GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-29 12:10:53
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HDT721010SLA360 rev.ST6OA3AA 931,51GB
Running: q9gf9dxd.exe; Driver: C:\Users\Cichy\AppData\Local\Temp\awddykog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 0000000075741401 2 bytes JMP 7757eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 0000000075741419 2 bytes JMP 7758b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 0000000075741431 2 bytes JMP 77608609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 000000007574144a 2 bytes CALL 77561dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 00000000757414dd 2 bytes JMP 77607efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 00000000757414f5 2 bytes JMP 776080d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 000000007574150d 2 bytes JMP 77607df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075741525 2 bytes JMP 776081c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 000000007574153d 2 bytes JMP 7757f088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 0000000075741555 2 bytes JMP 7758b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 000000007574156d 2 bytes JMP 776086c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 0000000075741585 2 bytes JMP 77608222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 000000007574159d 2 bytes JMP 77607db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 00000000757415b5 2 bytes JMP 7757f121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 00000000757415cd 2 bytes JMP 7758b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 00000000757416b2 2 bytes JMP 77608584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3952] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 00000000757416bd 2 bytes JMP 77607d4d C:\Windows\syswow64\kernel32.dll

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- EOF - GMER 2.1 ----