GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-30 13:58:13
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD5000AAKX-001CA0 rev.15.01H15 465,76GB
Running: mf6smjmo.exe; Driver: C:\Users\Artur\AppData\Local\Temp\kglorpog.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2276] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  00000000751d2097 5 bytes JMP 000000010134fa56
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076671465 2 bytes [67, 76]
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000766714bb 2 bytes [67, 76]
.text  ...  * 2
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!EnableWindow  00000000773ad0f0 9 bytes JMP 0000000100f803e8
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!DialogBoxParamW  00000000773c02d0 10 bytes JMP 0000000100f80228
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamW  00000000773c7540 9 bytes JMP 0000000100f80298
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamA  00000000773e2e40 9 bytes JMP 0000000100f802d0
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!DialogBoxParamA  00000000773e2e90 4 bytes JMP 0000000100f80260
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!DialogBoxParamA + 5  00000000773e2e95 2 bytes [CC, CC]
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!MessageBoxA  0000000077411188 1 byte JMP 0000000100f80110
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!MessageBoxA + 2  000000007741118a 5 bytes {JMP 0xffffffff89b6ef88}
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!MessageBoxW  00000000774111e4 7 bytes JMP 0000000100f800d8
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!MessageBoxExA  0000000077411240 9 bytes JMP 0000000100f80180
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!MessageBoxExW  0000000077411264 9 bytes JMP 0000000100f80148
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!MessageBoxIndirectA  0000000077411538 6 bytes JMP 0000000100f801f0
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!MessageBoxIndirectW  0000000077411744 9 bytes JMP 0000000100f801b8
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect  000007fefe394ec0 9 bytes [68, 78, 03, F8, 00, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheetW  000007fefc7a5c54 7 bytes [68, 08, 03, F8, 00, C3, CC]
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheet  000007fefc7a5c64 9 bytes [68, 40, 03, F8, 00, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\comdlg32.dll!PageSetupDlgW  000007fefe8017a0 9 bytes [68, B0, 03, F8, 00, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_A  00000000776cf548 7 bytes JMP 0000000101200570
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_W  00000000776db0ac 7 bytes JMP 00000001012005a8
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\system32\kernel32.dll!CreateThread  0000000077296580 9 bytes JMP 00000001012004c8
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\system32\ole32.dll!OleLoadFromStream  000007fefe1875f0 7 bytes [68, E0, 05, 20, 01, C3, CC]
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\system32\OLEAUT32.dll!VariantClear  000007fefe331180 10 bytes [68, C0, 06, 20, 01, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\system32\OLEAUT32.dll!SysFreeString  000007fefe331320 7 bytes [68, 50, 06, 20, 01, C3, CC]
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen  000007fefe334450 6 bytes [68, 18, 06, 20, 01, C3]
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\system32\OLEAUT32.dll!VariantChangeType  000007fefe336720 10 bytes [68, 88, 06, 20, 01, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect  000007fefe394ec0 9 bytes [68, 78, 03, 20, 01, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheetW  000007fefc7a5c54 7 bytes [68, 08, 03, 20, 01, C3, CC]
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheet  000007fefc7a5c64 9 bytes [68, 40, 03, 20, 01, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\system32\comdlg32.dll!PageSetupDlgW  000007fefe8017a0 9 bytes [68, B0, 03, 20, 01, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_A  00000000776cf548 7 bytes JMP 0000000103530570
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_W  00000000776db0ac 7 bytes JMP 00000001035305a8
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\system32\kernel32.dll!CreateThread  0000000077296580 9 bytes JMP 00000001035304c8
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\system32\ole32.dll!OleLoadFromStream  000007fefe1875f0 7 bytes [68, E0, 05, 53, 03, C3, CC]
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\system32\OLEAUT32.dll!VariantClear  000007fefe331180 10 bytes [68, C0, 06, 53, 03, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\system32\OLEAUT32.dll!SysFreeString  000007fefe331320 7 bytes [68, 50, 06, 53, 03, C3, CC]
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen  000007fefe334450 6 bytes [68, 18, 06, 53, 03, C3]
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\system32\OLEAUT32.dll!VariantChangeType  000007fefe336720 10 bytes [68, 88, 06, 53, 03, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect  000007fefe394ec0 9 bytes [68, 78, 03, 53, 03, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheetW  000007fefc7a5c54 7 bytes [68, 08, 03, 53, 03, C3, CC]
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheet  000007fefc7a5c64 9 bytes [68, 40, 03, 53, 03, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[5920] C:\Windows\system32\comdlg32.dll!PageSetupDlgW  000007fefe8017a0 9 bytes [68, B0, 03, 53, 03, C3, CC, ...]

---- Processes - GMER 2.1 ----

Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924] (Python Core/Python Software Foundation)(2015-11-30 11:05:29) 000000001e000000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001e8c0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:27) 000000001e7a0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 00000000004c0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\_socket.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000000240000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000010000000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001e800000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\_hashlib.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000002e70000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wx._core_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000002f40000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wxbase30u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924] (wxWidgets base library/wxWidgets development team)(2015-11-30 11:05:29) 0000000003070000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wxbase30u_net_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924] (wxWidgets network library/wxWidgets development team)(2015-11-30 11:05:29) 00000000003d0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wxmsw30u_core_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924] (wxWidgets core library/wxWidgets development team)(2015-11-30 11:05:29) 0000000003270000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wxmsw30u_adv_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924] (wxWidgets advanced library/wxWidgets development team)(2015-11-30 11:05:29) 0000000003740000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wx._gdi_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000003980000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wx._windows_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000004450000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wxmsw30u_html_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924] (wxWidgets html library/wxWidgets development team)(2015-11-30 11:05:29) 00000000026a0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wx._controls_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000004520000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wx._misc_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000004630000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\pysqlite2._sqlite.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 00000000046f0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\_ctypes.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001d1a0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32file.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001ea10000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32security.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001ec80000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\hashobjs_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000001e80000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\thumbnails_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000001e90000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\usb_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000001ea0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32gui.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001ea40000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32event.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001e9b0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\_elementtree.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001d100000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\pyexpat.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000001ec0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\common.time34.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000002740000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\_psutil_windows.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000002750000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32inet.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001eaa0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32crypt.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001e980000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wx._html2.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000005870000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wxmsw30u_webview_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924] (wxWidgets webview library/wxWidgets development team)(2015-11-30 11:05:29) 0000000005890000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\_multiprocessing.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 00000000058b0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\_yappi.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 00000000058c0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32process.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001ebf0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\unicodedata.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000005930000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wx._wizard.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 00000000058d0000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32pipe.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001eb90000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\select.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000005910000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32pdh.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001eb60000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32profile.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001ec20000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\win32ts.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 000000001ed40000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\wx._animate.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000006b80000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f81000830
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f81000830@c88447022c72 0xE7 0x91 0xDE 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f81000830 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f81000830@c88447022c72 0xE7 0x91 0xDE 0xC2 ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Artur\Desktop\AdwCleaner\x00a05.exe 1

---- EOF - GMER 2.1 ----
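Added triage script for a log like the one above. It is not part of the GMER log or of GMER itself; the sample lines inside it are copied from this log (one entry per line, as GMER writes them) and labelled as a constructed sample. It parses the "User code sections" entries, decodes what the patch bytes do (a `JMP` target GMER already resolved, or `68 imm32 C3`, which is `push imm32; ret` and so transfers control to that immediate; the sign-extension of `push imm32` in 64-bit code is an assumption about the hooked 64-bit modules, not something the log states), groups each process's hook targets by 4 KiB page, and tags "Processes" libraries whose path is under `\Temp\_MEI<number>\`, the directory a PyInstaller one-file executable unpacks into at start-up. The page grouping is a heuristic of mine: one process whose hooks all land in one small region is what a single injected module looks like.

```python
"""Triage helper for a GMER 2.1 log: classify 'User code sections' hooks and
flag 'Processes' libraries loaded from a PyInstaller temp directory."""
import re
from collections import defaultdict

# Constructed sample: ten entries copied from the log above, one per line,
# in the layout GMER itself writes (the post had the newlines collapsed).
SAMPLE_LOG = r"""
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!EnableWindow  00000000773ad0f0 9 bytes JMP 0000000100f803e8
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!DialogBoxParamA  00000000773e2e90 4 bytes JMP 0000000100f80260
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!DialogBoxParamA + 5  00000000773e2e95 2 bytes [CC, CC]
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\USER32.dll!MessageBoxA + 2  000000007741118a 5 bytes {JMP 0xffffffff89b6ef88}
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect  000007fefe394ec0 9 bytes [68, 78, 03, F8, 00, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[3896] C:\Windows\system32\comdlg32.dll!PageSetupDlgW  000007fefe8017a0 9 bytes [68, B0, 03, F8, 00, C3, CC, ...]
.text  C:\Program Files\Internet Explorer\iexplore.exe[2168] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect  000007fefe394ec0 9 bytes [68, 78, 03, 20, 01, C3, CC, ...]
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076671465 2 bytes [67, 76]
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924] (Python Core/Python Software Foundation)(2015-11-30 11:05:29) 000000001e000000
Library C:\Users\Artur\AppData\Local\Temp\_MEI23962\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2924](2015-11-30 11:05:29) 0000000010000000
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\.exe)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<func>\w+)(?:\s\+\s(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-f]{16})\s+(?P<n>\d+)\s+bytes?\s+(?P<patch>.+?)\s*$"
)
LIB_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
    r"(?P<proc>.+?\.exe)\s+\[(?P<pid>\d+)\]"
)
MASK64 = (1 << 64) - 1


def classify_patch(patch):
    """Return (kind, target) for the patch column of a .text entry."""
    m = re.fullmatch(r"JMP\s+([0-9a-f]{16})", patch)
    if m:                      # GMER already resolved the jump target
        return "jmp", int(m.group(1), 16)
    m = re.fullmatch(r"\[([0-9A-Fa-f, .]+)\]", patch)
    if not m:                  # e.g. "{JMP 0x...}": keep only the raw text
        return "other", None
    b = [int(t, 16) for t in (x.strip() for x in m.group(1).split(",")) if t and t != "..."]
    # 68 imm32 C3 = push imm32 ; ret -> control goes to imm32. In 64-bit code
    # push imm32 sign-extends (assumed here for these 64-bit modules), so
    # decode the immediate as signed and mask to 64 bits.
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:
        return "push_ret", int.from_bytes(bytes(b[1:5]), "little", signed=True) & MASK64
    if all(x == 0xCC for x in b):   # int3 filler behind a shorter jmp
        return "int3_pad", None
    return "patched_bytes", None


def parse_gmer(text):
    hooks, libs = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            kind, target = classify_patch(m["patch"])
            hooks.append({"pid": int(m["pid"]), "proc": m["proc"].rsplit("\\", 1)[-1],
                          "module": m["module"].rsplit("\\", 1)[-1], "func": m["func"],
                          "off": int(m["off"] or 0), "addr": int(m["addr"], 16),
                          "kind": kind, "target": target, "raw": m["patch"]})
            continue
        m = LIB_RE.match(line)
        if m:
            # PyInstaller one-file binaries unpack their bundled DLL/.pyd files
            # into %TEMP%\_MEI<number> at start-up; GMER flags anything loaded
            # from Temp, so this explains the location, not the file contents.
            libs.append({"pid": int(m["pid"]), "path": m["path"],
                         "pyinstaller_temp": bool(re.search(r"\\Temp\\_MEI\d+\\", m["path"]))})
    return hooks, libs


def summarize(hooks):
    """pid -> hook kinds seen and the 4 KiB pages their targets fall in.
    Every target of a process landing in one small region is what a single
    injected module looks like; an outlier target is the one to chase."""
    out = {}
    for h in hooks:
        s = out.setdefault(h["pid"], {"proc": h["proc"], "kinds": defaultdict(int), "pages": set()})
        s["kinds"][h["kind"]] += 1
        if h["target"] is not None:
            s["pages"].add(h["target"] & ~0xFFF)
    return out


if __name__ == "__main__":
    hooks, libs = parse_gmer(SAMPLE_LOG)
    for pid, s in sorted(summarize(hooks).items()):
        pages = ", ".join(f"0x{p:x}" for p in sorted(s["pages"]))
        print(f"{s['proc']}[{pid}] hooks={dict(s['kinds'])} target pages: {pages}")
    for lib in libs:
        tag = "PyInstaller _MEI temp dir" if lib["pyinstaller_temp"] else "check origin"
        print(f"[{lib['pid']}] {lib['path']}  -> {tag}")
```

Two things worth checking against the full log rather than trusting the script: for every iexplore.exe instance the targets GMER prints for the `JMP` entries (0x100f8xxxx for pid 3896, 0x1012xxxxx for 2168, 0x10353xxxx for 5920) and the immediates decoded from the `push imm32; ret` entries (0x00f8xxxx, 0x0120xxxx, 0x0353xxxx) differ by exactly 2^32, so the script reports two pages per process; which of the two is the real address of the injected code is a question for a debugger attached to the process, where the owning module of the target can be read off, not for the log. And the `*** suspicious ***` tag is purely location based: the `_MEI` path explains why GMER flagged the Google Drive libraries, but confirming they are the vendor's files still means checking the signature of googledrivesync.exe and the hashes of the unpacked files.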