GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-11 21:15:42
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 M4-CT128M4SSD1 rev.040H 119,24GB
Running: clwesmgn.exe; Driver: C:\Users\MERLIN~1\AppData\Local\Temp\pxldrpob.sys

---- Threads - GMER 2.1 ----

Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3872]  0000000077912e65
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3900]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3912]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3916]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3928]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3932]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3944]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3948]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3956]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3960]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3968]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:3972]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4004]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4008]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4032]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4036]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4040]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4044]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4052]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:1488]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:2368]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4100]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4692]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4700]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4712]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4716]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4720]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4724]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4728]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:4532]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:5328]  0000000077913e85
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:5440]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:5796]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:5800]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:5804]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:5808]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:5836]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:5840]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:5900]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:8984]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:8992]  00000000646d29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3744:5884]  0000000077913e85
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [3380:8000]  000007fefb842a7c
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [3380:8004]  000007fedc714830
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [3380:5780]  000007fedc699d90
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [3380:5776]  000007fedc714830

---- Processes - GMER 2.1 ----

Library  C:\Users\Merlin-hs\AppData\Roaming\Copy\overlay\CopyShExt.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1912] (Copy Shell Extensions/Barracuda Networks, Inc.)(2014-01-16 18:52:07)  000007fef85f0000
Library  C:\Users\Merlin-hs\AppData\Roaming\Copy\overlay\Brt.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1912](2014-01-16 18:52:07)  000007fef4de0000
Library  C:\Users\Merlin-hs\AppData\Roaming\Copy\Gui.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Copy\CopyAgent.exe [2104](2014-01-02 14:45:18)  000007fef0a80000
Library  C:\Users\Merlin-hs\AppData\Roaming\Copy\Brt.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Copy\CopyAgent.exe [2104](2014-01-02 15:02:22)  000007feeee00000
Library  C:\Users\Merlin-hs\AppData\Roaming\Copy\QtCore4.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Copy\CopyAgent.exe [2104] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2013-08-05 22:47:16)  0000000068200000
Library  C:\Users\Merlin-hs\AppData\Roaming\Copy\QtGui4.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Copy\CopyAgent.exe [2104] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2013-08-05 22:47:16)  0000000067820000
Library  C:\Users\Merlin-hs\AppData\Roaming\Copy\AgentSync.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Copy\CopyAgent.exe [2104](2014-01-02 14:47:28)  000007feec430000
Library  C:\Users\Merlin-hs\AppData\Roaming\Copy\CloudSync.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Copy\CopyAgent.exe [2104](2014-01-02 14:45:24)  000007feebf10000
Library  C:\Users\Merlin-hs\AppData\Roaming\Copy\imageformats\qjpeg4.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Copy\CopyAgent.exe [2104] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2013-08-05 22:47:50)  000007fee3ac0000
Library  C:\Users\MERLIN~1\AppData\Local\Temp\_MEI26602\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3808] (Python Core/Python Software Foundation)(2014-08-11 14:01:53)  000000001e000000
Library  C:\Users\MERLIN~1\AppData\Local\Temp\_MEI26602\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3808](2014-08-11 14:01:53)  000000001e8c0000
Library  C:\Users\MERLIN~1\AppData\Local\Temp\_MEI26602\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3808](2014-08-11 14:01:53)  000000001e7a0000
Library  C:\Users\MERLIN~1\AppData\Local\Temp\_MEI26602\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3808](2014-08-11 14:01:53)  0000000001ca0000
Library  C:\Users\MERLIN~1\AppData\Local\Temp\_MEI26602\_socket.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3808](2014-08-11 14:01:53)  00000000001d0000
Library  C:\Users\MERLIN~1\AppData\Local\Temp\_MEI26602\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3808](2014-08-11 14:01:53)  0000000010000000
Library  C:\Users\MERLIN~1\AppData\Local\Temp\_MEI26602\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3808](2014-08-11 14:01:53)  000000001e800000
Library  C:\Users\MERLIN~1\AppData\Local\Temp\_MEI26602\_hashlib.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3808](2014-08-11 14:01:53)  0000000002eb0000
Library  C:\Users\MERLIN~1\AppData\Local\Temp\_MEI26602\wx._core_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3808](2014-08-11 14:01:53)  0000000002f70000
Library  C:\Users\MERLIN~1\AppData\Local\Temp\_MEI26602\wxbase294u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3808] (wxWidgets for MSW/wxWidgets development team)(2014-08-11 14:01:53)  00000000030a0000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [4208]  000000006fbc0000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [4208](2014-04-24 13:18:34)  000000006e940000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [4208](2  000000006a1c0000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [4208](2014-04-24 13:18:34)  000000006ff00000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [4208](2014-04-24 13:18:34)  000000006efc0000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [4208](201  000000006ed40000
Library  C:\Users\Merlin-hs\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Dropbox\bin\Dropbox.exe [4396](2014-07-21 20:53:38)  0000000003f60000
Library  c:\users\merlin~1\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpxeukvr.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Dropbox\bin\Dropbox.exe [4396](2014-08-11 14:02:00)  0000000005600000
Library  C:\Users\Merlin-hs\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Dropbox\bin\Dropbox.exe [4396](2013-10-18 23:55:02)  0000000056740000
Library  C:\Users\Merlin-hs\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Dropbox\bin\Dropbox.exe [4396] (ICU Data DLL/The ICU Project)(2013-10-18 23:55:00)  00000000551a0000
Library  C:\Users\Merlin-hs\AppData\Roaming\Copy\overlay\CopyShExt.dll (*** suspicious ***) @ C:\Windows\explorer.exe [9336] (Copy Shell Extensions/Barracuda Networks, Inc.)(2014-01-16 18:52:07)  000007fef85f0000
Library  C:\Users\Merlin-hs\AppData\Roaming\Copy\overlay\Brt.dll (*** suspicious ***) @ C:\Windows\explorer.exe [9336](2014-01-16 18:52:07)  000007fef4de0000

---- EOF - GMER 2.1 ----
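Every module GMER tagged "(*** suspicious ***)" in the log above is loaded from a user-writable location: a per-user AppData directory (Copy, Dropbox), a %TEMP%\_MEI<digits> directory (the folder a PyInstaller one-file executable unpacks into, here under googledrivesync.exe), or C:\ProgramData (the PLAY ONLINE updater). The tag itself says nothing about signatures or install legitimacy, so the useful first pass on such a log is to pull the Library lines apart, group them by host process and mark the paths that an ordinary user could have written to. The script below is an added example of that triage, not GMER's code and not part of the original post; the sample lines are copied from the log above (two of them keep the cut-off "(2" / "(201" fields so the parser has to cope with them), and the location categories and flag names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the "Processes" entries from the GMER log above,
# plus a section header and one Thread line to show that non-Library lines are skipped.
SAMPLE_LOG = "\n".join([
    r"---- Processes - GMER 2.1 ----",
    r"Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3380:8000] 000007fefb842a7c",
    r"Library C:\Users\Merlin-hs\AppData\Roaming\Copy\overlay\CopyShExt.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1912] (Copy Shell Extensions/Barracuda Networks, Inc.)(2014-01-16 18:52:07) 000007fef85f0000",
    r"Library C:\Users\Merlin-hs\AppData\Roaming\Copy\overlay\Brt.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1912](2014-01-16 18:52:07) 000007fef4de0000",
    r"Library C:\Users\Merlin-hs\AppData\Roaming\Copy\QtCore4.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Copy\CopyAgent.exe [2104] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2013-08-05 22:47:16) 0000000068200000",
    r"Library C:\Users\MERLIN~1\AppData\Local\Temp\_MEI26602\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [3808] (Python Core/Python Software Foundation)(2014-08-11 14:01:53) 000000001e000000",
    r"Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [4208] 000000006fbc0000",
    r"Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [4208](2 000000006a1c0000",
    r"Library c:\users\merlin~1\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpxeukvr.dll (*** suspicious ***) @ C:\Users\Merlin-hs\AppData\Roaming\Dropbox\bin\Dropbox.exe [4396](2014-08-11 14:02:00) 0000000005600000",
])

# Library <module> (*** suspicious ***) @ <host> [<pid>] [(<desc>/<vendor>)][(<timestamp>)] <base>
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<module>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
    r"(?P<host>.+?)\s+\[(?P<pid>\d+)\]\s*(?P<rest>.*?)\s*(?P<base>[0-9a-fA-F]{16})$"
)
TIMESTAMP_RE = re.compile(r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)")
# _MEI<digits> under %TEMP% is where PyInstaller one-file executables unpack their DLLs/.pyd files.
PYINSTALLER_RE = re.compile(r"\\_mei\d+\\")
USER_WRITABLE = {"temp", "user-profile", "programdata"}


@dataclass
class LoadedModule:
    module: str
    host: str
    pid: int
    base: str
    description: Optional[str]
    vendor: Optional[str]
    timestamp: Optional[str]
    truncated: bool  # the version/timestamp field was cut off in the log line

    @property
    def host_name(self) -> str:
        return self.host.rsplit("\\", 1)[-1]

    @property
    def location(self) -> str:
        # My own categories; "temp" is tested first because %TEMP% lives under AppData.
        p = self.module.lower()
        if "\\temp\\" in p:
            return "temp"
        if "\\appdata\\" in p:
            return "user-profile"
        if p.startswith("c:\\programdata\\"):
            return "programdata"
        if p.startswith("c:\\windows\\") or p.startswith("c:\\program files"):
            return "system"
        return "other"


def parse_library_line(line: str) -> Optional[LoadedModule]:
    m = LIBRARY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    ts = TIMESTAMP_RE.search(rest)
    remaining = TIMESTAMP_RE.sub("", rest, count=1).strip()
    description = vendor = None
    truncated = False
    inner = re.fullmatch(r"\((.*)\)", remaining)
    if inner:
        # GMER prints "<file description>/<company>"; split on the first slash only,
        # because company strings can contain one ("and/or").
        description, _, vendor = inner.group(1).partition("/")
        vendor = vendor or None
    elif remaining:
        truncated = True  # e.g. the "(2" left over from a cut-off line
    return LoadedModule(m.group("module"), m.group("host"), int(m.group("pid")),
                        m.group("base").lower(), description, vendor,
                        ts.group(1) if ts else None, truncated)


def triage_flags(rec: LoadedModule) -> list:
    flags = []
    if rec.location in USER_WRITABLE:
        flags.append("user-writable-path")
    if PYINSTALLER_RE.search(rec.module.lower()):
        flags.append("pyinstaller-onefile")
    if rec.host_name.lower() == "explorer.exe":
        # A per-user DLL inside the shell is normally a registered shell extension:
        # check its registration and its signature before clearing it.
        flags.append("loaded-in-explorer")
    if rec.truncated:
        flags.append("truncated-entry")
    elif rec.description is None:
        flags.append("no-version-info")
    return flags


def parse_gmer_libraries(text: str) -> list:
    return [r for r in (parse_library_line(l) for l in text.splitlines()) if r]


def summarize_by_host(records) -> dict:
    """(host basename, pid) -> [(module basename, flags), ...]"""
    by_host = defaultdict(list)
    for rec in records:
        by_host[(rec.host_name, rec.pid)].append((rec.module.rsplit("\\", 1)[-1], triage_flags(rec)))
    return dict(by_host)


if __name__ == "__main__":
    for (host, pid), mods in sorted(summarize_by_host(parse_gmer_libraries(SAMPLE_LOG)).items()):
        print(f"{host} [{pid}]")
        for name, flags in mods:
            print(f"  {name:<28} {', '.join(flags)}")
```

Run it on a full GMER report by passing the file's text to parse_gmer_libraries. The flags only narrow the list; the decision for each module still rests on its Authenticode signature and on whether the owning product (Copy, Dropbox, Google Drive, the PLAY ONLINE updater) is actually installed on the machine, neither of which a GMER line records.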