GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-13 00:47:55
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST1000DM003-9YN162 rev.CC4C 931,51GB
Running: gd6hr0ii.exe; Driver: C:\Users\ARTURM~1\AppData\Local\Temp\fxldrpow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000e3e00 7 bytes [00, 96, F3, FF, 01, A1, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000e3e08 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077d01465 2 bytes [D0, 77]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077d014bb 2 bytes [D0, 77]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077d01465 2 bytes [D0, 77]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077d014bb 2 bytes [D0, 77]
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000071c01a22 2 bytes [C0, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000071c01ad0 2 bytes [C0, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000071c01b08 2 bytes [C0, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000071c01bba 2 bytes [C0, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000071c01bda 2 bytes [C0, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077d01465 2 bytes [D0, 77]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077d014bb 2 bytes [D0, 77]
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrB.exe[2552] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000071c01a22 2 bytes [C0, 71]
.text C:\Windows\SysWOW64\PnkBstrB.exe[2552] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000071c01ad0 2 bytes [C0, 71]
.text C:\Windows\SysWOW64\PnkBstrB.exe[2552] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000071c01b08 2 bytes [C0, 71]
.text C:\Windows\SysWOW64\PnkBstrB.exe[2552] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000071c01bba 2 bytes [C0, 71]
.text C:\Windows\SysWOW64\PnkBstrB.exe[2552] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000071c01bda 2 bytes [C0, 71]
.text C:\Windows\SysWOW64\PnkBstrB.exe[2552] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077d01465 2 bytes [D0, 77]
.text C:\Windows\SysWOW64\PnkBstrB.exe[2552] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000077d014bb 2 bytes [D0, 77]
.text ... * 2
.text C:\ProgramData\NTKernel\nt32.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077d01465 2 bytes [D0, 77]
.text C:\ProgramData\NTKernel\nt32.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077d014bb 2 bytes [D0, 77]
.text ... * 2
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtWaitForSingleObject 0000000077d4f8bc 5 bytes JMP 00000001771d0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 0000000077d4f8f0 5 bytes JMP 0000000177770000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077d4f928 5 bytes JMP 0000000177790000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d4f9e0 5 bytes JMP 00000001776f0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject 0000000077d4f9f8 5 bytes JMP 0000000176c50000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationFile 0000000077d4fa10 5 bytes JMP 0000000177710000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 0000000077d4fa28 5 bytes JMP 0000000176ee0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077d4fa40 5 bytes JMP 0000000177020000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 0000000077d4fa90 5 bytes JMP 0000000176e90000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077d4faa8 5 bytes JMP 0000000176e50000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d4fad8 5 bytes JMP 0000000176bd0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077d4fb40 5 bytes JMP 0000000177170000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077d4fc38 5 bytes JMP 0000000177730000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d4fc50 5 bytes JMP 0000000177630000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077d4fc80 5 bytes JMP 00000001775f0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 0000000077d4fd4c 5 bytes JMP 0000000177110000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d4fd64 5 bytes JMP 0000000177d20000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077d4fd98 5 bytes JMP 0000000177440000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d4fdc8 5 bytes JMP 00000001776b0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile 0000000077d4fdf8 5 bytes JMP 0000000177210000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077d4fe44 5 bytes JMP 00000001775d0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 0000000077d4fe5c 5 bytes JMP 0000000177670000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile 0000000077d4ff8c 2 bytes JMP 0000000177590000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile + 3 0000000077d4ff8f 2 bytes [84, FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d4ffa4 2 bytes JMP 00000001776d0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 3 0000000077d4ffa7 2 bytes [98, FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile 0000000077d4ffbc 2 bytes JMP 00000001773e0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile + 3 0000000077d4ffbf 2 bytes [69, FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQuerySection 0000000077d50050 5 bytes JMP 0000000177610000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d500b4 5 bytes JMP 0000000177d00000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtWaitForMultipleObjects 0000000077d50148 5 bytes JMP 00000001771b0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077d501c4 5 bytes JMP 0000000176cb0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheck 0000000077d50228 5 bytes JMP 0000000176b90000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077d509e4 5 bytes JMP 0000000177750000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077d509fc 5 bytes JMP 0000000177150000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077d50a44 5 bytes JMP 0000000177130000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtExtendSection 0000000077d50b1c 5 bytes JMP 0000000177190000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077d50b80 5 bytes JMP 0000000177000000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtFlushVirtualMemory 0000000077d50bb4 5 bytes JMP 0000000177690000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey 0000000077d50e0c 5 bytes JMP 0000000176fe0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey2 0000000077d50e24 5 bytes JMP 0000000176fc0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtLockFile 0000000077d50e54 5 bytes JMP 0000000177420000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeDirectoryFile 0000000077d50f58 5 bytes JMP 00000001771f0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077d50f70 5 bytes JMP 0000000176fa0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077d51018 5 bytes JMP 0000000176ec0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 0000000077d5133c 5 bytes JMP 00000001775b0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077d5147c 5 bytes JMP 0000000176e70000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077d51528 5 bytes JMP 0000000176bb0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077d51718 5 bytes JMP 0000000176c70000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtReplaceKey 0000000077d51748 5 bytes JMP 0000000176e30000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtRestoreKey 0000000077d517e0 5 bytes JMP 0000000176d10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtSaveKey 0000000077d51874 5 bytes JMP 0000000176cf0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077d51a58 5 bytes JMP 0000000176cd0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077d51b9c 5 bytes JMP 0000000177650000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtSetVolumeInformationFile 0000000077d51c9c 5 bytes JMP 0000000177570000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtUnloadKey 0000000077d51e70 5 bytes JMP 0000000176c90000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtUnlockFile 0000000077d51eb8 5 bytes JMP 0000000177400000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!RtlQueryInformationActivationContext 0000000077d6ba2c 5 bytes JMP 0000000176c30000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 0000000176c10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 0000000176bf0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075f7103d 5 bytes JMP 0000000175f10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075f71072 5 bytes JMP 0000000175f30000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\kernel32.dll!CreateActCtxW 0000000075f791e7 5 bytes JMP 0000000175f50000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075ff2c51 5 bytes JMP 0000000175ef0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserW 000000007598c532 5 bytes JMP 0000000175970000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\ADVAPI32.dll!EncryptFileW 00000000759c28f8 5 bytes JMP 0000000175950000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\ADVAPI32.dll!DecryptFileW 00000000759c2947 5 bytes JMP 0000000175930000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 00000000772421e1 5 bytes JMP 0000000176b70000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000772654ad 5 bytes JMP 0000000176ad0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077279d0b 5 bytes JMP 0000000176b10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000077279d4e 5 bytes JMP 0000000176af0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 00000000772beacf 5 bytes JMP 0000000176b50000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\ole32.dll!CoFreeUnusedLibraries 00000000772c0cc2 5 bytes JMP 0000000176b30000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\ole32.dll!CoRegisterSurrogate 00000000773109bf 5 bytes JMP 0000000176ab0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 18 0000000005aa1402 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 18 0000000005aa141a 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 18 0000000005aa1432 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 43 0000000005aa144b 1 byte [05]
.text ... * 9
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 18 0000000005aa14de 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 18 0000000005aa14f6 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 18 0000000005aa150e 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 18 0000000005aa1526 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 18 0000000005aa153e 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 18 0000000005aa1556 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 18 0000000005aa156e 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 18 0000000005aa1586 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 18 0000000005aa159e 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 18 0000000005aa15b6 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 18 0000000005aa15ce 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 21 0000000005aa16b3 1 byte [05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 32 0000000005aa16be 1 byte [05]

---- Threads - GMER 2.1 ----

Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940:4044] 000000000032ca30
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940:4048] 000000000032c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940:4052] 000000000032c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940:4056] 000000000032c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940:4060] 000000000032c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940:4064] 000000000032c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940:4068] 000000000032c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940:4072] 000000000032c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940:4076] 000000000032c3c0
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4184:4628] 000007fefbd82a7c
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4184:4940] 000007fef6965124

---- Processes - GMER 2.1 ----

Process C:\ProgramData\NTKernel\nt32.exe (*** suspicious ***) @ C:\ProgramData\NTKernel\nt32.exe [3328](2014-02-09 20:32:34) 0000000001030000
Library C:\ProgramData\NTKernel\nt32.exe (*** suspicious ***) @ C:\ProgramData\NTKernel\nt32.exe [3328](2014-02-09 20:32:34) 0000000000400000
Library :\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\3940\bxsdk32.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940] 0000000010000000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\libcurl-4.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940] 0000000070800000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\zlib1.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940] 0000000062e80000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\pthreadGC2.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3940] 0000000062480000

---- Registry - GMER 2.1 ----

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Program Files (x86)\Battlefield 3\x2122\__Installer\vc\vc2008sp1\redist\vcredist_x64.exe 1

---- EOF - GMER 2.1 ----