GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-05 02:41:38 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.80.0 465,76GB Running: k0d44q3w.exe; Driver: C:\Users\Aveo\AppData\Local\Temp\ufddrpog.sys ---- User code sections - GMER 2.1 ---- .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\SysWOW64\ntdll.dll!RtlFreeActivationContextStack + 271 0000000077528017 7 bytes JMP 0000000100519d68 .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\kernel32.dll!FreeLibrary + 8 0000000076fd3490 7 bytes JMP 0000000100519bac .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\kernel32.dll!GetFileInformationByHandle + 19 0000000076fd5389 7 bytes JMP 00000001004bd04c .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075d79d0b 5 bytes JMP 000000011000a4d0 .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075d79d4e 5 bytes JMP 000000011000a630 .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\GDI32.dll!CreatePen 0000000075b7ba4f 5 bytes JMP 0000000100708004 .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\USER32.dll!GetSysColor 0000000075316c3c 5 bytes JMP 00000001007081b0 .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\USER32.dll!GetSysColorBrush 00000000753235a4 5 bytes JMP 00000001007082e4 .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f61401 2 bytes JMP 76ffb21b C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f61419 2 bytes JMP 76ffb346 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f61431 2 bytes JMP 77078ea9 
C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f6144a 2 bytes CALL 76fd48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f614dd 2 bytes JMP 770787a2 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f614f5 2 bytes JMP 77078978 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f6150d 2 bytes JMP 77078698 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f61525 2 bytes JMP 77078a62 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f6153d 2 bytes JMP 76fefca8 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f61555 2 bytes JMP 76ff68ef C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f6156d 2 bytes JMP 77078f61 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f61585 2 bytes JMP 77078ac2 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f6159d 2 bytes JMP 7707865c C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f615b5 2 bytes JMP 76fefd41 C:\Windows\syswow64\kernel32.dll .text D:\Program 
Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f615cd 2 bytes JMP 76ffb2dc C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f616b2 2 bytes JMP 77078e24 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f616bd 2 bytes JMP 770785f1 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 0000000069987e3d 5 bytes JMP 000000011000a690 .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 00000000699bde69 5 bytes JMP 000000011000a770 .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 00000000699cd2c5 5 bytes JMP 000000011000a8a0 .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 00000000699cd371 5 bytes JMP 000000011000a990 .text D:\Program Files\My Lockbox\mylbx.exe[3076] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 00000000699cd429 5 bytes JMP 000000011000aa80 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075d79d0b 5 bytes JMP 000000011000a4d0 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075d79d4e 5 bytes JMP 000000011000a630 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 00000000736f451e 5 bytes JMP 000000011000ab40 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 00000000736f4b6d 5 bytes JMP 000000011000abb0 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 00000000736f4bf2 5 bytes JMP 000000011000ac90 .text C:\Windows\SysWOW64\HsMgr.exe[3164] 
C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 00000000736f4f0f 5 bytes JMP 000000011000ac50 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 00000000736f4f7b 5 bytes JMP 000000011000ac10 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 00000000736f9054 5 bytes JMP 000000011000ad10 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 00000000736fadf9 5 bytes JMP 000000011000abe0 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000737152e8 5 bytes JMP 000000011000acd0 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007371535f 5 bytes JMP 000000011000acf0 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000737159cc 5 bytes JMP 000000011000ae40 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000073715a6a 5 bytes JMP 000000011000aec0 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000073715ad7 5 bytes JMP 000000011000af00 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000073715b5b 5 bytes JMP 000000011000af40 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000073715bba 5 bytes JMP 000000011000af80 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000073715bee 5 bytes JMP 000000011000b000 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000073715c22 5 bytes JMP 000000011000b060 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000073715c67 5 bytes JMP 000000011000b0d0 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 0000000069987e3d 5 bytes JMP 000000011000a690 .text 
C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 00000000699bde69 5 bytes JMP 000000011000a770 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 00000000699cd2c5 5 bytes JMP 000000011000a8a0 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 00000000699cd371 5 bytes JMP 000000011000a990 .text C:\Windows\SysWOW64\HsMgr.exe[3164] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 00000000699cd429 5 bytes JMP 000000011000aa80 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveOutClose 000007fef59b36ac 4 bytes JMP 000007fefe9101f0 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveOutUnprepareHeader 000007fef59b3770 4 bytes JMP 000007fefe910298 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveOutOpen 000007fef59b38d0 5 bytes JMP 000007fefe9101b8 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveOutPrepareHeader 000007fef59b3ca4 4 bytes JMP 000007fefe910260 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveOutWrite 000007fef59b3d40 4 bytes JMP 000007fefe910228 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveInOpen 000007fef59b7fe0 7 bytes JMP 000007fefe910378 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveOutReset 000007fef59ba38c 4 bytes JMP 000007fefe9102d0 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveOutGetVolume 000007fef59d49f0 4 bytes JMP 000007fefe910308 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveOutSetVolume 000007fef59d4ab0 4 bytes JMP 000007fefe910340 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveInClose 000007fef59d52e0 4 bytes JMP 000007fefe9103b0 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveInPrepareHeader 
000007fef59d53c0 4 bytes JMP 000007fefe910490 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveInUnprepareHeader 000007fef59d5454 4 bytes JMP 000007fefe9104c8 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveInAddBuffer 000007fef59d5514 4 bytes JMP 000007fefe910500 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveInStart 000007fef59d55a4 6 bytes JMP 000007fefe9103e8 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveInStop 000007fef59d55e4 6 bytes JMP 000007fefe910420 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveInReset 000007fef59d5624 4 bytes JMP 000007fefe910458 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\WINMM.dll!waveInGetPosition 000007fef59d567c 4 bytes JMP 000007fefe910538 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\DSOUND.dll!DirectSoundCreate8 000007feecfa6944 7 bytes JMP 000007fefe910180 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\DSOUND.dll!DirectSoundCreate 000007feecfc5a84 7 bytes JMP 000007fefe910148 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate 000007feecfc5b90 7 bytes JMP 000007fefe910570 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate8 000007feecfc5c94 7 bytes JMP 000007fefe9105a8 .text C:\Windows\system\HsMgr64.exe[3172] C:\Windows\system32\DSOUND.dll!DirectSoundFullDuplexCreate 000007feecfc5da8 5 bytes JMP 000007fefe9105e0 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075d79d0b 5 bytes JMP 000000011000a4d0 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075d79d4e 5 bytes JMP 000000011000a630 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f61401 2 bytes JMP 
76ffb21b C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f61419 2 bytes JMP 76ffb346 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f61431 2 bytes JMP 77078ea9 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f6144a 2 bytes CALL 76fd48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f614dd 2 bytes JMP 770787a2 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f614f5 2 bytes JMP 77078978 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f6150d 2 bytes JMP 77078698 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f61525 2 bytes JMP 77078a62 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f6153d 2 bytes JMP 76fefca8 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f61555 2 bytes JMP 76ff68ef C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f6156d 2 bytes JMP 77078f61 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f61585 2 
bytes JMP 77078ac2 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f6159d 2 bytes JMP 7707865c C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f615b5 2 bytes JMP 76fefd41 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f615cd 2 bytes JMP 76ffb2dc C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f616b2 2 bytes JMP 77078e24 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f616bd 2 bytes JMP 770785f1 C:\Windows\syswow64\kernel32.dll .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 00000000736f451e 5 bytes JMP 000000011000ab40 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 00000000736f4b6d 5 bytes JMP 000000011000abb0 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 00000000736f4bf2 5 bytes JMP 000000011000ac90 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 00000000736f4f0f 5 bytes JMP 000000011000ac50 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 00000000736f4f7b 5 bytes JMP 000000011000ac10 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 00000000736f9054 5 bytes JMP 000000011000ad10 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 00000000736fadf9 5 bytes JMP 000000011000abe0 .text 
D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000737152e8 5 bytes JMP 000000011000acd0 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007371535f 5 bytes JMP 000000011000acf0 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000737159cc 5 bytes JMP 000000011000ae40 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000073715a6a 5 bytes JMP 000000011000aec0 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000073715ad7 5 bytes JMP 000000011000af00 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000073715b5b 5 bytes JMP 000000011000af40 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000073715bba 5 bytes JMP 000000011000af80 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000073715bee 5 bytes JMP 000000011000b000 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000073715c22 5 bytes JMP 000000011000b060 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000073715c67 5 bytes JMP 000000011000b0d0 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 0000000069987e3d 5 bytes JMP 000000011000a690 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 00000000699bde69 5 bytes JMP 000000011000a770 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 00000000699cd2c5 5 bytes JMP 000000011000a8a0 .text D:\Program Files\RocketDock\RocketDock.exe[3212] 
C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 00000000699cd371 5 bytes JMP 000000011000a990 .text D:\Program Files\RocketDock\RocketDock.exe[3212] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 00000000699cd429 5 bytes JMP 000000011000aa80 ? C:\Windows\system32\mssprxy.dll [3212] entry point in ".rdata" section 0000000060bb71e6 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3576] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075d79d0b 5 bytes JMP 000000011000a4d0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[3576] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075d79d4e 5 bytes JMP 000000011000a630 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f61401 2 bytes JMP 76ffb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f61419 2 bytes JMP 76ffb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f61431 2 bytes JMP 77078ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f6144a 2 bytes CALL 76fd48ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f614dd 2 bytes JMP 770787a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f614f5 2 bytes JMP 77078978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f6150d 2 bytes JMP 77078698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f61525 2 bytes JMP 77078a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f6153d 2 bytes JMP 76fefca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f61555 2 bytes JMP 76ff68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f6156d 2 bytes JMP 77078f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f61585 2 bytes JMP 77078ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f6159d 2 bytes JMP 7707865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f615b5 2 bytes JMP 76fefd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f615cd 2 bytes JMP 76ffb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] 
C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f616b2 2 bytes JMP 77078e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f616bd 2 bytes JMP 770785f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 00000000736f451e 5 bytes JMP 000000010028ab40 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 00000000736f4b6d 5 bytes JMP 000000010028abb0 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 00000000736f4bf2 5 bytes JMP 000000010028ac90 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 00000000736f4f0f 5 bytes JMP 000000010028ac50 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 00000000736f4f7b 5 bytes JMP 000000010028ac10 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 00000000736f9054 5 bytes JMP 000000010028ad10 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 00000000736fadf9 5 bytes JMP 000000010028abe0 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000737152e8 5 bytes JMP 000000010028acd0 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007371535f 5 bytes JMP 000000010028acf0 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000737159cc 5 bytes JMP 000000010028ae40 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000073715a6a 5 bytes JMP 000000010028aec0 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000073715ad7 5 bytes JMP 000000010028af00 .text 
C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000073715b5b 5 bytes JMP 000000010028af40 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000073715bba 5 bytes JMP 000000010028af80 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000073715bee 5 bytes JMP 000000010028b000 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000073715c22 5 bytes JMP 000000010028b060 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000073715c67 5 bytes JMP 000000010028b0d0 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 0000000069987e3d 5 bytes JMP 000000010028a690 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 00000000699bde69 5 bytes JMP 000000010028a770 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 00000000699cd2c5 3 bytes JMP 000000010028a8a0 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate + 4 00000000699cd2c9 1 byte [96] .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 00000000699cd371 3 bytes JMP 000000010028a990 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 + 4 00000000699cd375 1 byte [96] .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 00000000699cd429 3 bytes JMP 000000010028aa80 .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate + 4 00000000699cd42d 1 byte [96] .text C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075d79d0b 5 bytes JMP 000000010028a4d0 .text 
C:\Users\Aveo\Desktop\k0d44q3w.exe[5264] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075d79d4e 5 bytes JMP 000000010028a630 ---- Processes - GMER 2.1 ---- Library C:\Users\Aveo\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1736] (GG drive menu/GG Network S.A.)(2015- 000000005ff80000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57@44d4e076d17f 0x6C 0x2B 0xBA 0x8A ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57@40b0fa3e03be 0x56 0x05 0xCD 0xA2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x48 0x0C 0x36 0x3C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xFE 0x11 0x3D 0x16 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@d0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC2 0x73 0x56 0x2F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57@44d4e076d17f 0x6C 0x2B 0xBA 0x8A ... 
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57@40b0fa3e03be 0x56 0x05 0xCD 0xA2 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x48 0x0C 0x36 0x3C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xFE 0x11 0x3D 0x16 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@d0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC2 0x73 0x56 0x2F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Aveo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intel® Matrix Storage Manager\Intel® Matrix Storage Console.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel® Matrix Storage Manager\Intel® Matrix Storage Console.lnk 1 ---- EOF - GMER 2.1 ----