GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-20 00:05:46
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD1002FAEX-00Y9A0 rev.05.01D05 931,51GB
Running: nibdvs4d.exe; Driver: C:\Users\PC\AppData\Local\Temp\uglcraoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000071f717fa 2 bytes CALL 76421199 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000071f71860 2 bytes CALL 76421199 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000071f71942 2 bytes JMP 76d8c29f C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000071f7194d 2 bytes JMP 76d8418d C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754d1401 2 bytes JMP 7643eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754d1419 2 bytes JMP 7644b513 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754d1431 2 bytes JMP 764c8609 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754d144a 2 bytes CALL 76421dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754d14dd 2 bytes JMP 764c7efe C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754d14f5 2 bytes JMP 764c80d8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754d150d 2 bytes JMP 764c7df4 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754d1525 2 bytes JMP 764c81c2 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754d153d 2 bytes JMP 7643f088 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754d1555 2 bytes JMP 7644b885 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754d156d 2 bytes JMP 764c86c1 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754d1585 2 bytes JMP 764c8222 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754d159d 2 bytes JMP 764c7db8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754d15b5 2 bytes JMP 7643f121 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754d15cd 2 bytes JMP 7644b29f C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754d16b2 2 bytes JMP 764c8584 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754d16bd 2 bytes JMP 764c7d4d C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763057fc 5 bytes JMP 000000011000a4d0
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 000000007630583f 5 bytes JMP 000000011000a630
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 0000000074ad45a5 5 bytes JMP 000000011000ab40
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000074ad4d72 5 bytes JMP 000000011000abb0
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000074ad4e60 5 bytes JMP 000000011000ac90
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000074ad52f5 5 bytes JMP 000000011000ac50
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000074ad5361 5 bytes JMP 000000011000ac10
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000074ad8afd 5 bytes JMP 000000011000ad10
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 0000000074adc249 5 bytes JMP 000000011000abe0
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 0000000074af51a0 5 bytes JMP 000000011000acd0
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 0000000074af5217 5 bytes JMP 000000011000acf0
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInClose 0000000074af5884 2 bytes JMP 000000011000ae40
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInClose + 3 0000000074af5887 2 bytes [51, 9B]
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000074af5922 2 bytes JMP 000000011000aec0
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader + 3 0000000074af5925 2 bytes [51, 9B]
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000074af598f 2 bytes JMP 000000011000af00
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader + 3 0000000074af5992 2 bytes [51, 9B]
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000074af5a13 2 bytes JMP 000000011000af40
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer + 3 0000000074af5a16 2 bytes [51, 9B]
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000074af5a72 2 bytes JMP 000000011000af80
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInStart + 3 0000000074af5a75 2 bytes [51, 9B]
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000074af5aa6 2 bytes JMP 000000011000b000
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInStop + 3 0000000074af5aa9 2 bytes [51, 9B]
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000074af5ada 2 bytes JMP 000000011000b060
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInReset + 3 0000000074af5add 2 bytes [51, 9B]
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000074af5b1f 2 bytes JMP 000000011000b0d0
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition + 3 0000000074af5b22 2 bytes [51, 9B]
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006eec7e3d 5 bytes JMP 000000011000a690
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006eefde69 5 bytes JMP 000000011000a770
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006ef0d2c5 5 bytes JMP 000000011000a8a0
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006ef0d371 5 bytes JMP 000000011000a990
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006ef0d429 5 bytes JMP 000000011000aa80
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754d1401 2 bytes JMP 7643eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754d1419 2 bytes JMP 7644b513 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754d1431 2 bytes JMP 764c8609 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754d144a 2 bytes CALL 76421dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754d14dd 2 bytes JMP 764c7efe C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754d14f5 2 bytes JMP 764c80d8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754d150d 2 bytes JMP 764c7df4 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754d1525 2 bytes JMP 764c81c2 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754d153d 2 bytes JMP 7643f088 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754d1555 2 bytes JMP 7644b885 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754d156d 2 bytes JMP 764c86c1 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754d1585 2 bytes JMP 764c8222 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754d159d 2 bytes JMP 764c7db8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754d15b5 2 bytes JMP 7643f121 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754d15cd 2 bytes JMP 7644b29f C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754d16b2 2 bytes JMP 764c8584 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\HsMgr.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754d16bd 2 bytes JMP 764c7d4d C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveOutClose 000007fef9e636ac 5 bytes JMP 000007fefc6901f0
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveOutUnprepareHeader 000007fef9e63770 5 bytes JMP 000007fefc690298
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveOutOpen 000007fef9e638d0 5 bytes JMP 000007fefc6901b8
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveOutPrepareHeader 000007fef9e63ca4 5 bytes JMP 000007fefc690260
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveOutWrite 000007fef9e63d40 5 bytes JMP 000007fefc690228
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveInOpen 000007fef9e67fe0 7 bytes JMP 000007fefc690378
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveOutReset 000007fef9e6a38c 5 bytes JMP 000007fefc6902d0
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveOutGetVolume 000007fef9e849f0 5 bytes JMP 000007fefc690308
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveOutSetVolume 000007fef9e84ab0 5 bytes JMP 000007fefc690340
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveInClose 000007fef9e852e0 5 bytes JMP 000007fefc6903b0
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveInPrepareHeader 000007fef9e853c0 5 bytes JMP 000007fefc690490
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveInUnprepareHeader 000007fef9e85454 5 bytes JMP 000007fefc6904c8
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveInAddBuffer 000007fef9e85514 5 bytes JMP 000007fefc690500
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveInStart 000007fef9e855a4 6 bytes JMP 000007fefc6903e8
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveInStop 000007fef9e855e4 6 bytes JMP 000007fefc690420
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveInReset 000007fef9e85624 5 bytes JMP 000007fefc690458
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\WINMM.dll!waveInGetPosition 000007fef9e8567c 5 bytes JMP 000007fefc690538
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\DSOUND.dll!DirectSoundCreate8 000007fef60c6944 7 bytes JMP 000007fefc690180
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\DSOUND.dll!DirectSoundCreate 000007fef60e5a84 7 bytes JMP 000007fefc690148
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate 000007fef60e5b90 7 bytes JMP 000007fefc690570
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate8 000007fef60e5c94 7 bytes JMP 000007fefc6905a8
.text C:\Windows\system\HsMgr64.exe[2952] C:\Windows\system32\DSOUND.dll!DirectSoundFullDuplexCreate 000007fef60e5da8 5 bytes JMP 000007fefc6905e0
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763057fc 5 bytes JMP 0000000104f3a4d0
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 000000007630583f 5 bytes JMP 0000000104f3a630
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754d1401 2 bytes JMP 7643eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754d1419 2 bytes JMP 7644b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754d1431 2 bytes JMP 764c8609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754d144a 2 bytes CALL 76421dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754d14dd 2 bytes JMP 764c7efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754d14f5 2 bytes JMP 764c80d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754d150d 2 bytes JMP 764c7df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754d1525 2 bytes JMP 764c81c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754d153d 2 bytes JMP 7643f088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754d1555 2 bytes JMP 7644b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754d156d 2 bytes JMP 764c86c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754d1585 2 bytes JMP 764c8222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754d159d 2 bytes JMP 764c7db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754d15b5 2 bytes JMP 7643f121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754d15cd 2 bytes JMP 7644b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754d16b2 2 bytes JMP 764c8584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754d16bd 2 bytes JMP 764c7d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 0000000074ad45a5 5 bytes JMP 0000000104f3ab40
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000074ad4d72 5 bytes JMP 0000000104f3abb0
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000074ad4e60 5 bytes JMP 0000000104f3ac90
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000074ad52f5 5 bytes JMP 0000000104f3ac50
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000074ad5361 5 bytes JMP 0000000104f3ac10
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000074ad8afd 5 bytes JMP 0000000104f3ad10
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 0000000074adc249 5 bytes JMP 0000000104f3abe0
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 0000000074af51a0 5 bytes JMP 0000000104f3acd0
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 0000000074af5217 5 bytes JMP 0000000104f3acf0
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInClose 0000000074af5884 2 bytes JMP 0000000104f3ae40
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInClose + 3 0000000074af5887 2 bytes [44, 90]
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000074af5922 2 bytes JMP 0000000104f3aec0
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader + 3 0000000074af5925 2 bytes [44, 90]
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000074af598f 2 bytes JMP 0000000104f3af00
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader + 3 0000000074af5992 2 bytes [44, 90]
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000074af5a13 2 bytes JMP 0000000104f3af40
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer + 3 0000000074af5a16 2 bytes [44, 90]
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000074af5a72 2 bytes JMP 0000000104f3af80
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInStart + 3 0000000074af5a75 2 bytes [44, 90]
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000074af5aa6 2 bytes JMP 0000000104f3b000
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInStop + 3 0000000074af5aa9 2 bytes [44, 90]
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000074af5ada 2 bytes JMP 0000000104f3b060
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInReset + 3 0000000074af5add 2 bytes [44, 90]
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000074af5b1f 2 bytes JMP 0000000104f3b0d0
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition + 3 0000000074af5b22 2 bytes [44, 90]
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006eec7e3d 5 bytes JMP 0000000104f3a690
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006eefde69 5 bytes JMP 0000000104f3a770
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006ef0d2c5 5 bytes JMP 0000000104f3a8a0
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006ef0d371 5 bytes JMP 0000000104f3a990
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2892] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006ef0d429 5 bytes JMP 0000000104f3aa80
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4004] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763057fc 5 bytes JMP 000000011000a4d0
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4004] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 000000007630583f 5 bytes JMP 000000011000a630
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763057fc 5 bytes JMP 000000011000a4d0
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 000000007630583f 5 bytes JMP 000000011000a630
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 0000000074ad45a5 5 bytes JMP 000000011000ab40
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000074ad4d72 5 bytes JMP 000000011000abb0
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000074ad4e60 5 bytes JMP 000000011000ac90
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000074ad52f5 5 bytes JMP 000000011000ac50
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000074ad5361 5 bytes JMP 000000011000ac10
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000074ad8afd 5 bytes JMP 000000011000ad10
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 0000000074adc249 5 bytes JMP 000000011000abe0
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 0000000074af51a0 5 bytes JMP 000000011000acd0
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 0000000074af5217 5 bytes JMP 000000011000acf0
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInClose 0000000074af5884 2 bytes JMP 000000011000ae40
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInClose + 3 0000000074af5887 2 bytes [51, 9B]
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000074af5922 2 bytes JMP 000000011000aec0
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader + 3 0000000074af5925 2 bytes [51, 9B]
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000074af598f 2 bytes JMP 000000011000af00
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader + 3 0000000074af5992 2 bytes [51, 9B]
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000074af5a13 2 bytes JMP 000000011000af40
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer + 3 0000000074af5a16 2 bytes [51, 9B]
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000074af5a72 2 bytes JMP 000000011000af80
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInStart + 3 0000000074af5a75 2 bytes [51, 9B]
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000074af5aa6 2 bytes JMP 000000011000b000
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInStop + 3 0000000074af5aa9 2 bytes [51, 9B]
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000074af5ada 2 bytes JMP 000000011000b060
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInReset + 3 0000000074af5add 2 bytes [51, 9B]
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000074af5b1f 2 bytes JMP 000000011000b0d0
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition + 3 0000000074af5b22 2 bytes [51, 9B]
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006eec7e3d 5 bytes JMP 000000011000a690
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006eefde69 5 bytes JMP 000000011000a770
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006ef0d2c5 5 bytes JMP 000000011000a8a0
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006ef0d371 5 bytes JMP 000000011000a990
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006ef0d429 5 bytes JMP 000000011000aa80
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754d1401 2 bytes JMP 7643eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754d1419 2 bytes JMP 7644b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754d1431 2 bytes JMP 764c8609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754d144a 2 bytes CALL 76421dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754d14dd 2 bytes JMP 764c7efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754d14f5 2 bytes JMP 764c80d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754d150d 2 bytes JMP 764c7df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754d1525 2 bytes JMP 764c81c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754d153d 2 bytes JMP 7643f088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754d1555 2 bytes JMP 7644b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754d156d 2 bytes JMP 764c86c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754d1585 2 bytes JMP 764c8222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754d159d 2 bytes JMP 764c7db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754d15b5 2 bytes JMP 7643f121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754d15cd 2 bytes JMP 7644b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754d16b2 2 bytes JMP 764c8584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754d16bd 2 bytes JMP 764c7d4d C:\Windows\syswow64\kernel32.dll

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- Processes - GMER 2.1 ----

Library C:\Users\PC\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (*** suspicious ***) @ C:\Windows\explorer.exe [3084] (Dropbox Shell Extension/Dropbox, Inc.)(2013-09-11 02:09:56) 000007fefae80000
Library C:\Users\PC\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll (*** suspicious ***) @ C:\Program Files (x86)\RocketDock\RocketDock.exe [2892] (Dropbox Shell Extension/Dropbox, Inc.)(2013-09-11 02:09:56) 0000000072dc0000

---- EOF - GMER 2.1 ----