GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-09-02 22:01:00
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1ER162 rev.CC45 931,51GB
Running: jhnmqgsg.exe; Driver: C:\Users\Oskar\AppData\Local\Temp\awddrkog.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 660   fffff800031a7084 13 bytes [00, 00, 81, E1, FF, 0F, 00, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 674   fffff800031a7092 4 bytes [00, B8, 00, 04]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\Explorer.EXE[1756] C:\Windows\system32\kernel32.dll!CreateProcessW   0000000077700650 5 bytes JMP 0000000102cb0018
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1924] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW   0000000075b42ab1 5 bytes JMP 00000001002cf63e
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\kernel32.dll!CreateFileW   0000000076273f1c 13 bytes JMP 000000016fcd2c50
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\USER32.dll!SetWindowPos   0000000076178e4e 5 bytes JMP 000000016fcd2ac0
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\USER32.dll!ShowWindow   0000000076180dfb 5 bytes JMP 000000016fcd2920
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\USER32.dll!SetFocus   0000000076182175 5 bytes JMP 000000016fcd2a00
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\USER32.dll!SetActiveWindow   0000000076183208 5 bytes JMP 000000016fcd2b90
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\USER32.dll!BringWindowToTop   0000000076187b3b 13 bytes JMP 000000016fcd26c0
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\USER32.dll!SetForegroundWindow   000000007619f170 13 bytes JMP 000000016fcd2600
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow   00000000761b90fc 13 bytes JMP 000000016fcd2780
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\USER32.dll!ShowWindowAsync   00000000761d7d97 5 bytes JMP 000000016fcd2840
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\ole32.dll!DoDragDrop   00000000774ba827 13 bytes JMP 000000016fcd2540
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000077511465 2 bytes [51, 77]
.text  D:\Origin\Origin.exe[2124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000775114bb 2 bytes [51, 77]
.text  ...   * 2
.text  C:\Program Files (x86)\00000000-1440931890-0000-0000-D8CB8A7719CA\jnsj646.tmp[2952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000077511465 2 bytes [51, 77]
.text  C:\Program Files (x86)\00000000-1440931890-0000-0000-D8CB8A7719CA\jnsj646.tmp[2952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000775114bb 2 bytes [51, 77]
.text  ...   * 2
.text  C:\Windows\system32\PnkBstrA.exe[3100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000077511465 2 bytes [51, 77]
.text  C:\Windows\system32\PnkBstrA.exe[3100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000775114bb 2 bytes [51, 77]
.text  ...   * 2
.text  C:\ProgramData\7WdsManPro7\WdsManPro.exe[3300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000077511465 2 bytes [51, 77]
.text  C:\ProgramData\7WdsManPro7\WdsManPro.exe[3300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000775114bb 2 bytes [51, 77]
.text  ...   * 2
.text  D:\Origin\OriginClientService.exe[3356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000077511465 2 bytes [51, 77]
.text  D:\Origin\OriginClientService.exe[3356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000775114bb 2 bytes [51, 77]
.text  ...   * 2

---- Threads - GMER 2.1 ----

Thread  C:\Windows\System32\svchost.exe [3184:3180]   000007feeeab9688

---- Processes - GMER 2.1 ----

Process  C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [2788](2015-07-30 19:32:26)   0000000000400000
Library  C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [2788](2015-07-30 19:32:26)   000000006fbc0000
Library  C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [2788](2015-07-30 19:32:26)   000000006e940000
Library  C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [2788](2015-07-30 19:32:26)   000000006a1c0000
Library  C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [2788](2015-07-30 19:32:26)   000000006ff00000
Library  C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [2788](2015-07-30 19:32:26)   000000006efc0000
Library  C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\Cyfrowy Polsat E3276\OnlineUpdate\ouc.exe [2788](2015-07-30 19:32:26)   000000006ed40000

---- EOF - GMER 2.1 ----