GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-01 20:37:59 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0001SDM1 465,76GB Running: yugbsd4m.exe; Driver: C:\Users\Jurek\AppData\Local\Temp\awddykog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076971401 2 bytes JMP 7716b1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076971419 2 bytes JMP 7716b31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076971431 2 bytes JMP 771e8f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007697144a 2 bytes CALL 77144885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769714dd 2 bytes JMP 771e8802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769714f5 2 bytes JMP 771e89d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007697150d 2 bytes JMP 771e86f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076971525 2 bytes JMP 771e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007697153d 2 bytes JMP 7715fc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076971555 2 bytes JMP 771668bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007697156d 2 bytes JMP 771e8fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076971585 2 bytes JMP 771e8b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007697159d 2 bytes JMP 771e86bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769715b5 2 bytes JMP 7715fd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769715cd 2 bytes JMP 7716b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769716b2 2 bytes JMP 771e8e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe[808] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769716bd 2 bytes JMP 771e8651 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076971401 2 bytes JMP 7716b1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076971419 2 bytes JMP 7716b31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076971431 2 bytes JMP 771e8f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007697144a 2 bytes CALL 77144885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769714dd 2 bytes JMP 771e8802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769714f5 2 bytes JMP 771e89d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007697150d 2 bytes JMP 771e86f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076971525 2 bytes JMP 771e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007697153d 2 bytes JMP 7715fc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076971555 2 bytes JMP 771668bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007697156d 2 bytes JMP 771e8fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076971585 2 bytes JMP 771e8b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007697159d 2 bytes JMP 771e86bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769715b5 2 bytes JMP 7715fd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769715cd 2 bytes JMP 7716b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769716b2 2 bytes JMP 771e8e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769716bd 2 bytes JMP 771e8651 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076971401 2 bytes JMP 7716b1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076971419 2 bytes JMP 7716b31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076971431 2 bytes JMP 771e8f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007697144a 2 bytes CALL 77144885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769714dd 2 bytes JMP 771e8802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769714f5 2 bytes JMP 771e89d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007697150d 2 bytes JMP 771e86f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076971525 2 bytes JMP 771e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007697153d 2 bytes JMP 7715fc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076971555 2 bytes JMP 771668bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007697156d 2 bytes JMP 771e8fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076971585 2 bytes JMP 771e8b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007697159d 2 bytes JMP 771e86bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769715b5 2 bytes JMP 7715fd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769715cd 2 bytes JMP 7716b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769716b2 2 bytes JMP 771e8e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Rising\RSD\popwndexe.exe[2448] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769716bd 2 bytes JMP 771e8651 C:\Windows\syswow64\kernel32.dll ---- EOF - GMER 2.2 ----