GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-27 11:57:44
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\0000002d SAMSUNG_SSD_830_Series rev.CXM03B1Q 119,24GB
Running: z05tluip.exe; Driver: C:\Users\Grabnet\AppData\Local\Temp\ufdyapog.sys

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [588:628]  fffff960008a12d0

---- Processes - GMER 2.1 ----

Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096] (Python Core/Python Software Foundation)(2015-03-27 10:23:53)  000000001e000000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001e8c0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001e7a0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  0000000001c20000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\_socket.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  00000000003c0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  0000000010000000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001e800000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\_hashlib.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  0000000002b70000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wx._core_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  0000000002f10000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wxbase294u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096] (wxWidgets for MSW/wxWidgets development team)(2015-03-27 10:23:53)  0000000003040000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wxbase294u_net_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096] (wxWidgets for MSW/wxWidgets development team)(2015-03-27 10:23:54)  0000000000630000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wxmsw294u_core_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096] (wxWidgets for MSW/wxWidgets development team)(2015-03-27 10:23:54)  0000000003230000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wxmsw294u_adv_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096] (wxWidgets for MSW/wxWidgets development team)(2015-03-27 10:23:54)  00000000036d0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wx._gdi_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  0000000003810000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wx._windows_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  00000000040e0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wxmsw294u_html_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096] (wxWidgets for MSW/wxWidgets development team)(2015-03-27 10:23:54)  0000000001ce0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wx._controls_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  00000000043d0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wx._misc_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  00000000044e0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\pysqlite2._sqlite.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  00000000041b0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\_elementtree.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001d100000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\pyexpat.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  0000000001ea0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\_ctypes.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001d1a0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32file.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001ea10000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32security.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001ec80000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\hashobjs_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  0000000001ee0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32gui.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001ea40000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32event.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001e9b0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32inet.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001eaa0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32crypt.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001e980000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wx._html2.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  0000000002730000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wxmsw294u_webview_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096] (wxWidgets for MSW/wxWidgets development team)(2015-03-27 10:23:54)  0000000005570000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\_multiprocessing.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  0000000005590000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32process.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:52)  000000001ebf0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\unicodedata.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  00000000055a0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wx._wizard.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  0000000005650000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32pipe.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001eb90000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32pdh.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001eb60000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\select.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  00000000056a0000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32profile.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001ec20000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\win32ts.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  000000001ed40000
Library  C:\Users\Grabnet\AppData\Local\Temp\_MEI43722\wx._animate.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5096](2015-03-27 10:23:53)  00000000056b0000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xE3 0xA5 0x42 0x7C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0x3D 0xEA 0x42 0x7C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0xA0 0x9C 0x0A 0xFF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0xA0 0x9C 0x0A 0xFF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  78
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\DELF017F525M15B0LTL_14_07DB_B1^804B34FC2841D788EEA41D4B818D7AD3@Timestamp  0x64 0xB6 0x43 0x7D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  664
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  3900056
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -935164581
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  80
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  438617534
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  6754
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime  5814
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  6497213e-5ff0-4ac0-a18f-427ec17
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter  2
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger@FileCounter  10
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{ba42fe63-979d-445d-96c6-3e013ba2a561}@LastProbeTime  1427455165
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  3361
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  566
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  79
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB1C86C1-8221-45B5-B38E-267287657044}@LeaseObtainedTime  1427451561
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB1C86C1-8221-45B5-B38E-267287657044}@T1  1427451861
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB1C86C1-8221-45B5-B38E-267287657044}@T2  1427452086
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB1C86C1-8221-45B5-B38E-267287657044}@LeaseTerminatesTime  1427452161
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter  476
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\iexplore@Count  96
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Count  991
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Blocked  178
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore@Count  9
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore@Blocked  9
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore@Count  125
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore@Blocked  125
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@Count  9
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@Blocked  9
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh  0x51 0x6E 0x14 0xB1 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList@BannedAppsLastModified  0x80 0xFF 0xAC 0xBF ...

---- EOF - GMER 2.1 ----