GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-20 13:01:49
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST31000524AS rev.JC4A 931,51GB
Running: wjvpl7kk.exe; Driver: C:\Users\Lukasz_2\AppData\Local\Temp\kwdirpow.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[1420] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000725c1a22 2 bytes [5C, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1420] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000725c1ad0 2 bytes [5C, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1420] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000725c1b08 2 bytes [5C, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1420] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000725c1bba 2 bytes [5C, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1420] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000725c1bda 2 bytes [5C, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077031465 2 bytes [03, 77]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770314bb 2 bytes [03, 77]
.text ... * 2
.text C:\Program Files (x86)\Steam\Steam.exe[3624] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077031465 2 bytes [03, 77]
.text C:\Program Files (x86)\Steam\Steam.exe[3624] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000770314bb 2 bytes [03, 77]
.text ... * 2
.text C:\Program Files (x86)\ipla\ipla.exe[3716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077031465 2 bytes [03, 77]
.text C:\Program Files (x86)\ipla\ipla.exe[3716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770314bb 2 bytes [03, 77]
.text ... * 2
.text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[4288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077031465 2 bytes [03, 77]
.text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[4288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770314bb 2 bytes [03, 77]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4604] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077031465 2 bytes [03, 77]
.text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4604] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000770314bb 2 bytes [03, 77]
.text ... * 2

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\mfevtps.exe[1972] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13ffbbbb0] C:\Windows\system32\mfevtps.exe

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1700] (GG drive overlay/GG Network S.A.)(2012-08-29 19:52:56) 000000005c080000
Process C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [1364](2013-12-26 17:51:07) 0000000000400000
Library C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [1364](2013-12-26 17:51:07) 000000006fbc0000
Library C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [1364](2013-12-26 17:51:07) 000000006e940000
Library C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [1364](2013-12-26 17:51:07) 000000006a1c0000
Library C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [1364](2013-12-26 17:51:07) 000000006ff00000
Library C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [1364](2013-12-26 17:51:07) 000000006efc0000
Library C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [1364](2013-12-26 17:51:07) 000000006ed40000

---- EOF - GMER 2.1 ----