GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-08 00:57:02
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKX-001CA0 rev.15.01H15 465,76GB
Running: 8xo8e5tm.exe; Driver: C:\Users\admin\AppData\Local\Temp\uwrdakob.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2292] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000754a2ab1 5 bytes JMP 000000010025f63e
.text D:\Programy\AVG\AVG2015\avgnsa.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709dc30 5 bytes JMP 0000000177040128
.text D:\Programy\AVG\AVG2015\avgnsa.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709dd50 5 bytes JMP 0000000177040018
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4692] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbe36590 5 bytes JMP 000007ffef9d1cc0
.text C:\Windows\System32\svchost.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709dc30 5 bytes JMP 0000000177040128
.text C:\Windows\System32\svchost.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709dd50 5 bytes JMP 0000000177040018
.text C:\Windows\System32\svchost.exe[4728] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbe36590 5 bytes JMP 000007ffef9d1cc0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709dc30 5 bytes JMP 0000000077200128
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709dd50 5 bytes JMP 0000000077200018
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2788] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e4db10 1 byte JMP 00000000772000a0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2788] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076e4db12 3 bytes {JMP 0x3b2590}
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2788] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbe36590 5 bytes JMP 000007ffef9d1cc0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709dc30 5 bytes JMP 0000000077200128
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709dd50 5 bytes JMP 0000000077200018
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e4db10 1 byte JMP 00000000772000a0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076e4db12 3 bytes {JMP 0x3b2590}
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4832] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbe36590 5 bytes JMP 000007ffef9d1cc0
.text C:\Windows\system32\conhost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709dc30 5 bytes JMP 0000000077200128
.text C:\Windows\system32\conhost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709dd50 5 bytes JMP 0000000077200018
.text C:\Windows\system32\conhost.exe[936] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e4db10 1 byte JMP 00000000772000a0
.text C:\Windows\system32\conhost.exe[936] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076e4db12 3 bytes {JMP 0x3b2590}
.text C:\Windows\system32\conhost.exe[936] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbe36590 5 bytes JMP 000007ffef9d1cc0
.text C:\Windows\system32\conhost.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709dc30 5 bytes JMP 0000000077200128
.text C:\Windows\system32\conhost.exe[5588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709dd50 5 bytes JMP 0000000077200018
.text C:\Windows\system32\conhost.exe[5588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e4db10 1 byte JMP 00000000772000a0
.text C:\Windows\system32\conhost.exe[5588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076e4db12 3 bytes {JMP 0x3b2590}
.text C:\Windows\system32\conhost.exe[5588] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbe36590 5 bytes JMP 000007ffef9d1cc0
.text C:\Windows\system32\NOTEPAD.EXE[7432] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709dc30 5 bytes JMP 0000000077200128
.text C:\Windows\system32\NOTEPAD.EXE[7432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709dd50 5 bytes JMP 0000000077200018
.text C:\Windows\system32\NOTEPAD.EXE[7432] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e4db10 1 byte JMP 00000000772000a0
.text C:\Windows\system32\NOTEPAD.EXE[7432] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076e4db12 3 bytes {JMP 0x3b2590}
.text C:\Windows\system32\NOTEPAD.EXE[7432] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbe36590 5 bytes JMP 000007ffef9d1cc0
.text C:\Windows\system32\calc.exe[6424] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007709dc30 5 bytes JMP 0000000077200128
.text C:\Windows\system32\calc.exe[6424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007709dd50 5 bytes JMP 0000000077200018
.text C:\Windows\system32\calc.exe[6424] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e4db10 1 byte JMP 00000000772000a0
.text C:\Windows\system32\calc.exe[6424] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076e4db12 3 bytes {JMP 0x3b2590}
.text C:\Windows\system32\calc.exe[6424] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbe36590 5 bytes JMP 000007ffef9d1cc0

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [1168:5540] 000007fef3326b8c
Thread C:\Windows\System32\svchost.exe [1168:5544] 000007fef3321d88
Thread C:\Windows\System32\svchost.exe [1168:6184] 000007fef7595fd0
Thread C:\Windows\system32\svchost.exe [1236:3688] 000007feee6dd3c8
Thread C:\Windows\system32\svchost.exe [1236:3228] 000007feee6dd3c8
Thread C:\Windows\system32\svchost.exe [1236:6816] 000007feee6dd3c8
Thread C:\Windows\system32\svchost.exe [1236:2140] 000007feee6dd3c8
Thread C:\Windows\System32\spoolsv.exe [1804:2032] 000007fef7a510c8
Thread C:\Windows\System32\spoolsv.exe [1804:1036] 000007fef77a6144
Thread C:\Windows\System32\spoolsv.exe [1804:1068] 000007fef7595fd0
Thread C:\Windows\System32\spoolsv.exe [1804:1132] 000007fef7583438
Thread C:\Windows\System32\spoolsv.exe [1804:1256] 000007fef75963ec
Thread C:\Windows\System32\spoolsv.exe [1804:1360] 000007fef8105e5c
Thread C:\Windows\system32\Dwm.exe [2020:2080] 000007fef78bf110
Thread C:\Windows\system32\Dwm.exe [2020:2096] 000007fef6dbabf0
Thread C:\Windows\System32\svchost.exe [2388:2580] 000007fef5fc0360
Thread C:\Windows\System32\svchost.exe [2388:2584] 000007fef5f9e460
Thread C:\Windows\System32\svchost.exe [2388:2588] 000007fef5f9e450
Thread C:\Windows\System32\svchost.exe [2388:2592] 000007fef5f65570
Thread C:\Windows\System32\svchost.exe [2388:2596] 000007fef5f9a130
Thread C:\Windows\System32\svchost.exe [2388:2600] 000007fef5f65560
Thread C:\Windows\System32\svchost.exe [2388:2604] 000007fef5fe82a0
Thread C:\Windows\SysWOW64\ctfmon.exe [3812:3912] 0000000075288cfa
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4692:4248] 000007fefa3b2ae8
Thread C:\Windows\System32\WUDFHost.exe [5116:5188] 000007feed1624a0
Thread C:\Windows\System32\svchost.exe [4728:5988] 000007fef7a85170

---- Processes - GMER 2.1 ----

Library C:\Users\admin\AppData\Local\Temp\_MEI25242\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760] (Python Core/Python Software Foundation)(2015-10-07 11:31:05) 000000001e000000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:06) 000000001e8c0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:03) 000000001e7a0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:06) 0000000002690000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\_socket.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:04) 00000000001d0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:04) 0000000010000000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:06) 000000001e800000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\_hashlib.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:03) 0000000002f10000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wx._core_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:08) 0000000002fe0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wxbase30u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760] (wxWidgets base library/wxWidgets development team)(2015-10-07 11:31:09) 0000000003110000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wxbase30u_net_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760] (wxWidgets network library/wxWidgets development team)(2015-10-07 11:31:09) 00000000002b0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wxmsw30u_core_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760] (wxWidgets core library/wxWidgets development team)(2015-10-07 11:31:09) 0000000003310000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wxmsw30u_adv_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760] (wxWidgets advanced library/wxWidgets development team)(2015-10-07 11:31:09) 00000000037e0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wx._gdi_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:08) 0000000003a20000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wx._windows_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:09) 0000000004530000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wxmsw30u_html_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760] (wxWidgets html library/wxWidgets development team)(2015-10-07 11:31:10) 0000000004600000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wx._controls_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:08) 00000000046a0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wx._misc_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:08) 00000000047b0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\pysqlite2._sqlite.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:05) 0000000004870000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\_ctypes.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:03) 000000001d1a0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\win32file.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:07) 000000001ea10000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\win32security.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:07) 000000001ec80000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\hashobjs_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:04) 0000000000580000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\usb_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:06) 0000000001cd0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\win32gui.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:07) 000000001ea40000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\win32event.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:06) 000000001e9b0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\_elementtree.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:03) 000000001d100000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\pyexpat.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:05) 0000000001f70000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\common.time34.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:04) 0000000001cf0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\_psutil_windows.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:03) 0000000001e40000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\win32inet.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:07) 000000001eaa0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\win32crypt.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:06) 000000001e980000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wx._html2.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:08) 0000000001fa0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wxmsw30u_webview_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760] (wxWidgets webview library/wxWidgets development team)(2015-10-07 11:31:10) 00000000027e0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\_multiprocessing.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:03) 0000000003af0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\_yappi.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:04) 0000000004350000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\win32process.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:07) 000000001ebf0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\unicodedata.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:06) 0000000005a30000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\wx._wizard.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:09) 0000000005ae0000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\win32pipe.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:07) 000000001eb90000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\select.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:06) 0000000004370000
Library C:\Users\admin\AppData\Local\Temp\_MEI25242\win32pdh.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3760](2015-10-07 11:31:07) 000000001eb60000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 68620

---- EOF - GMER 2.1 ----