GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-24 00:02:44
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD75 rev.01.0 698,64GB
Running: xu91p35u.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys


---- Threads - GMER 2.1 ----

Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4960:1672] 0000000076817587
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4960:2172] 000000006cc18aa6
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4960:3096] 00000000775f2e65
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4960:3112] 00000000775f3e85
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4960:5612] 00000000775f3e85
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4960:2764] 00000000775f3e85

---- Processes - GMER 2.1 ----

Library C:\Users\user\AppData\Local\Temp\_MEI32322\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368] (Python Core/Python Software Foundation)(2015-02-23 17:26:07) 000000001e000000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 000000001e8c0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 000000001e7a0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 00000000004a0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\_socket.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 0000000000320000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 0000000010000000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 000000001e800000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\_hashlib.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 0000000002b40000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wx._core_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 0000000002c00000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wxbase294u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368] (wxWidgets for MSW/wxWidgets development team)(2015-02-23 17:26:07) 0000000002d30000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wxbase294u_net_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368] (wxWidgets for MSW/wxWidgets development team)(2015-02-23 17:26:07) 0000000000510000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wxmsw294u_core_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368] (wxWidgets for MSW/wxWidgets development team)(2015-02-23 17:26:07) 0000000002f20000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wxmsw294u_adv_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368] (wxWidgets for MSW/wxWidgets development team)(2015-02-23 17:26:07) 00000000033c0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wx._gdi_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 0000000003600000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wx._windows_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 0000000003f60000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wxmsw294u_html_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368] (wxWidgets for MSW/wxWidgets development team)(2015-02-23 17:26:08) 0000000004030000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wx._controls_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 0000000004260000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wx._misc_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 0000000004370000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\pysqlite2._sqlite.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 0000000001f80000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\_elementtree.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 000000001d100000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\pyexpat.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 00000000005a0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\_ctypes.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 000000001d1a0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32file.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 000000001ea10000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32security.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 000000001ec80000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\hashobjs_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 00000000005e0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32gui.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 000000001ea40000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32event.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 000000001e9b0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32inet.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 000000001eaa0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32crypt.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 000000001e980000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wx._html2.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 00000000005f0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wxmsw294u_webview_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368] (wxWidgets for MSW/wxWidgets development team)(2015-02-23 17:26:07) 00000000036e0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\_multiprocessing.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 0000000003700000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32process.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:25:57) 000000001ebf0000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\unicodedata.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 0000000005510000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wx._wizard.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 0000000003710000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32pipe.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 000000001eb90000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32pdh.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 000000001eb60000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\select.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 0000000005650000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32profile.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 000000001ec20000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32ts.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 000000001ed40000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wx._animate.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 0000000005660000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ec55f9e81f50
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\68-7f-74-cb-6c-e9@TeredoAddress 2001:0:5ef5:79fd:2467:f66a:d111:8309
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 8891
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 26638
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA8 0x24 0x1A 0x73 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ec55f9e81f50 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA8 0x24 0x1A 0x73 ...

---- Files - GMER 2.1 ----

File C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1560-0 0 bytes
File C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1560-0\System.dll 12862976 bytes executable

---- EOF - GMER 2.1 ----
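Every "*** suspicious ***" library in the Processes section above is loaded into the same process (googledrivesync.exe, PID 368) from the same directory, C:\Users\user\AppData\Local\Temp\_MEI32322. GMER flags these because a module loaded from %TEMP% is a classic injection indicator, but the _MEI<digits> naming is the run-time extraction directory PyInstaller uses for a one-file bundle, and the python27.dll, win32*.pyd and wx* modules in it are the runtime such a bundle carries. The triage question is therefore not "is a DLL in Temp" but "which host process loaded what, from where". The parser below is an added example and not part of GMER or of the scan log; it reads GMER 2.1 "Library" lines, groups them by host process and directory, and marks groups whose directory matches PyInstaller's naming and that include a python<NN>.dll runtime. The sample input embeds four lines copied from the log above plus one constructed control line (a library in explorer.exe that does not fit the pattern) to show the grouping separating the two cases.

```python
"""Triage GMER 2.1 'Library ... (*** suspicious ***)' entries by host process and directory.

Added example, not GMER code and not part of the original scan log.
"""
import ntpath
import re
from collections import defaultdict

# One GMER 2.1 Processes-section line:
#   Library <path> (*** suspicious ***) @ <host exe> [<pid>] [(<vendor>)](<timestamp>) <base>
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
    r"(?P<host>.+?)\s+\[(?P<pid>\d+)\]\s*"
    r"(?:\((?P<vendor>[^)]*)\))?"
    r"\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)\s+"
    r"(?P<base>[0-9A-Fa-f]{16})\s*$"
)

# PyInstaller one-file bundles unpack into %TEMP%\_MEI<digits>\ at start-up.
PYINSTALLER_DIR_RE = re.compile(r"\\_MEI\d+$", re.IGNORECASE)
PYTHON_RUNTIME_RE = re.compile(r"^python\d+\.dll$", re.IGNORECASE)


def parse_library_entries(log_text):
    """Return one dict per 'Library ... (*** suspicious ***)' line; all other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LIBRARY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["pid"] = int(e["pid"])
        e["base"] = int(e["base"], 16)
        e["directory"] = ntpath.dirname(e["path"])   # ntpath: Windows separators on any host
        e["file"] = ntpath.basename(e["path"])
        entries.append(e)
    return entries


def triage(entries):
    """Group by (host, pid, directory); flag groups that look like a PyInstaller bundle."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["host"], e["pid"], e["directory"])].append(e)
    report = []
    for (host, pid, directory), items in sorted(groups.items()):
        files = sorted(e["file"] for e in items)
        report.append({
            "host": host,
            "pid": pid,
            "directory": directory,
            "count": len(files),
            "files": files,
            "pyinstaller_dir": bool(PYINSTALLER_DIR_RE.search(directory)),
            "has_python_runtime": any(PYTHON_RUNTIME_RE.match(f) for f in files),
        })
    return report


# Constructed sample: four lines copied from the scan log, then one constructed control
# line (explorer.exe loading a lone DLL from Temp) that is NOT from the log.
SAMPLE_LOG = r"""
---- Processes - GMER 2.1 ----
Library C:\Users\user\AppData\Local\Temp\_MEI32322\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368] (Python Core/Python Software Foundation)(2015-02-23 17:26:07) 000000001e000000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:07) 0000000010000000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\wxbase294u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368] (wxWidgets for MSW/wxWidgets development team)(2015-02-23 17:26:07) 0000000002d30000
Library C:\Users\user\AppData\Local\Temp\_MEI32322\win32crypt.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [368](2015-02-23 17:26:06) 000000001e980000
Library C:\Users\user\AppData\Local\Temp\example.dll (*** suspicious ***) @ C:\Windows\explorer.exe [1234](2015-02-23 17:30:00) 0000000010000000
"""


if __name__ == "__main__":
    for g in triage(parse_library_entries(SAMPLE_LOG)):
        tag = "pyinstaller bundle" if g["pyinstaller_dir"] and g["has_python_runtime"] else "REVIEW"
        print(f'{g["host"]} [{g["pid"]}]  {g["directory"]}  {g["count"]} module(s)  -> {tag}')
```

The grouping is triage, not a verdict: a group that matches the PyInstaller pattern still needs the host binary's Authenticode signature and the bundle's hash checked against the vendor's release before it is closed, and a lone module loaded from Temp into a system process (the constructed control line) is the case that warrants a memory dump.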