GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-16 20:42:10 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZEX-08M2NA0 rev.01.01A01 931,51GB Running: v238z5wr.exe; Driver: C:\Users\MIKOAJ~1\AppData\Local\Temp\uwliypog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 0000000077e5f8e0 5 bytes JMP 000000010051c520 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077e5f918 5 bytes JMP 000000010051ba10 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077e5f9d0 5 bytes JMP 000000010051c27c .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject 0000000077e5f9e8 5 bytes JMP 000000010051bae4 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationFile 0000000077e5fa00 5 bytes JMP 000000010051c468 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 0000000077e5fa18 5 bytes JMP 000000010051ae60 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077e5fa30 5 bytes JMP 000000010051a580 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 0000000077e5fa80 5 bytes JMP 000000010051a640 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077e5fa98 5 bytes JMP 000000010051a6f8 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077e5fac8 5 bytes JMP 0000000100519eac .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077e5fb30 5 bytes JMP 000000010051ab3c .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077e5fc28 5 bytes JMP 000000010051c3b0 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077e5fc40 5 bytes JMP 000000010051c9d8 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077e5fc70 5 bytes JMP 000000010051c844 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e5fca0 5 bytes JMP 000000010051b9a8 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 0000000077e5fd3c 5 bytes JMP 000000010051a7dc .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e5fd54 5 bytes JMP 000000010051cc88 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077e5fd88 5 bytes JMP 000000010051bbc4 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077e5fdb8 5 bytes JMP 000000010051bcac .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile 0000000077e5fde8 5 bytes JMP 000000010051a244 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077e5fe34 5 bytes JMP 000000010051be3c .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 0000000077e5fe4c 5 bytes JMP 000000010051ceac .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile 0000000077e5ff7c 5 bytes JMP 000000010051c048 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077e5ff94 5 bytes JMP 000000010051cb60 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile 0000000077e5ffac 5 bytes JMP 000000010051a304 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077e5ffdc 5 bytes JMP 0000000100519cdc .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077e5fff4 5 bytes JMP 0000000100519df0 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQuerySection 0000000077e60040 5 bytes JMP 000000010051c920 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e60058 5 bytes JMP 0000000100519ecc .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e600a4 5 bytes JMP 000000010051c5f8 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077e601b4 5 bytes JMP 000000010051a89c .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheck 0000000077e60218 5 bytes JMP 000000010051a4a8 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077e60804 5 bytes JMP 0000000100519bc8 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077e6090c 5 bytes JMP 0000000100519f2c .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077e609d4 5 bytes JMP 000000010051c100 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077e609ec 5 bytes JMP 000000010051aa04 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077e60a34 5 bytes JMP 000000010051a960 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtExtendSection 0000000077e60b0c 5 bytes JMP 000000010051a3e4 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077e60b70 5 bytes JMP 000000010051aaa0 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey 0000000077e60dfc 5 bytes JMP 000000010051afdc .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey2 0000000077e60e14 5 bytes JMP 000000010051b16c .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLockFile 0000000077e60e44 5 bytes JMP 000000010051c110 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeDirectoryFile 0000000077e60f48 5 bytes JMP 000000010051a134 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077e60f60 5 bytes JMP 000000010051b304 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077e61008 5 bytes JMP 000000010051acdc .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 0000000077e6132c 5 bytes JMP 000000010051d038 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077e6146c 5 bytes JMP 000000010051b3e4 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077e61518 5 bytes JMP 000000010051a068 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtReplaceKey 0000000077e61738 5 bytes JMP 000000010051b4a4 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtRestoreKey 0000000077e617d0 5 bytes JMP 000000010051b624 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSaveKey 0000000077e61864 5 bytes JMP 000000010051b6cc .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077e61a48 5 bytes JMP 000000010051b770 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077e61b8c 5 bytes JMP 0000000100519f90 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetVolumeInformationFile 0000000077e61c8c 5 bytes JMP 000000010051bf44 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtUnloadKey 0000000077e61e60 5 bytes JMP 000000010051b820 .text C:\Program Files (x86)\CPUCooL\CooLSrv.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtUnlockFile 0000000077e61ea8 5 bytes JMP 000000010051c1d0 .text C:\Users\Mikołaj\AppData\Roaming\TSv\TSvr.exe[2648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771c1465 2 bytes [1C, 77] .text C:\Users\Mikołaj\AppData\Roaming\TSv\TSvr.exe[2648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771c14bb 2 bytes [1C, 77] .text ... * 2 .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugincontainer.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771c1465 2 bytes [1C, 77] .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugincontainer.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771c14bb 2 bytes [1C, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\updater.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771c1465 2 bytes [1C, 77] .text C:\Program Files (x86)\Common Files\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\updater.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771c14bb 2 bytes [1C, 77] .text ... * 2 .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\7\plugin.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771c1465 2 bytes [1C, 77] .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\7\plugin.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771c14bb 2 bytes [1C, 77] .text ... * 2 .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\3\plugin.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771c1465 2 bytes [1C, 77] .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\3\plugin.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771c14bb 2 bytes [1C, 77] .text ... * 2 .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\12\plugin.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771c1465 2 bytes [1C, 77] .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\12\plugin.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771c14bb 2 bytes [1C, 77] .text ... * 2 .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\7\plugin.exe[3964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771c1465 2 bytes [1C, 77] .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\7\plugin.exe[3964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771c14bb 2 bytes [1C, 77] .text ... * 2 .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\3\plugin.exe[5160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771c1465 2 bytes [1C, 77] .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\3\plugin.exe[5160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771c14bb 2 bytes [1C, 77] .text ... * 2 .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\12\plugin.exe[5168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771c1465 2 bytes [1C, 77] .text C:\ProgramData\6b8a269e-46ff-4899-a3e6-0e20ae670c9b\plugins\12\plugin.exe[5168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771c14bb 2 bytes [1C, 77] .text ... * 2 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1936] (GG drive overlay/GG Network S.A.)(2015-02-26 00:52:55) 000000005c080000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3A46868B-D440-400B-9B22-F962807E32A6}@LeaseObtainedTime 1447701382 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3A46868B-D440-400B-9B22-F962807E32A6}@T1 1447701509 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3A46868B-D440-400B-9B22-F962807E32A6}@T2 1447701605 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3A46868B-D440-400B-9B22-F962807E32A6}@LeaseTerminatesTime 1447701637 ---- EOF - GMER 2.1 ----