GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-13 14:31:16
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM012_HN-M500MBB rev.2BA30001 465,76GB
Running: xrqs2x95.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys

---- User code sections - GMER 2.1 ----

.text    C:\Program Files\AVAST Software\Avast\AvastUI.exe[1040] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter    00000000755d8781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]

---- Threads - GMER 2.1 ----

Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2704:1936]    0000000074dc7587
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2704:2732]    0000000071d08aa6
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2704:3100]    00000000772413b5
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2704:4412]    00000000772527e5
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2704:4164]    00000000772527e5
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2704:5412]    00000000772527e5

---- Processes - GMER 2.1 ----

Process  C:\ProgramData\DatacardService\HWDeviceService64.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\HWDeviceService64.exe [2580](2011-03-14 15:27:34)    000000013f9b0000
Process  C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [2796] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2011-03-14 15:27:28)    0000000000400000
Process  C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3104](2015-04-1    0000000000400000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3104]    000000006fbc0000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3104](2015-04-13 07:22:03)    000000006e940000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3104](2    000000006a1c0000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3104](2015-04-13 07:22:03)    000000006ff00000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3104](2015-04-13 07:22:03)    000000006efc0000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3104](201    000000006ed40000

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch    2174
Reg      HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{1CFF049F-D55F-4076-A2ED-8D3665F6050C}    v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe|Name=avast! NG front end|
Reg      HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{2857C911-C9EE-4133-BADF-D0793560D784}    v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe|Name=avast! NG front end|
Reg      HKLM\SYSTEM\CurrentControlSet\services\VBoxAswDrv@Start    2
Reg      HKLM\SYSTEM\CurrentControlSet\services\VBoxAswDrv

---- EOF - GMER 2.1 ----