GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-18 19:03:53
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD20EZRX-00D8PB0 rev.80.00A80 1863,02GB
Running: gmer.exe; Driver: C:\Users\Czarny\AppData\Local\Temp\axdirpob.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\wininit.exe[664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Windows\system32\services.exe[720] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Windows\system32\winlogon.exe[840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Windows\system32\atiesrxx.exe[348] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Windows\System32\svchost.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Windows\Explorer.EXE[1780] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\afwServ.exe[1520] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075758791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\AVAST Software\Avast\afwServ.exe[1520] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2fd 1 byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[1732] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2fd 1 byte [62]
.text C:\Windows\system32\rundll32.exe[2092] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Windows\SysWOW64\rundll32.exe[2228] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2fd 1 byte [62]
.text C:\ProgramData\DatacardService\HWDeviceService64.exe[2860] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\ProgramData\DatacardService\DCSHelper.exe[2928] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2fd 1 byte [62]
.text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[3060] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2fd 1 byte [62]
.text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[1564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3168] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Program Files\WinRAR\WinRAR.exe[3796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755ef8d 1 byte [62]
.text C:\Users\Czarny\AppData\Local\Temp\Rar$EXa0.635\gmer.exe[4616] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007577a2fd 1 byte [62]

---- Processes - GMER 2.1 ----

Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3060] 000000006fbc0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3060](2014-07-13 19:15:27) 000000006e940000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3060](2 000000006a1c0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3060](2014-07-13 19:15:27) 000000006ff00000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3060](2014-07-13 19:15:27) 000000006efc0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3060](201 000000006ed40000
Process \\?\C:\Windows\system32\wbem\WMIADAP.EXE (*** suspicious ***) @ \\?\C:\Windows\system32\wbem\WMIADAP.EXE [3496] (WMI Reverse Performance Adapter Maintenance Utility/Microsoft Corporation)(2009-07-13 23:47:22) 00000000ff9b0000
Process C:\Users\Czarny\AppData\Local\Temp\Rar$EXa0.635\gmer.exe (*** suspicious ***) @ C:\Users\Czarny\AppData\Local\Temp\Rar$EXa0.635\gmer.exe [4616](2015-03-18 17:31:23) 0000000000400000

---- Files - GMER 2.1 ----

File C:\Users\Czarny\AppData\Roaming\TS3Client\cache\remote\image\png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAflBMVEVNZplMZ6BGYpxHY52KncVkfrJXcqlac6ZZdKpedqhcdq1AXJc9WZFCXpllfKtfeK5RbKXo7fjg5vVug6z\2+PxieqxpgbZAWYvO2fDL1u\S2eXU3fHd5PTD0Ozu8vpuhLM\V4l8kb68x92rt86Wp8tRapx4j71edJ+6w9X 0 bytes
File C:\Users\Czarny\AppData\Roaming\TS3Client\cache\remote\image\png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAflBMVEVNZplMZ6BGYpxHY52KncVkfrJXcqlac6ZZdKpedqhcdq1AXJc9WZFCXpllfKtfeK5RbKXo7fjg5vVug6z\2+PxieqxpgbZAWYvO2fDL1u\S2eXU3fHd5PTD0Ozu8vpuhLM\V4l8kb68x92rt86Wp8tRapx4j71edJ+6w9X\pDG9AAABY0lEQVQ4jYWT2VaDMBRFgUgK1BAqLaA4pFSp 0 bytes
File C:\Users\Czarny\AppData\Roaming\TS3Client\cache\remote\image\png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAflBMVEVNZplMZ6BGYpxHY52KncVkfrJXcqlac6ZZdKpedqhcdq1AXJc9WZFCXpllfKtfeK5RbKXo7fjg5vVug6z\2+PxieqxpgbZAWYvO2fDL1u\S2eXU3fHd5PTD0Ozu8vpuhLM\V4l8kb68x92rt86Wp8tRapx4j71edJ+6w9X\pDG9AAABY0lEQVQ4jYWT2VaDMBRFgUgK1BAqLaA4pFSp\v8Pes69DJW1utwkudNueCnRsa+ju9T9Meqj8HCXgHEdhjYlbYuoqYa2DUPA9UNop75E1dSFgfcM6RY 0 bytes
File C:\Users\Czarny\AppData\Roaming\TS3Client\cache\remote\image\png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAflBMVEVNZplMZ6BGYpxHY52KncVkfrJXcqlac6ZZdKpedqhcdq1AXJc9WZFCXpllfKtfeK5RbKXo7fjg5vVug6z\2+PxieqxpgbZAWYvO2fDL1u\S2eXU3fHd5PTD0Ozu8vpuhLM\V4l8kb68x92rt86Wp8tRapx4j71edJ+6w9X\pDG9AAABY0lEQVQ4jYWT2VaDMBRFgUgK1BAqLaA4pFSp\v8Pes69DJW1utwkudNueCnRsa+ju9T9Meqj8HCXgHEdhjYlbYuoqYa2DUPA9UNop75E1dSFgfcM6RY\Rh0ephSunj1u73V 0 bytes
File C:\Users\Czarny\AppData\Roaming\TS3Client\cache\remote\image\png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAflBMVEVNZplMZ6BGYpxHY52KncVkfrJXcqlac6ZZdKpedqhcdq1AXJc9WZFCXpllfKtfeK5RbKXo7fjg5vVug6z\2+PxieqxpgbZAWYvO2fDL1u\S2eXU3fHd5PTD0Ozu8vpuhLM\V4l8kb68x92rt86Wp8tRapx4j71edJ+6w9X\pDG9AAABY0lEQVQ4jYWT2VaDMBRFgUgK1BAqLaA4pFSp\v8Pes69DJW1utwkudNueCnRsa+ju9T9Meqj8HCXgHEdhjYlbYuoqYa2DUPA9UNop75E1dSFgfcM6RY\Rh0ephSunj1u73V\5yOgOkVQvAbShlT8D6oUDAvuArweVLYo5D6rPDZgvf9ImQ+pVAU1hZyWDk5vKS8q7ANhMzid7qt3PEBGpSWC4LdQmEpVKiqylaM1nbd+QDOXddJH0L1h8OK1BDieB4iidf5hbXcwH4sFcLTwgW9OJYbblmFL6lFMMwMg6w3MPUMhSQxsmQnxiQUzFQYCDgN+6IxvgJV8fAG51ySYGHzSURgzQkE5 0 bytes
File C:\Users\Czarny\AppData\Roaming\TS3Client\cache\remote\image\png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAflBMVEVNZplMZ6BGYpxHY52KncVkfrJXcqlac6ZZdKpedqhcdq1AXJc9WZFCXpllfKtfeK5RbKXo7fjg5vVug6z\2+PxieqxpgbZAWYvO2fDL1u\S2eXU3fHd5PTD0Ozu8vpuhLM\V4l8kb68x92rt86Wp8tRapx4j71edJ+6w9X\pDG9AAABY0lEQVQ4jYWT2VaDMBRFgUgK1BAqLaA4pFSp\v8Pes69DJW1utwkudNueCnRsa+ju9T9Meqj8HCXgHEdhjYlbYuoqYa2DUPA9UNop75E1dSFgfcM6RY\Rh0ephSunj1u73V\5yOgOkVQvAbShlT8D6oUDAvuArweVLYo5D6rPDZgvf9ImQ+pVAU1hZyWDk5vKS8q7ANhMzid7qt3PEBGpSWC4LdQmEpVKiqylaM1nbd+QDOXddJH0L1h8OK1BDieB4iidf5hbXcwH4sFcLTwgW9OJYbblmFL6lFMMwMg6w3MPUMhSQxsmQnxiQUzFQYCDgN+6IxvgJV8fAG51ySYGHzSURgzQkE5\Z8FGSOAgIKHBSmqdPE7Z 0 bytes
File C:\Users\Czarny\AppData\Roaming\TS3Client\cache\remote\image\png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAflBMVEVNZplMZ6BGYpxHY52KncVkfrJXcqlac6ZZdKpedqhcdq1AXJc9WZFCXpllfKtfeK5RbKXo7fjg5vVug6z\2+PxieqxpgbZAWYvO2fDL1u\S2eXU3fHd5PTD0Ozu8vpuhLM\V4l8kb68x92rt86Wp8tRapx4j71edJ+6w9X\pDG9AAABY0lEQVQ4jYWT2VaDMBRFgUgK1BAqLaA4pFSp\v8Pes69DJW1utwkudNueCnRsa+ju9T9Meqj8HCXgHEdhjYlbYuoqYa2DUPA9UNop75E1dSFgfcM6RY\Rh0ephSunj1u73V\5yOgOkVQvAbShlT8D6oUDAvuArweVLYo5D6rPDZgvf9ImQ+pVAU1hZyWDk5vKS8q7ANhMzid7qt3PEBGpSWC4LdQmEpVKiqylaM1nbd+QDOXddJH0L1h8OK1BDieB4iidf5hbXcwH4sFcLTwgW9OJYbblmFL6lFMMwMg6w3MPUMhSQxsmQnxiQUzFQYCDgN+6IxvgJV8fAG51ySYGHzSURgzQkE5\Z8FGSOAgIKHBSmqdPE7Z\B3mmDNzxueQFLAaFs8rxpeGjIKcx5SSGnkK 0 bytes
File C:\Users\Czarny\AppData\Roaming\TS3Client\cache\remote\image\png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAflBMVEVNZplMZ6BGYpxHY52KncVkfrJXcqlac6ZZdKpedqhcdq1AXJc9WZFCXpllfKtfeK5RbKXo7fjg5vVug6z\2+PxieqxpgbZAWYvO2fDL1u\S2eXU3fHd5PTD0Ozu8vpuhLM\V4l8kb68x92rt86Wp8tRapx4j71edJ+6w9X\pDG9AAABY0lEQVQ4jYWT2VaDMBRFgUgK1BAqLaA4pFSp\v8Pes69DJW1utwkudNueCnRsa+ju9T9Meqj8HCXgHEdhjYlbYuoqYa2DUPA9UNop75E1dSFgfcM6RY\Rh0ephSunj1u73V\5yOgOkVQvAbShlT8D6oUDAvuArweVLYo5D6rPDZgvf9ImQ+pVAU1hZyWDk5vKS8q7ANhMzid7qt3PEBGpSWC4LdQmEpVKiqylaM1nbd+QDOXddJH0L1h8OK1BDieB4iidf5hbXcwH4sFcLTwgW9OJYbblmFL6lFMMwMg6w3MPUMhSQxsmQnxiQUzFQYCDgN+6IxvgJV8fAG51ySYGHzSURgzQkE5\Z8FGSOAgIKHBSmqdPE7Z\B3mmDNzxueQFLAaFs8rxpeGjIKcx5SSGnkK\CO9gKf6Aw5yLsSC5HjqiC9kRoEIXd7kbVmOMvV4 0 bytes
File C:\Users\Czarny\AppData\Roaming\TS3Client\cache\remote\image\png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAflBMVEVNZplMZ6BGYpxHY52KncVkfrJXcqlac6ZZdKpedqhcdq1AXJc9WZFCXpllfKtfeK5RbKXo7fjg5vVug6z\2+PxieqxpgbZAWYvO2fDL1u\S2eXU3fHd5PTD0Ozu8vpuhLM\V4l8kb68x92rt86Wp8tRapx4j71edJ+6w9X\pDG9AAABY0lEQVQ4jYWT2VaDMBRFgUgK1BAqLaA4pFSp\v8Pes69DJW1utwkudNueCnRsa+ju9T9Meqj8HCXgHEdhjYlbYuoqYa2DUPA9UNop75E1dSFgfcM6RY\Rh0ephSunj1u73V\5yOgOkVQvAbShlT8D6oUDAvuArweVLYo5D6rPDZgvf9ImQ+pVAU1hZyWDk5vKS8q7ANhMzid7qt3PEBGpSWC4LdQmEpVKiqylaM1nbd+QDOXddJH0L1h8OK1BDieB4iidf5hbXcwH4sFcLTwgW9OJYbblmFL6lFMMwMg6w3MPUMhSQxsmQnxiQUzFQYCDgN+6IxvgJV8fAG51ySYGHzSURgzQkE5\Z8FGSOAgIKHBSmqdPE7Z\B3mmDNzxueQFLAaFs8rxpeGjIKcx5SSGnkK\CO9gKf6Aw5yLsSC5HjqiC9kRoEIXd7kbVmOMvV4\lPNqCN4w1vs6xvMuI8X+f 0 bytes
File C:\Users\Czarny\AppData\Roaming\TS3Client\cache\remote\image\png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAflBMVEVNZplMZ6BGYpxHY52KncVkfrJXcqlac6ZZdKpedqhcdq1AXJc9WZFCXpllfKtfeK5RbKXo7fjg5vVug6z\2+PxieqxpgbZAWYvO2fDL1u\S2eXU3fHd5PTD0Ozu8vpuhLM\V4l8kb68x92rt86Wp8tRapx4j71edJ+6w9X\pDG9AAABY0lEQVQ4jYWT2VaDMBRFgUgK1BAqLaA4pFSp\v8Pes69DJW1utwkudNueCnRsa+ju9T9Meqj8HCXgHEdhjYlbYuoqYa2DUPA9UNop75E1dSFgfcM6RY\Rh0ephSunj1u73V\5yOgOkVQvAbShlT8D6oUDAvuArweVLYo5D6rPDZgvf9ImQ+pVAU1hZyWDk5vKS8q7ANhMzid7qt3PEBGpSWC4LdQmEpVKiqylaM1nbd+QDOXddJH0L1h8OK1BDieB4iidf5hbXcwH4sFcLTwgW9OJYbblmFL6lFMMwMg6w3MPUMhSQxsmQnxiQUzFQYCDgN+6IxvgJV8fAG51ySYGHzSURgzQkE5\Z8FGSOAgIKHBSmqdPE7Z\B3mmDNzxueQFLAaFs8rxpeGjIKcx5SSGnkK\CO9gKf6Aw5yLsSC5HjqiC9kRoEIXd7kbVmOMvV4\lPNqCN4w1vs6xvMuI8X+f\y9BXixF8yLnMgAAAABJRU5ErkJggg== 550 bytes

---- EOF - GMER 2.1 ----