GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-17 13:55:49
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500418AS rev.CC37 465,76GB
Running: gol7hzhw.exe; Driver: C:\Users\ww\AppData\Local\Temp\pxldapoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 694 fffff800021a2086 11 bytes [EC, 10, 50, 9C, 6A, 10, 48, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 706 fffff800021a2092 4 bytes [00, 50, B8, BC]
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000114e00 7 bytes [C0, 7C, F3, FF, 01, 8C, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 9 fffff96000114e09 2 bytes [06, 02]

---- User code sections - GMER 2.1 ----

.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077841401 2 bytes JMP 7623b273 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077841419 2 bytes JMP 7623b39e C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077841431 2 bytes JMP 762b9079 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007784144a 2 bytes CALL 762148cd C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000778414dd 2 bytes JMP 762b8972 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000778414f5 2 bytes JMP 762b8b48 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007784150d 2 bytes JMP 762b8868 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077841525 2 bytes JMP 762b8c32 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007784153d 2 bytes JMP 7622fd00 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077841555 2 bytes JMP 76236949 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007784156d 2 bytes JMP 762b9131 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077841585 2 bytes JMP 762b8c92 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007784159d 2 bytes JMP 762b882c C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000778415b5 2 bytes JMP 7622fd99 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000778415cd 2 bytes JMP 7623b334 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000778416b2 2 bytes JMP 762b8ff4 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\SWinManProS\ProtectWindowsManager.exe[1196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000778416bd 2 bytes JMP 762b87c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000762187b1 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000077841401 2 bytes JMP 7623b273 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000077841419 2 bytes JMP 7623b39e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000077841431 2 bytes JMP 762b9079 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007784144a 2 bytes CALL 762148cd C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000778414dd 2 bytes JMP 762b8972 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000778414f5 2 bytes JMP 762b8b48 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007784150d 2 bytes JMP 762b8868 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000077841525 2 bytes JMP 762b8c32 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007784153d 2 bytes JMP 7622fd00 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000077841555 2 bytes JMP 76236949 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007784156d 2 bytes JMP 762b9131 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000077841585 2 bytes JMP 762b8c92 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007784159d 2 bytes JMP 762b882c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000778415b5 2 bytes JMP 7622fd99 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000778415cd 2 bytes JMP 7623b334 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000778416b2 2 bytes JMP 762b8ff4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2080] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000778416bd 2 bytes JMP 762b87c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077841401 2 bytes JMP 7623b273 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077841419 2 bytes JMP 7623b39e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077841431 2 bytes JMP 762b9079 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007784144a 2 bytes CALL 762148cd C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000778414dd 2 bytes JMP 762b8972 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000778414f5 2 bytes JMP 762b8b48 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007784150d 2 bytes JMP 762b8868 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077841525 2 bytes JMP 762b8c32 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007784153d 2 bytes JMP 7622fd00 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077841555 2 bytes JMP 76236949 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007784156d 2 bytes JMP 762b9131 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077841585 2 bytes JMP 762b8c92 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007784159d 2 bytes JMP 762b882c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000778415b5 2 bytes JMP 7622fd99 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000778415cd 2 bytes JMP 7623b334 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000778416b2 2 bytes JMP 762b8ff4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000778416bd 2 bytes JMP 762b87c1 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [2348:188] 000007fee9749688

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1972] (GG drive overlay/GG Network S.A.)(2015-07-17 08:51:34) 000000005c080000
Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Program Files\ESET\ESET Smart Security\egui.exe [2224] (GG drive overlay/GG Network S.A.)(2015-07-17 08:51:34) 000000005c080000
Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Program Files\Opera x64\opera.exe [1864] (GG drive overlay/GG Network S.A.)( 000000005c080000

---- EOF - GMER 2.1 ----