GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-02 22:13:42
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f TOSHIBA_MQ01ABD100 rev.AX0A4M 931.51GB
Running: u02xly2g.exe; Driver: C:\Users\Barbara\AppData\Local\Temp\fxliyfoc.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable       fffff960001c1900 15 bytes [00, 57, F4, 01, 40, 8F, 6E, ...]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 16  fffff960001c1910 11 bytes [00, 41, FC, FF, 00, 79, C7, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\System32\spoolsv.exe[1456] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffe38e1169a 4 bytes [E1, 38, FE, 7F]
.text  C:\Windows\System32\spoolsv.exe[1456] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffe38e116a2 4 bytes [E1, 38, FE, 7F]
.text  C:\Windows\System32\spoolsv.exe[1456] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118     00007ffe38e1181a 4 bytes [E1, 38, FE, 7F]
.text  C:\Windows\System32\spoolsv.exe[1456] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142     00007ffe38e11832 4 bytes [E1, 38, FE, 7F]
.text  C:\Windows\system32\mfevtps.exe[2620] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506  00007ffe38e1169a 4 bytes [E1, 38, FE, 7F]
.text  C:\Windows\system32\mfevtps.exe[2620] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514  00007ffe38e116a2 4 bytes [E1, 38, FE, 7F]
.text  C:\Windows\system32\mfevtps.exe[2620] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118     00007ffe38e1181a 4 bytes [E1, 38, FE, 7F]
.text  C:\Windows\system32\mfevtps.exe[2620] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142     00007ffe38e11832 4 bytes [E1, 38, FE, 7F]
.text  C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[3408] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffe38e1169a 4 bytes [E1, 38, FE, 7F]
.text  C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[3408] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffe38e116a2 4 bytes [E1, 38, FE, 7F]
.text  C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[3408] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118     00007ffe38e1181a 4 bytes [E1, 38, FE, 7F]
.text  C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[3408] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142     00007ffe38e11832 4 bytes [E1, 38, FE, 7F]
.text  C:\Windows\System32\igfxpers.exe[6240] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffe38e1169a 4 bytes [E1, 38, FE, 7F]
.text  C:\Windows\System32\igfxpers.exe[6240] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffe38e116a2 4 bytes [E1, 38, FE, 7F]
.text  C:\Windows\System32\igfxpers.exe[6240] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118     00007ffe38e1181a 4 bytes [E1, 38, FE, 7F]
.text  C:\Windows\System32\igfxpers.exe[6240] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142     00007ffe38e11832 4 bytes [E1, 38, FE, 7F]
.text  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[5344] C:\Program Files (x86)\Microsoft Office\Office14\XLCall32.dll!Excel4 + 13      0000000057fa1088 2 bytes [FA, 57]
.text  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[5344] C:\Program Files (x86)\Microsoft Office\Office14\XLCall32.dll!Excel4v + 8      0000000057fa1137 2 bytes [FA, 57]
.text  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[5344] C:\Program Files (x86)\Microsoft Office\Office14\XLCall32.dll!LPenHelper + 8   0000000057fa116f 2 bytes [FA, 57]
.text  C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE[5952] C:\Program Files (x86)\Microsoft Office\Office14\BCSProxy32.dll!ReleaseMutex + 215  0000000067722338 4 bytes [33, 1D, D1, 15]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [6932:5460]  fffff96000968b90

---- Processes - GMER 2.1 ----

Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448] (Python Core/Python Software Foundation)(2015-06-02 17:08:11)  000000001e000000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  000000001e8c0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:10)  000000001e7a0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  0000000000210000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\_socket.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  0000000001be0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:10)  0000000010000000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  000000001e800000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\_hashlib.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  0000000001e30000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wx._core_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  0000000002be0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wxbase294u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448] (wxWidgets for MSW/wxWidgets development team)(2015-06-02 17:08:11)  0000000002d10000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wxbase294u_net_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448] (wxWidgets for MSW/wxWidgets development team)(2015-06-02 17:08:15)  0000000001c50000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wxmsw294u_core_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448] (wxWidgets for MSW/wxWidgets development team)(2015-06-02 17:08:11)  0000000002f00000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wxmsw294u_adv_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448] (wxWidgets for MSW/wxWidgets development team)(2015-06-02 17:08:11)  00000000033a0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wx._gdi_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:10)  00000000034e0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wx._windows_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  0000000003db0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wxmsw294u_html_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448] (wxWidgets for MSW/wxWidgets development team)(2015-06-02 17:08:17)  0000000003e80000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wx._controls_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  0000000004140000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wx._misc_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  0000000004250000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\pysqlite2._sqlite.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  0000000004310000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\_elementtree.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  000000001d100000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\pyexpat.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  0000000003f20000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\_ctypes.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  000000001d1a0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32file.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  000000001ea10000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32security.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  000000001ec80000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\hashobjs_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:10)  0000000001d10000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32gui.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  000000001ea40000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32event.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  000000001e9b0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32inet.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  000000001eaa0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32crypt.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  000000001e980000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wx._html2.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  0000000003f50000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wxmsw294u_webview_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448] (wxWidgets for MSW/wxWidgets development team)(2015-06-02 17:08:15)  0000000003f70000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\_multiprocessing.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:10)  0000000003f90000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\_yappi.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  0000000003fa0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32process.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:10)  000000001ebf0000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\unicodedata.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  0000000005390000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wx._wizard.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  0000000005440000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32pipe.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  000000001eb90000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\select.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  0000000005480000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32pdh.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  000000001eb60000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32profile.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:09)  000000001ec20000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\win32ts.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  000000001ed40000
Library  C:\Users\Barbara\AppData\Local\Temp\_MEI31002\wx._animate.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4448](2015-06-02 17:08:08)  00000000054a0000

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----