GMER 2.0.18444 - http://www.gmer.net Rootkit scan 2013-01-14 23:41:34 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006e ATA_____ rev.3E01 298,09GB Running: 10vq4h2d.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\kwrdykog.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075169d0b 5 bytes JMP 000000011000a4d0 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075169d4e 5 bytes JMP 000000011000a630 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 000000007140451e 5 bytes JMP 000000011000ab40 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000071404b6d 5 bytes JMP 000000011000abb0 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000071404bf2 5 bytes JMP 000000011000ac90 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000071404f0f 5 bytes JMP 000000011000ac50 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000071404f7b 5 bytes JMP 000000011000ac10 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000071409054 5 bytes JMP 000000011000ad10 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000007140adf9 5 bytes JMP 000000011000abe0 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000714252e8 5 bytes JMP 000000011000acd0 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007142535f 5 bytes JMP 000000011000acf0 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000714259cc 5 bytes JMP 000000011000ae40 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000071425a6a 5 bytes JMP 000000011000aec0 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000071425ad7 5 bytes JMP 000000011000af00 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000071425b5b 5 bytes JMP 000000011000af40 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000071425bba 5 bytes JMP 000000011000af80 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000071425bee 5 bytes JMP 000000011000b000 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000071425c22 5 bytes JMP 000000011000b060 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000071425c67 5 bytes JMP 000000011000b0d0 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 00000000710a7e3d 5 bytes JMP 000000011000a690 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 00000000710dde69 5 bytes JMP 000000011000a770 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 00000000710ed2c5 5 bytes JMP 000000011000a8a0 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 00000000710ed371 5 bytes JMP 000000011000a990 .text C:\Windows\SysWOW64\HsMgr.exe[3048] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 00000000710ed429 5 bytes JMP 000000011000aa80 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007fefe23de90 5 bytes JMP 000007fffe0e0110 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe257490 11 bytes JMP 000007fffe0e00d8 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveOutClose 000007fef87636ac 5 bytes JMP 000007fefe0e01f0 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveOutUnprepareHeader 000007fef8763770 5 bytes JMP 000007fefe0e0298 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveOutOpen 000007fef87638d0 5 bytes JMP 000007fefe0e01b8 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveOutPrepareHeader 000007fef8763ca4 5 bytes JMP 000007fefe0e0260 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveOutWrite 000007fef8763d40 5 bytes JMP 000007fefe0e0228 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveInOpen 000007fef8767fe0 7 bytes JMP 000007fefe0e0378 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveOutReset 000007fef876a38c 5 bytes JMP 000007fefe0e02d0 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveOutGetVolume 000007fef87849f0 5 bytes JMP 000007fefe0e0308 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveOutSetVolume 000007fef8784ab0 5 bytes JMP 000007fefe0e0340 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveInClose 000007fef87852e0 5 bytes JMP 000007fefe0e03b0 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveInPrepareHeader 000007fef87853c0 5 bytes JMP 000007fefe0e0490 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveInUnprepareHeader 000007fef8785454 5 bytes JMP 000007fefe0e04c8 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveInAddBuffer 000007fef8785514 5 bytes JMP 000007fefe0e0500 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveInStart 000007fef87855a4 6 bytes JMP 000007fefe0e03e8 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveInStop 000007fef87855e4 6 bytes JMP 000007fefe0e0420 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveInReset 000007fef8785624 5 bytes JMP 000007fefe0e0458 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\WINMM.dll!waveInGetPosition 000007fef878567c 5 bytes JMP 000007fefe0e0538 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\DSOUND.dll!DirectSoundCreate8 000007fefa846944 7 bytes JMP 000007fefe0e0180 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\DSOUND.dll!DirectSoundCreate 000007fefa865a84 7 bytes JMP 000007fefe0e0148 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate 000007fefa865b90 7 bytes JMP 000007fefe0e0570 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate8 000007fefa865c94 7 bytes JMP 000007fefe0e05a8 .text C:\Windows\system\HsMgr64.exe[1908] C:\Windows\system32\DSOUND.dll!DirectSoundFullDuplexCreate 000007fefa865da8 5 bytes JMP 000007fefe0e05e0 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 000000007140451e 5 bytes JMP 000000011000ab40 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000071404b6d 5 bytes JMP 000000011000abb0 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000071404bf2 5 bytes JMP 000000011000ac90 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000071404f0f 5 bytes JMP 000000011000ac50 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000071404f7b 5 bytes JMP 000000011000ac10 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000071409054 5 bytes JMP 000000011000ad10 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000007140adf9 5 bytes JMP 000000011000abe0 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000714252e8 5 bytes JMP 000000011000acd0 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007142535f 5 bytes JMP 000000011000acf0 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000714259cc 5 bytes JMP 000000011000ae40 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000071425a6a 5 bytes JMP 000000011000aec0 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000071425ad7 5 bytes JMP 000000011000af00 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000071425b5b 5 bytes JMP 000000011000af40 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000071425bba 5 bytes JMP 000000011000af80 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000071425bee 5 bytes JMP 000000011000b000 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000071425c22 5 bytes JMP 000000011000b060 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000071425c67 5 bytes JMP 000000011000b0d0 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 00000000710a7e3d 5 bytes JMP 000000011000a690 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 00000000710dde69 5 bytes JMP 000000011000a770 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 00000000710ed2c5 5 bytes JMP 000000011000a8a0 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 00000000710ed371 5 bytes JMP 000000011000a990 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 00000000710ed429 5 bytes JMP 000000011000aa80 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075169d0b 5 bytes JMP 000000011000a4d0 .text D:\Desktop\10vq4h2d.exe[3284] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075169d4e 5 bytes JMP 000000011000a630 ---- Threads - GMER 2.0 ---- Thread C:\Program Files (x86)\Common Files\BinarySense\hldasvc.exe [2044:2072] 0000000000384270 ---- EOF - GMER 2.0 ----