GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-07 20:53:02
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BEVT-22ZAT0 rev.01.01A01 465,76GB
Running: w5c5vc4s.exe; Driver: C:\Users\UKASZ~1\AppData\Local\Temp\kwliipow.sys

---- User code sections - GMER 2.1 ----

.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\kernel32.dll!CreateFileW  0000000076cb3f1c 5 bytes JMP 000000016d7fab10
.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\USER32.dll!SetWindowPos  0000000075738e4e 5 bytes JMP 000000016d7fa0b0
.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\USER32.dll!ShowWindow  0000000075740dfb 5 bytes JMP 000000016d7f9e90
.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\USER32.dll!SetFocus  0000000075742175 5 bytes JMP 000000016d7f9fa0
.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\USER32.dll!SetActiveWindow  0000000075743208 5 bytes JMP 000000016d7fa1c0
.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\USER32.dll!BringWindowToTop  0000000075747b3b 5 bytes JMP 000000016d7f9bc0
.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\USER32.dll!SetForegroundWindow  000000007575f170 5 bytes JMP 000000016d7f9ab0
.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\USER32.dll!SwitchToThisWindow  00000000757790fc 5 bytes JMP 000000016d7f9cd0
.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\USER32.dll!ShowWindowAsync  0000000075797d97 5 bytes JMP 000000016d7f9d80
.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\ole32.dll!DoDragDrop  00000000771ca827 5 bytes JMP 000000016d7f99c0
.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000767d1465 2 bytes [7D, 76]
.text  D:\Gry Mikołaj\Nowy folder\Origin\Origin.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000767d14bb 2 bytes [7D, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Steam\Steam.exe[3508]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  00000000767d1465 2 bytes [7D, 76]
.text  C:\Program Files (x86)\Steam\Steam.exe[3508]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000767d14bb 2 bytes [7D, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[3544]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000767d1465 2 bytes [7D, 76]
.text  C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[3544]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000767d14bb 2 bytes [7D, 76]
.text  ...  * 2
.text  C:\Users\Łukasz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.15.4\dsrlte.exe[3588]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000767d1465 2 bytes [7D, 76]
.text  C:\Users\Łukasz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.15.4\dsrlte.exe[3588]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000767d14bb 2 bytes [7D, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3624]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000767d1465 2 bytes [7D, 76]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3624]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000767d14bb 2 bytes [7D, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3624]  C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  00000000718b11a8 2 bytes [8B, 71]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3624]  C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21  00000000718b13a8 2 bytes [8B, 71]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3624]  C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21  00000000718b1422 2 bytes [8B, 71]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3624]  C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19  00000000718b1498 2 bytes [8B, 71]
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3324]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000767d1465 2 bytes [7D, 76]
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3324]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000767d14bb 2 bytes [7D, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4008]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  00000000767d1465 2 bytes [7D, 76]
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4008]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000767d14bb 2 bytes [7D, 76]
.text  ...  * 2

---- Processes - GMER 2.1 ----

Process  C:\ProgramData\DatacardService\DCService.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCService.exe [1936](2010-08-19 08:52:04)  0000000000400000
Process  C:\ProgramData\2ce8e63b-5e53-4efc-b4cf-6a6e52e017a4\maintainer.exe (*** suspicious ***) @ C:\ProgramData\2ce8e63b-5e53-4efc-b4cf-6a6e52e017a4\maintainer.exe [948](2014-10-04 02:38:59)  0000000000d90000
Process  C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [1656] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2010-08-19 08:52:14)  0000000000400000
Process  C:\Users\Łukasz\AppData\Roaming\blueconnect\ouc.exe (*** suspicious ***) @ C:\Users\Łukasz\AppData\Roaming\blueconnect\ouc.exe [3552] (Online Update Clinet/Huawei Technologies Co., Ltd.)(2014-05-01 08:06:28)  0000000000400000

---- EOF - GMER 2.1 ----