GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-05-31 11:40:51
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006f TOSHIB_ rev.MS2O 931,51GB
Running: 1gsy1bl4.exe; Driver: C:\Users\Dav\AppData\Local\Temp\pgddqpoc.sys

---- EOF - GMER 2.2 ----