GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-04-03 19:24:00 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003 465,76GB Running: 3d9zdwvh.exe; Driver: C:\Users\Laptop\AppData\Local\Temp\awrdapob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000771f1401 2 bytes JMP 759ceb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000771f1419 2 bytes JMP 759db513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000771f1431 2 bytes JMP 75a58609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000771f144a 2 bytes CALL 759b1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771f14dd 2 bytes JMP 75a57efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771f14f5 2 bytes JMP 75a580d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000771f150d 2 bytes JMP 75a57df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000771f1525 2 bytes JMP 75a581c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000771f153d 2 bytes JMP 759cf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000771f1555 2 bytes JMP 759db885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000771f156d 2 bytes JMP 75a586c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000771f1585 2 bytes JMP 75a58222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000771f159d 2 bytes JMP 75a57db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771f15b5 2 bytes JMP 759cf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771f15cd 2 bytes JMP 759db29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771f16b2 2 bytes JMP 75a58584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1680] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771f16bd 2 bytes JMP 75a57d4d C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000771f1401 2 bytes JMP 759ceb26 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000771f1419 2 bytes JMP 759db513 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000771f1431 2 bytes JMP 75a58609 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000771f144a 2 bytes CALL 759b1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771f14dd 2 bytes JMP 75a57efe C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771f14f5 2 bytes JMP 75a580d8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000771f150d 2 bytes JMP 75a57df4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000771f1525 2 bytes JMP 75a581c2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000771f153d 2 bytes JMP 759cf088 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000771f1555 2 bytes JMP 759db885 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000771f156d 2 bytes JMP 75a586c1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000771f1585 2 bytes JMP 75a58222 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000771f159d 2 bytes JMP 75a57db8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771f15b5 2 bytes JMP 759cf121 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771f15cd 2 bytes JMP 759db29f C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771f16b2 2 bytes JMP 75a58584 C:\Windows\syswow64\kernel32.dll .text C:\Users\Laptop\AppData\Roaming\SearchProtect\bin\cltmng.exe[2864] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771f16bd 2 bytes JMP 75a57d4d C:\Windows\syswow64\kernel32.dll ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1408:2800] 000007fefa212a74 ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Matrix\The.Matrix.Path.Of.Neo.PC.Game(djDEVASTATE\x2122)\EAX4Unified_redist_4001.exe 1 ---- EOF - GMER 2.1 ----