GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-17 09:51:18
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\00000069 ST2000DM rev.CC27 1863,02GB
Running: ux682y7l.exe; Driver: C:\Users\ppp\AppData\Local\Temp\uxriqpow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033ad000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800033ad02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\svchost.exe [788:3512] 000007fef8242154
Thread C:\Windows\System32\svchost.exe [992:452] 000007fefc7df2c0
Thread C:\Windows\System32\svchost.exe [992:804] 000007fefc6b6204
Thread C:\Windows\System32\svchost.exe [992:1104] 000007fefc292070
Thread C:\Windows\System32\svchost.exe [992:1116] 000007fefc195428
Thread C:\Windows\System32\svchost.exe [992:2280] 000007fef49f6b8c
Thread C:\Windows\System32\svchost.exe [992:4916] 000007fef49f1d88
Thread C:\Windows\System32\svchost.exe [992:3716] 000007fefdc120b0
Thread C:\Windows\System32\svchost.exe [992:1420] 000007fefc193118
Thread C:\Windows\system32\svchost.exe [312:3652] 000007fef5b60ea8
Thread C:\Windows\system32\svchost.exe [312:3656] 000007fef5b59db0
Thread C:\Windows\system32\svchost.exe [312:3908] 000007fef5b5aa10
Thread C:\Windows\system32\svchost.exe [312:3940] 000007fef5b61c94
Thread C:\Windows\system32\svchost.exe [492:1212] 000007fefb411a50
Thread C:\Windows\system32\svchost.exe [492:3464] 000007fef73a506c
Thread C:\Windows\system32\svchost.exe [492:3472] 000007fef5a31c20
Thread C:\Windows\system32\svchost.exe [492:3476] 000007fef5a31c20
Thread C:\Windows\system32\svchost.exe [492:5020] 000007fef66e5124
Thread C:\Windows\system32\svchost.exe [492:5468] 000007fef5864164
Thread C:\Windows\system32\svchost.exe [492:5548] 000007fef60617f8
Thread C:\Windows\system32\svchost.exe [492:4204] 000007fef5801ab0
Thread C:\Windows\system32\svchost.exe [1108:1148] 000007fefc16341c
Thread C:\Windows\system32\svchost.exe [1108:1156] 000007fefc163a2c
Thread C:\Windows\system32\svchost.exe [1108:1160] 000007fefc163768
Thread C:\Windows\system32\svchost.exe [1108:1164] 000007fefc165c20
Thread C:\Windows\system32\svchost.exe [1108:1772] 000007fefc163900
Thread C:\Windows\system32\svchost.exe [1108:2688] 000007fef67cbd88
Thread C:\Windows\system32\svchost.exe [1108:3480] 000007fef9d25170
Thread C:\Windows\system32\svchost.exe [1108:440] 000007fef4470098
Thread C:\Windows\system32\svchost.exe [1108:3104] 000007fef66e5124
Thread C:\Windows\System32\spoolsv.exe [1232:2024] 000007fef85b10c8
Thread C:\Windows\System32\spoolsv.exe [1232:2032] 000007fef8576144
Thread C:\Windows\System32\spoolsv.exe [1232:2036] 000007fef8365fd0
Thread C:\Windows\System32\spoolsv.exe [1232:2040] 000007fef8353438
Thread C:\Windows\System32\spoolsv.exe [1232:2044] 000007fef83663ec
Thread C:\Windows\System32\spoolsv.exe [1232:1040] 000007fef96c5e5c
Thread C:\Windows\System32\spoolsv.exe [1232:1068] 000007fefa9b81b4
Thread C:\Windows\System32\spoolsv.exe [1232:1080] 000007fefa945074
Thread C:\Windows\system32\svchost.exe [1280:1396] 000007fefacd2c70
Thread C:\Windows\system32\svchost.exe [1280:1436] 000007fefacdfb40
Thread C:\Windows\system32\svchost.exe [1280:1452] 000007fefacf1d20
Thread C:\Windows\system32\svchost.exe [1280:1456] 000007fefacdf6f0
Thread C:\Windows\system32\svchost.exe [1280:1956] 000007fef7cc35c0
Thread C:\Windows\system32\svchost.exe [1280:3676] 000007fef7cc5600
Thread C:\Windows\system32\svchost.exe [1280:4064] 000007fef5722940
Thread C:\Windows\system32\svchost.exe [1280:4080] 000007fef4d42888
Thread C:\Windows\system32\svchost.exe [1280:4108] 000007fef4d42a40
Thread C:\Windows\system32\taskhost.exe [1624:1880] 000007fef96e1010
Thread C:\Windows\system32\taskhost.exe [1624:4588] 000007fef9d25170
Thread C:\Windows\Explorer.EXE [1780:1840] 000007fefdf9c608
Thread C:\Windows\Explorer.EXE [1780:1852] 000007fefdf9c608
Thread C:\Windows\Explorer.EXE [1780:1400] 000007fef8242154
Thread C:\Windows\Explorer.EXE [1780:2120] 000007fefdf9c608
Thread C:\Windows\Explorer.EXE [1780:2152] 000007fefdf9c608
Thread C:\Windows\Explorer.EXE [1780:2228] 000007fefc6b6204
Thread C:\Windows\Explorer.EXE [1780:2292] 000007fefdf9c608
Thread C:\Windows\Explorer.EXE [1780:2296] 000007fefdf9c608
Thread C:\Windows\Explorer.EXE [1780:2300] 000007fefe0e0168
Thread C:\Windows\Explorer.EXE [1780:2308] 000007fefdf9c608
Thread C:\Windows\Explorer.EXE [1780:2320] 000007fefdf9c608
Thread C:\Windows\Explorer.EXE [1780:2336] 000007fefdf9c608
Thread C:\Windows\Explorer.EXE [1780:2428] 000007fef68b2118
Thread C:\Windows\Explorer.EXE [1780:4484] 000007fef96e1010
Thread C:\Windows\Explorer.EXE [1780:2548] 000007fefdf9c608
Thread C:\Windows\system32\svchost.exe [3980:3996] 000007fefdf7a808
Thread C:\Windows\system32\svchost.exe [3980:4036] 000007fef5736e5c
Thread C:\Windows\system32\svchost.exe [3980:4040] 000007fef5735708
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:4580] 00000000709017a4
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:4620] 00000000630cc660
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:4628] 0000000062bdfad0
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:4796] 000000006259e008
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:4848] 000000006b64483d
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:4852] 000000006b64483d
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:4856] 000000006b64483d
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:5056] 00000000619aaadf
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:5060] 00000000619964c2
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:3076] 00000000619964c2
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:4360] 00000000619964c2
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:4532] 0000000062bdfad0
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:3636] 0000000062bdfad0
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:3664] 0000000062bdfad0
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:4740] 000000006240d140
Thread C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [4308:5380] 0000000071dc62ee
Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [4672:4680] 0000000077e42e65
Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [4672:4756] 00000000649a8f48
Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [4672:4788] 0000000077e43e85
Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [4672:4844] 0000000077e43e85
Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [4672:5108] 0000000077e43e85
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4176] 00000000012f7140
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4276] 00000000012f7140
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4936] 00000000012f7140
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4840] 00000000012f7140
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:3120] 00000000002d8890
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:3888] 000000000140f3b0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4768] 000000000140f3b0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4896] 000000000140f3b0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4772] 000000000140f3b0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4136] 000000000140f3b0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4380] 000000000b6f86b0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4876] 000000000b6f86b0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4456] 000000000b6f86b0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:896] 000000000b6f86b0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4048] 000000000b6f86b0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4912] 000000000b6e56c0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:2128] 0000000001403790
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:2272] 0000000001403d70
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:3732] 0000000001403740
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4816] 0000000058d83d04
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:1636] 0000000058d83d04
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4888] 00000000012f11d0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:3396] 00000000012f11d0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:2480] 00000000012f11d0
Thread C:\Program Files (x86)\Pro Surveillance System\PSSProject.exe [5076:4208] 00000000012f11d0

---- Processes - GMER 2.1 ----

Library C:\Users\ppp\AppData\Local\Temp\_MEI10842\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2112] (Python Core/Python Software Foundation)(2014-12-17 06:00:35) 000000001e000000
Library C:\Users\ppp\AppData\Local\Temp\_MEI10842\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2112](2014-12-17 06:00:35) 000000001e8c0000
Library C:\Users\ppp\AppData\Local\Temp\_MEI10842\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2112](2014-12-17 06:00:35) 000000001e7a0000
Library C:\Users\ppp\AppData\Local\Temp\_MEI10842\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2112](2014-12-17 06:00:35) 00000000006e0000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158305498e
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158305498e (not active ControlSet)

---- EOF - GMER 2.1 ----
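Added example, not part of the poster's log and not GMER's own code: a small Python parser for the record shapes that appear in the log above (section headers, kernel code-section lines, Thread, Library and Reg lines), plus a triage pass that summarises threads per process and annotates the flagged libraries and registry keys. The sample input is a handful of lines copied from the log. Two heuristics are assumptions, stated again in the code: PyInstaller one-file executables unpack their bundled runtime into %TEMP%\_MEI<digits>\, which is why a Python runtime DLL can legitimately sit under Temp for a PyInstaller-built host such as googledrivesync.exe; and BTHPORT\Parameters\Keys\<adapter MAC> is where Windows stores Bluetooth link keys. Neither is a verdict on this machine; they tell the analyst what to verify next.

```python
"""Parse a GMER 2.1 rootkit-scan log and triage its entries.

Added example for this page; the regexes follow the line shapes visible
in the log above. GMER emits other record types (hooks, files, disk
sectors, ...) which this parser leaves as 'unparsed' rather than guess at.
"""
import re
from collections import Counter, defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
THREAD_RE = re.compile(
    r"^Thread\s+(?P<image>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<addr>[0-9a-f]{16})\s*$")
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+(?P<flag>\(\*\*\* suspicious \*\*\*\)\s+)?@\s+"
    r"(?P<host>.+?)\s+\[(?P<pid>\d+)\]\s*"
    r"(?:\((?P<vendor>[^)]*)\))?\s*\((?P<stamp>[^)]*)\)\s+(?P<addr>[0-9a-f]{16})\s*$")
KERNEL_RE = re.compile(
    r"^(?P<sect>[A-Z]+)\s+(?P<module>\S+?)!(?P<symbol>\S+)\s+\+\s+(?P<off>\d+)\s+"
    r"(?P<addr>[0-9a-f]{16})\s+(?P<size>\d+) bytes\s+\[(?P<bytes>[^\]]*)\]")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)(?:\s+\((?P<note>[^)]*)\))?\s*$")

# Assumption: PyInstaller one-file builds extract into %TEMP%\_MEI<digits>\.
PYINSTALLER_DIR_RE = re.compile(r"\\Temp\\_MEI\d+\\", re.IGNORECASE)
# Assumption: Bluetooth link keys live under BTHPORT\Parameters\Keys\<adapter MAC>.
BT_KEYS_RE = re.compile(r"\\services\\BTHPORT\\Parameters\\Keys\\[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample: a few lines copied from the log above.
SAMPLE_LOG = r"""
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-17 09:51:18

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff800033ad000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- Threads - GMER 2.1 ----

Thread    C:\Windows\System32\spoolsv.exe [1232:2024]  000007fef85b10c8
Thread    C:\Windows\Explorer.EXE [1780:1840]  000007fefdf9c608
Thread    C:\Windows\Explorer.EXE [1780:1852]  000007fefdf9c608
Thread    C:\Windows\Explorer.EXE [1780:2300]  000007fefe0e0168

---- Processes - GMER 2.1 ----

Library   C:\Users\ppp\AppData\Local\Temp\_MEI10842\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2112] (Python Core/Python Software Foundation)(2014-12-17 06:00:35)  000000001e000000
Library   C:\Users\ppp\AppData\Local\Temp\_MEI10842\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2112](2014-12-17 06:00:35)  000000001e8c0000

---- Registry - GMER 2.1 ----

Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158305498e
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158305498e (not active ControlSet)

---- EOF - GMER 2.1 ----
"""


def parse_gmer(text):
    """Return a list of dict records; each carries 'kind' and the GMER section it came from."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        for kind, rx in (("thread", THREAD_RE), ("library", LIBRARY_RE),
                         ("kernel", KERNEL_RE), ("reg", REG_RE)):
            m = rx.match(line)
            if m:
                rec = {"kind": kind, "section": section, **m.groupdict()}
                if kind == "library":
                    rec["suspicious"] = rec.pop("flag") is not None
                records.append(rec)
                break
        else:
            records.append({"kind": "unparsed", "section": section, "line": line})
    return records


def thread_summary(records):
    """Per PID: image, thread count, and start addresses shared by more than one thread.
    Many threads starting at one address is the normal shape of a thread-pool worker;
    a start address that maps to no loaded module is what would merit a closer look."""
    by_pid = defaultdict(lambda: {"image": None, "threads": 0, "addrs": Counter()})
    for r in records:
        if r["kind"] != "thread":
            continue
        p = by_pid[int(r["pid"])]
        p["image"] = r["image"]
        p["threads"] += 1
        p["addrs"][r["addr"]] += 1
    return {pid: {"image": p["image"], "threads": p["threads"],
                  "shared_starts": {a: n for a, n in p["addrs"].items() if n > 1}}
            for pid, p in by_pid.items()}


def triage(records):
    """Attach an analyst note to flagged libraries and to registry hits."""
    findings = []
    for r in records:
        if r["kind"] == "library" and r["suspicious"]:
            note = "library loaded from a user-writable temp path; identify what dropped it"
            if PYINSTALLER_DIR_RE.search(r["path"]):
                note = ("PyInstaller _MEI extraction dir (assumption); expected for a "
                        "PyInstaller-built host, so verify the host's Authenticode signature")
            findings.append({"kind": "library", "pid": int(r["pid"]), "host": r["host"],
                             "path": r["path"], "note": note})
        elif r["kind"] == "reg":
            note = "registry key reported by GMER; review manually"
            if BT_KEYS_RE.search(r["key"]):
                note = "Bluetooth link-key store keyed by adapter MAC (assumption); benign with a BT adapter"
            if r.get("note"):
                note += " (%s)" % r["note"]
            findings.append({"kind": "reg", "key": r["key"], "note": note})
    return findings


if __name__ == "__main__":
    recs = parse_gmer(SAMPLE_LOG)
    for pid, info in sorted(thread_summary(recs).items()):
        print("PID %d %s: %d threads, shared starts %s" % (pid, info["image"], info["threads"], info["shared_starts"]))
    for f in triage(recs):
        print(f)
```

On the log above every `(*** suspicious ***)` entry is a Python 2.7 runtime component under `_MEI10842` hosted by googledrivesync.exe, so the triage pass labels all four with the PyInstaller note; the check that closes the question is the host binary's signature (for instance `Get-AuthenticodeSignature` in PowerShell), not the temp path alone.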