GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-01-29 13:02:17
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-7 ST500DM002-1BD142 rev.KC44 465,76GB
Running: 9c9xu2p6.exe; Driver: C:\Users\Seba\AppData\Local\Temp\uwldypow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff80002ff6000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575  fffff80002ff602f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\services.exe[700]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Windows\System32\svchost.exe[252]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[508]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1180]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1476]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1596]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1732]  C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112  00000000760ca2ba 1 byte [62]
.text  C:\Windows\SysWOW64\svchost.exe[1792]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000760ca2ba 1 byte [62]
.text  C:\Windows\system32\svchost.exe[2044]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Windows\Explorer.EXE[3104]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[3688]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000760ca2ba 1 byte [62]
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000760ca2ba 1 byte [62]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3388]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Windows\system32\SearchIndexer.exe[1344]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3576]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000760ca2ba 1 byte [62]
.text  C:\Program Files\Adobe\Adobe Photoshop CS5.1 (64 Bit)\Photoshop.exe[3368]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[4648]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000760ca2ba 1 byte [62]
.text  C:\Windows\system32\taskmgr.exe[6632]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Users\Seba\Downloads\FRST64.exe[7076]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Users\Seba\Downloads\OTL.exe[6756]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000760ca2ba 1 byte [62]
.text  C:\Users\Seba\Downloads\OTL.exe[6756]  C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69  00000000761f1465 2 bytes [1F, 76]
.text  C:\Users\Seba\Downloads\OTL.exe[6756]  C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155  00000000761f14bb 2 bytes [1F, 76]
.text  ...  * 2
.text  C:\Windows\notepad.exe[3288]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Windows\notepad.exe[5992]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f4eecd 1 byte [62]
.text  C:\Users\Seba\Downloads\9c9xu2p6.exe[2748]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000760ca2ba 1 byte [62]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\svchost.exe [824:3420]  000007fefa662154
Thread  C:\Windows\System32\svchost.exe [252:5792]  000007feef9b6b8c
Thread  C:\Windows\System32\svchost.exe [252:2800]  000007feef9b1d88
Thread  C:\Windows\System32\svchost.exe [320:2644]  000007fef75220c0
Thread  C:\Windows\System32\svchost.exe [320:2648]  000007fef75226a8
Thread  C:\Windows\System32\svchost.exe [320:2684]  000007fef74f14a0
Thread  C:\Windows\System32\svchost.exe [320:2688]  000007fef75229dc
Thread  C:\Windows\System32\svchost.exe [320:2900]  000007fef6f3a2b0
Thread  C:\Windows\System32\svchost.exe [320:2392]  000007fef34f3efc
Thread  C:\Windows\System32\svchost.exe [320:2508]  000007fef3678a4c
Thread  C:\Windows\system32\svchost.exe [376:5228]  000007fef375d3c8
Thread  C:\Windows\system32\svchost.exe [376:5232]  000007fef375d3c8
Thread  C:\Windows\system32\svchost.exe [376:5236]  000007fef375d3c8
Thread  C:\Windows\system32\svchost.exe [376:5240]  000007fef375d3c8
Thread  C:\Windows\system32\svchost.exe [1180:1220]  000007fefb68341c
Thread  C:\Windows\system32\svchost.exe [1180:1228]  000007fefb683a2c
Thread  C:\Windows\system32\svchost.exe [1180:1232]  000007fefb683768
Thread  C:\Windows\system32\svchost.exe [1180:1236]  000007fefb685c20
Thread  C:\Windows\system32\svchost.exe [1180:2244]  000007fef890bd88
Thread  C:\Windows\system32\svchost.exe [1180:2988]  000007fef7b15124
Thread  C:\Windows\system32\svchost.exe [1180:3392]  000007fef6445170
Thread  C:\Windows\system32\svchost.exe [1180:5188]  000007fefb683900
Thread  C:\Windows\System32\spoolsv.exe [1560:2092]  000007fef80110c8
Thread  C:\Windows\System32\spoolsv.exe [1560:2100]  000007fef7fd6144
Thread  C:\Windows\System32\spoolsv.exe [1560:2104]  000007fef7dc5fd0
Thread  C:\Windows\System32\spoolsv.exe [1560:2108]  000007fef7db3438
Thread  C:\Windows\System32\spoolsv.exe [1560:2112]  000007fef7dc63ec
Thread  C:\Windows\System32\spoolsv.exe [1560:2120]  000007fef82f5e5c
Thread  C:\Windows\System32\spoolsv.exe [1560:2124]  000007fef8d15074
Thread  C:\Windows\system32\svchost.exe [1596:1852]  000007fef91e35c0
Thread  C:\Windows\system32\svchost.exe [1596:2632]  000007fef91e5600
Thread  C:\Windows\system32\svchost.exe [1596:2700]  000007fef71e2940
Thread  C:\Windows\system32\svchost.exe [1596:2240]  000007fef66a2888
Thread  C:\Windows\system32\svchost.exe [1596:5400]  000007fef66a2a40
Thread  C:\Windows\System32\svchost.exe [1812:1840]  000007fefe97a808
Thread  C:\Windows\System32\svchost.exe [2020:2036]  000007fefe97a808
Thread  C:\Windows\system32\svchost.exe [2912:2928]  000007fefe97a808
Thread  C:\Windows\System32\WUDFHost.exe [2948:3032]  000007fef6d324a0
Thread  C:\Windows\System32\svchost.exe [5316:548]  000007fef7b19874
Thread  C:\Windows\System32\svchost.exe [5504:3952]  000007feef379688

---- Processes - GMER 2.1 ----

Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576] (Python Core/Python Software Foundation)(2014-01-29 10:36:05)  000000001e000000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:04)  000000001e8c0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  000000001e7a0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:04)  0000000000390000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\_socket.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:04)  0000000000240000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  0000000010000000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:04)  000000001e800000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\_hashlib.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  0000000002710000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wx._core_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:04)  0000000002fc0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wxbase294u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576] (wxWidgets for MSW/wxWidgets development team)(2014-01-29 10:36:05)  00000000030f0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wxbase294u_net_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576] (wxWidgets for MSW/wxWidgets development team)(2014-01-29 10:36:05)  00000000002c0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wxmsw294u_core_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576] (wxWidgets for MSW/wxWidgets development team)(2014-01-29 10:36:05)  00000000032e0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wxmsw294u_adv_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576] (wxWidgets for MSW/wxWidgets development team)(2014-01-29 10:36:05)  0000000003780000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wx._gdi_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  00000000027d0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wx._windows_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  00000000039c0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wxmsw294u_html_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576] (wxWidgets for MSW/wxWidgets development team)(2014-01-29 10:36:05)  0000000003a90000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wx._controls_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  00000000045d0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wx._misc_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:04)  00000000046e0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\_elementtree.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:04)  000000001d100000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\pyexpat.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  0000000001f00000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\pysqlite2._sqlite.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:04)  00000000043b0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\_ctypes.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  000000001d1a0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32file.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  000000001ea10000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32security.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  000000001ec80000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32event.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  000000001e9b0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32inet.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  000000001eaa0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wx._wizard.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:04)  0000000003b30000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\_multiprocessing.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  00000000028a0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wx._html2.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  0000000003b60000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\wxmsw294u_webview_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576] (wxWidgets for MSW/wxWidgets development team)(2014-01-29 10:36:05)  0000000005770000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\select.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  0000000003b90000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\unicodedata.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  00000000057f0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32pdh.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  000000001eb60000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32crypt.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:04)  000000001e980000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32pipe.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  000000001eb90000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32process.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  000000001ebf0000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32profile.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:05)  000000001ec20000
Library  C:\Users\Seba\AppData\Local\Temp\_MEI36562\win32ts.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3576](2014-01-29 10:36:04)  000000001ed40000

---- EOF - GMER 2.1 ----