GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-30 19:08:42
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 ST1000LM024_HN-M101MBB rev.2AR20002 931,51GB
Running: gmer.exe; Driver: C:\Users\Victoria\AppData\Local\Temp\ufldqpow.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ff80bff28c0 7 bytes JMP 00007ff909a602d0
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ff80bff43d8 7 bytes JMP 00007ff909a60308
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ff80c0a1f20 7 bytes JMP 00007ff909a60378
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ff80c0a40b4 7 bytes JMP 00007ff909a603b0
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ff80c0a4510 7 bytes JMP 00007ff909a60340
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ff80c0a4af0 7 bytes JMP 00007ff909a60260
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ff80c0ccea0 7 bytes JMP 00007ff909a60228
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ff80c0ccf10 7 bytes JMP 00007ff909a60298
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ff809ac2300 7 bytes JMP 00007ff909a600d8
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ff809ac5770 5 bytes JMP 00007ff909a60180
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ff809ac5860 5 bytes JMP 00007ff909a60148
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ff809ac5a30 5 bytes JMP 00007ff909a60110
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ff80a5bb6f4 10 bytes JMP 00007ff909a60490
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ff80a5c45d8 5 bytes JMP 00007ff909a60458
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ff80a5c4750 9 bytes JMP 00007ff909a603e8
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ff80a5d4fc0 5 bytes JMP 00007ff909a60420
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ff80bea1500 8 bytes JMP 00007ff909a601b8
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ff80bea1750 8 bytes JMP 00007ff909a601f0
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ff806cc7a88 5 bytes JMP 00007ff906a60110
.text C:\WINDOWS\system32\dwm.exe[352] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ff806cd4990 5 bytes JMP 00007ff906a600d8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[444] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff80c62169a 4 bytes [62, 0C, F8, 7F]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[444] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff80c6216a2 4 bytes [62, 0C, F8, 7F]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[444] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff80c62181a 4 bytes [62, 0C, F8, 7F]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[444] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff80c621832 4 bytes [62, 0C, F8, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[496] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff80c62169a 4 bytes [62, 0C, F8, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[496] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff80c6216a2 4 bytes [62, 0C, F8, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[496] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff80c62181a 4 bytes [62, 0C, F8, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[496] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff80c621832 4 bytes [62, 0C, F8, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff80c62169a 4 bytes [62, 0C, F8, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff80c6216a2 4 bytes [62, 0C, F8, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff80c62181a 4 bytes [62, 0C, F8, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff80c621832 4 bytes [62, 0C, F8, 7F]
.text C:\WINDOWS\Explorer.EXE[3248] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffff1501f6a 4 bytes [50, F1, FF, 7F]
.text C:\WINDOWS\Explorer.EXE[3248] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffff1501f82 4 bytes [50, F1, FF, 7F]
.text C:\WINDOWS\Explorer.EXE[3248] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff80c62169a 4 bytes [62, 0C, F8, 7F]
.text C:\WINDOWS\Explorer.EXE[3248] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff80c6216a2 4 bytes [62, 0C, F8, 7F]
.text C:\WINDOWS\Explorer.EXE[3248] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff80c62181a 4 bytes [62, 0C, F8, 7F]
.text C:\WINDOWS\Explorer.EXE[3248] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff80c621832 4 bytes [62, 0C, F8, 7F]
.text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2724] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffff1501f6a 4 bytes [50, F1, FF, 7F]
.text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2724] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffff1501f82 4 bytes [50, F1, FF, 7F]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [720:1416] fffff96000815b90
Thread C:\WINDOWS\system32\svchost.exe [1292:4080] 00007ffff7974608
Thread C:\WINDOWS\system32\svchost.exe [1292:4084] 00007ffff7951b40
Thread C:\WINDOWS\system32\svchost.exe [1292:6016] 00007ffff7971040

---- Processes - GMER 2.1 ----

Process C:\ProgramData\DatacardService\DCService.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCService.exe [1456](2010-05-08 11:48:36) 0000000000400000
Process C:\PROGRA~3\ASGVIS\DONGLE~1\STARTV~1.EXE (*** suspicious ***) @ C:\PROGRA~3\ASGVIS\DONGLE~1\STARTV~1.EXE [2356](2014-05-31 21:28:58) 0000000000400000
Process C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [3380] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2010-05-08 11:48:26) 0000000000400000
Process C:\Users\Victoria\AppData\Local\Temp\Rar$EXa0.524\gmer.exe (*** suspicious ***) @ C:\Users\Victoria\AppData\Local\Temp\Rar$EXa0.524\gmer.exe [3848](2014-08-30 17:03:04) 0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----