GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-23 12:41:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006e SAMSUNG_ rev.1AJ1 465,76GB Running: ykbbv2cu.exe; Driver: C:\Users\123\AppData\Local\Temp\awrdrpog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.1\avp.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000770cfa98 5 bytes JMP 0000000072f92b10 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.1\avp.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000770d0028 5 bytes JMP 0000000072f92ad0 .text C:\Users\123\AppData\Roaming\uTorrent\uTorrent.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077081465 2 bytes [08, 77] .text C:\Users\123\AppData\Roaming\uTorrent\uTorrent.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770814bb 2 bytes [08, 77] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2824] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074ec1bb2 5 bytes JMP 00000000739d8fe0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2824] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074ec1d92 5 bytes JMP 00000000739d904a .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077081465 2 bytes [08, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770814bb 2 bytes [08, 77] .text ... * 2 .text C:\Users\123\AppData\Roaming\uTorrent\updates\3.4.9_42598\utorrentie.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077081465 2 bytes [08, 77] .text C:\Users\123\AppData\Roaming\uTorrent\updates\3.4.9_42598\utorrentie.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770814bb 2 bytes [08, 77] .text ... * 2 .text C:\Users\123\AppData\Roaming\uTorrent\updates\3.4.9_42598\utorrentie.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077081465 2 bytes [08, 77] .text C:\Users\123\AppData\Roaming\uTorrent\updates\3.4.9_42598\utorrentie.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770814bb 2 bytes [08, 77] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077081465 2 bytes [08, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770814bb 2 bytes [08, 77] .text ... * 2 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076ed1398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076ed143f 8 bytes [A0, DB, F6, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 501 0000000076ed1595 7 bytes [DB, F6, 7E, 00, 00, 00, 00] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076ed191e 8 bytes [80, DB, F6, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076ed1bf8 8 bytes [70, DB, F6, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076ed1d75 8 bytes [60, DB, F6, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076ed1edf 8 bytes [50, DB, F6, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076ed1fc5 8 bytes [40, DB, F6, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076ed27b0 8 bytes [30, DB, F6, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076f213e0 8 bytes {JMP QWORD [RIP-0x4f7ee]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076f21560 8 bytes {JMP QWORD [RIP-0x4f7f1]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f21590 8 bytes {JMP QWORD [RIP-0x50157]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f216b0 8 bytes {JMP QWORD [RIP-0x4fd98]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f21760 8 bytes {JMP QWORD [RIP-0x501d2]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f21d90 8 bytes {JMP QWORD [RIP-0x4f5e6]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f21fe0 8 bytes {JMP QWORD [RIP-0x50021]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f22840 8 bytes {JMP QWORD [RIP-0x50967]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000736913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007369146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000736916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000736919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000736919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5540] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073691a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076ed1398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076ed143f 8 bytes [A0, 8B, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 501 0000000076ed1595 7 bytes [8B, F5, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076ed191e 8 bytes [80, 8B, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076ed1bf8 8 bytes [70, 8B, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076ed1d75 8 bytes [60, 8B, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076ed1edf 8 bytes [50, 8B, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076ed1fc5 8 bytes [40, 8B, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076ed27b0 8 bytes [30, 8B, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076f213e0 8 bytes {JMP QWORD [RIP-0x4f7ee]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076f21560 8 bytes {JMP QWORD [RIP-0x4f7f1]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f21590 8 bytes {JMP QWORD [RIP-0x50157]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f216b0 8 bytes {JMP QWORD [RIP-0x4fd98]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f21760 8 bytes {JMP QWORD [RIP-0x501d2]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f21d90 8 bytes {JMP QWORD [RIP-0x4f5e6]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f21fe0 8 bytes {JMP QWORD [RIP-0x50021]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f22840 8 bytes {JMP QWORD [RIP-0x50967]} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000736913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007369146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000736916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000736919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000736919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3596] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073691a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076ed1398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076ed143f 8 bytes [A0, EB, EC, 7E, 00, 00, 00, ...] .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 501 0000000076ed1595 7 bytes {JMP 0xffffffffffffffee} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076ed191e 8 bytes [80, EB, EC, 7E, 00, 00, 00, ...] .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076ed1bf8 8 bytes [70, EB, EC, 7E, 00, 00, 00, ...] .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076ed1d75 8 bytes [60, EB, EC, 7E, 00, 00, 00, ...] .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076ed1edf 8 bytes {PUSH RAX; JMP 0xffffffffffffffef} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076ed1fc5 8 bytes {JMP 0xffffffffffffffef} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076ed27b0 8 bytes [30, EB, EC, 7E, 00, 00, 00, ...] .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076f213e0 8 bytes {JMP QWORD [RIP-0x4f7ee]} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076f21560 8 bytes {JMP QWORD [RIP-0x4f7f1]} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f21590 8 bytes {JMP QWORD [RIP-0x50157]} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f216b0 8 bytes {JMP QWORD [RIP-0x4fd98]} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f21760 8 bytes {JMP QWORD [RIP-0x501d2]} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f21d90 8 bytes {JMP QWORD [RIP-0x4f5e6]} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f21fe0 8 bytes {JMP QWORD [RIP-0x50021]} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f22840 8 bytes {JMP QWORD [RIP-0x50967]} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000736913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007369146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000736916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000736919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000736919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\123\Downloads\ykbbv2cu.exe[3676] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073691a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88005309750] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [77080000] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77080000] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\System32\USER32.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\System32\GDI32.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\System32\ole32.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77080000] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtClose] [77080010] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77080000] IAT C:\Windows\system32\AUDIODG.EXE[1140] @ C:\Windows\system32\WINMM.dll[ntdll.dll!NtClose] [77080010] ---- EOF - GMER 2.2 ----