GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-05-27 14:57:19
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006e TOSHIB_ rev.MS2O 931,51GB
Running: 1gsy1bl4.exe; Driver: C:\Users\Dav\AppData\Local\Temp\pgddqpoc.sys

---- User code sections - GMER 2.2 ----

.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077321401 2 bytes JMP 7578b233 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077321419 2 bytes JMP 7578b35e C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077321431 2 bytes JMP 75809149 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007732144a 2 bytes CALL 75764885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773214dd 2 bytes JMP 75808a42 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773214f5 2 bytes JMP 75808c18 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007732150d 2 bytes JMP 75808938 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077321525 2 bytes JMP 75808d02 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007732153d 2 bytes JMP 7577fcc0 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077321555 2 bytes JMP 75786907 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007732156d 2 bytes JMP 75809201 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077321585 2 bytes JMP 75808d62 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007732159d 2 bytes JMP 758088fc C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773215b5 2 bytes JMP 7577fd59 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773215cd 2 bytes JMP 7578b2f4 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773216b2 2 bytes JMP 758090c4 C:\Windows\syswow64\kernel32.dll
.text E:\Programy\RocketDock\RocketDock.exe[4672] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773216bd 2 bytes JMP 75808891 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077321401 2 bytes JMP 7578b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077321419 2 bytes JMP 7578b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077321431 2 bytes JMP 75809149 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007732144a 2 bytes CALL 75764885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773214dd 2 bytes JMP 75808a42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773214f5 2 bytes JMP 75808c18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007732150d 2 bytes JMP 75808938 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077321525 2 bytes JMP 75808d02 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007732153d 2 bytes JMP 7577fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077321555 2 bytes JMP 75786907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007732156d 2 bytes JMP 75809201 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077321585 2 bytes JMP 75808d62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007732159d 2 bytes JMP 758088fc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773215b5 2 bytes JMP 7577fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773215cd 2 bytes JMP 7578b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773216b2 2 bytes JMP 758090c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4772] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773216bd 2 bytes JMP 75808891 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077321401 2 bytes JMP 7578b233 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077321419 2 bytes JMP 7578b35e C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077321431 2 bytes JMP 75809149 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007732144a 2 bytes CALL 75764885 C:\Windows\syswow64\KERNEL32.dll
.text ... * 9
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773214dd 2 bytes JMP 75808a42 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773214f5 2 bytes JMP 75808c18 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007732150d 2 bytes JMP 75808938 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077321525 2 bytes JMP 75808d02 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007732153d 2 bytes JMP 7577fcc0 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077321555 2 bytes JMP 75786907 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007732156d 2 bytes JMP 75809201 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077321585 2 bytes JMP 75808d62 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007732159d 2 bytes JMP 758088fc C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773215b5 2 bytes JMP 7577fd59 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773215cd 2 bytes JMP 7578b2f4 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773216b2 2 bytes JMP 758090c4 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773216bd 2 bytes JMP 75808891 C:\Windows\syswow64\KERNEL32.dll

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\svchost.exe [384:2728] 0000000001730e5c
Thread C:\Windows\system32\svchost.exe [384:2732] 0000000001730e5c
Thread C:\Windows\system32\svchost.exe [384:2736] 0000000001730e5c
Thread C:\Windows\system32\svchost.exe [384:2816] 000000000172738c
Thread C:\Windows\system32\svchost.exe [384:2820] 000000000172738c

---- EOF - GMER 2.2 ----