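Added example, not part of the posted log and not GMER's own code: a small Python triage script for the two sections of this log that usually generate the questions, the ".text" entries under "User code sections" and the "Library ... (*** suspicious ***)" entries under "Processes". It parses the line formats visible above and applies three rules of its own. First, a 2-byte JMP or CALL whose source is a function in the WOW64 copy of psapi.dll and whose target lies in kernel32.dll is reported as "expected"; treating that as the normal psapi-to-kernel32 forwarding of 32-bit processes on this Windows 7 x64 build rather than an injected hook is this script's assumption, not something the log states. Second, the four bytes `C2 04 00 00` written over SetUnhandledExceptionFilter decode to the x86 instruction `ret 4`, so that entry is reported for review as a stubbed-out API (the log shows the patch inside ESET's own ekrn.exe; the script does not decide who wrote it). Third, flagged libraries are grouped by host process and marked when they load from a user-writable directory, a heuristic chosen here for the analyst's convenience. The sample input is constructed from a handful of lines copied from the log above so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log above (an inline patch,
# two psapi->kernel32 transfers, the "* 9" elision marker, three Library
# entries) so the parser runs offline. A full log is handled the same way.
SAMPLE_LOG = r"""GMER 2.1.19357 - http://www.gmer.net
---- User code sections - GMER 2.1 ----
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  00000000762a8781 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  0000000077541401 2 bytes JMP 762cb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[1212]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  000000007754144a 2 bytes CALL 762a489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe[4792]  C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17  0000000077541555 2 bytes JMP 762c68ef C:\Windows\syswow64\kernel32.dll
---- Processes - GMER 2.1 ----
Library C:\Users\T.SWACZYNA\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [3120] (GG drive menu/GG Network S.A.)(2015-06-03 12:10:57) 000000005ff80000
Library C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-07-16 19:37:38) 00000000631d0000
Library c:\users\t7267~1.swa\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpextd63.dll (*** suspicious ***) @ C:\Users\T.SWACZYNA\AppData\Roaming\Dropbox\bin\Dropbox.exe [4792](2015-11-18 07:41:54) 00000000635c0000
---- EOF - GMER 2.1 ----
"""

# Line shapes as they appear in the GMER 2.1 text output.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\.exe)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?:\s+\+\s+(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-f]{16})\s+(?P<n>\d+) bytes\s+(?P<rest>.+)$", re.IGNORECASE)
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s*(?P<count>\d+)$")
XFER_RE = re.compile(r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-f]+)\s+(?P<tmod>\S+)$", re.IGNORECASE)
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-F, ]+)\]$")
LIB_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
    r"(?P<host>.+?)\s+\[(?P<pid>\d+)\]\s*(?P<desc>.*?)\s*"
    r"\((?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\)\s+(?P<base>[0-9a-f]{16})$", re.IGNORECASE)

# Heuristic only: directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_hook(m):
    rest = m.group("rest").strip()
    h = {"process": m.group("proc"), "pid": int(m.group("pid")), "module": m.group("module"),
         "function": m.group("func"), "offset": int(m.group("off") or 0),
         "address": int(m.group("addr"), 16), "size": int(m.group("n")),
         "kind": None, "target": None, "target_module": None, "bytes": None}
    x = XFER_RE.match(rest)
    b = BYTES_RE.match(rest)
    if x:  # control transfer out of the patched function
        h.update(kind=x.group("kind").upper(), target=int(x.group("target"), 16), target_module=x.group("tmod"))
    elif b:  # raw bytes GMER found in place of the original prologue
        h["bytes"] = [t.strip() for t in b.group("bytes").split(",")]
    return h


def parse_lib(m):
    desc = m.group("desc").strip()
    if desc.startswith("(") and desc.endswith(")"):
        desc = desc[1:-1]
    path = m.group("path")
    return {"path": path, "host": m.group("host"), "pid": int(m.group("pid")), "description": desc,
            "timestamp": m.group("ts"), "base": int(m.group("base"), 16),
            "user_writable_dir": any(tag in path.lower() for tag in USER_WRITABLE)}


def classify_hook(h):
    """Verdict for one .text entry; the policy is this example's, not GMER's."""
    if h["kind"]:
        src, dst = h["module"].lower(), h["target_module"].lower()
        if (h["size"] == 2 and src.endswith("\\psapi.dll") and "\\syswow64\\" in src
                and dst.endswith("\\kernel32.dll")):
            # Assumption: WOW64 psapi.dll stubs forwarding into kernel32.dll on Win7 x64.
            return "expected", "2-byte %s from WOW64 psapi.dll into kernel32.dll (assumed normal forwarding)" % h["kind"]
        return "review", "%s out of %s into %s" % (h["kind"], h["module"], h["target_module"])
    if h["bytes"] == ["C2", "04", "00", "00"]:  # x86: ret imm16 with imm16 = 4
        return "review", "function body replaced by 'ret 4' (C2 04 00 00): API stubbed out in this process"
    return "review", "inline patch, bytes %s" % h["bytes"]


def triage(text):
    report = {"expected": [], "review": [], "elided": 0, "libraries": defaultdict(list)}
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            h = parse_hook(m)
            verdict, why = classify_hook(h)
            report[verdict].append((h["process"], h["function"], why))
            continue
        m = ELIDED_RE.match(line)
        if m:  # GMER prints "...  * N" for N further entries of the same kind
            report["elided"] += int(m.group("count"))
            continue
        m = LIB_RE.match(line)
        if m:
            lib = parse_lib(m)
            report["libraries"][lib["host"]].append(lib)
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for verdict in ("expected", "review"):
        for proc, func, why in rep[verdict]:
            print("%-8s %s!%s: %s" % (verdict, proc.rsplit("\\", 1)[-1], func, why))
    print("elided similar entries:", rep["elided"])
    for host, libs in rep["libraries"].items():
        print(host.rsplit("\\", 1)[-1], "loads", len(libs), "flagged libraries,",
              sum(l["user_writable_dir"] for l in libs), "from user-writable directories")
```

Run it against a saved GMER log by replacing SAMPLE_LOG with the file contents. The "expected" bucket is only as good as its rule: any JMP or CALL that leaves a system DLL for a module outside the Windows directory, or a psapi entry whose target is not kernel32.dll, lands in "review" and is worth chasing. For the Library entries the script deliberately stops at grouping and path classification; whether a DLL under AppData is legitimate is settled by checking its signature and hash, not by the log alone.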