GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-07-10 14:19:22
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-0 SAMSUNG_SP1604N rev.TM100-24 149,05GB
Running: g9kc6g96.exe; Driver: C:\Users\Troll\AppData\Local\Temp\pgloipod.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!GetSysColor 0000000076bf6c3c 5 bytes JMP 00000001004bb9c0
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!GetSysColorBrush 0000000076c035a4 3 bytes JMP 00000001004bba20
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!GetSysColorBrush + 4 0000000076c035a8 1 byte [89]
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!GetScrollInfo 0000000076c04018 7 bytes JMP 00000001004bb800
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!SetScrollInfo 0000000076c040cf 7 bytes JMP 00000001004bb8b0
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!ShowScrollBar 0000000076c04162 5 bytes JMP 00000001004bb980
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!GetScrollPos 0000000076c04234 3 bytes JMP 00000001004bb840
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!GetScrollPos + 4 0000000076c04238 1 byte [89]
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!SetScrollPos 0000000076c087a5 3 bytes JMP 00000001004bb8f0
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!SetScrollPos + 4 0000000076c087a9 1 byte [89]
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!EnableScrollBar 0000000076c08d3a 7 bytes JMP 00000001004bb7c0
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!GetScrollRange 0000000076c090c4 3 bytes JMP 00000001004bb870
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!GetScrollRange + 4 0000000076c090c8 1 byte [89]
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\USER32.dll!SetScrollRange 0000000076c1d50b 5 bytes JMP 00000001004bb930
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075331465 2 bytes [33, 75]
.text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753314bb 2 bytes [33, 75]
.text ... * 2
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1420] C:\Windows\syswow64\USER32.dll!GetMenu + 412 0000000076c051dd 7 bytes JMP 0000000110053ac0
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1420] C:\Windows\syswow64\USER32.dll!PeekMessageA + 407 0000000076c0610b 7 bytes JMP 0000000110053c10
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1420] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW + 131 0000000076c0c6c1 7 bytes JMP 0000000110053bf0
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1420] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA + 199 0000000076c4fc98 7 bytes JMP 0000000110053c60
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1420] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW + 52 0000000076c4fcd1 7 bytes JMP 0000000110053d30
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1420] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 31 0000000076c4fcf5 7 bytes JMP 0000000110053ce0
.text C:\Windows\SysWOW64\PnkBstrA.exe[2064] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000713b1a22 2 bytes [3B, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2064] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000713b1ad0 2 bytes [3B, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2064] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000713b1b08 2 bytes [3B, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2064] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000713b1bba 2 bytes [3B, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2064] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000713b1bda 2 bytes [3B, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075331465 2 bytes [33, 75]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753314bb 2 bytes [33, 75]
.text ... * 2
.text C:\Users\Troll\AppData\Local\GamersFirst\LIVE!\Live.exe[3004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075331465 2 bytes [33, 75]
.text C:\Users\Troll\AppData\Local\GamersFirst\LIVE!\Live.exe[3004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753314bb 2 bytes [33, 75]
.text ... * 2
.text C:\Users\Troll\AppData\Roaming\winlogon.exe[1572] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075331465 2 bytes [33, 75]
.text C:\Users\Troll\AppData\Roaming\winlogon.exe[1572] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000753314bb 2 bytes [33, 75]
.text ... * 2
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtWaitForSingleObject 000000007767f8bc 5 bytes JMP 0000000176610000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007767f8f0 5 bytes JMP 0000000176bc0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007767f928 5 bytes JMP 0000000177180000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007767f9e0 5 bytes JMP 0000000176b40000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject 000000007767f9f8 5 bytes JMP 0000000174e40000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationFile 000000007767fa10 5 bytes JMP 0000000176b60000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 000000007767fa28 5 bytes JMP 0000000174fe0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007767fa40 5 bytes JMP 0000000175360000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 000000007767fa90 5 bytes JMP 0000000174fa0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007767faa8 5 bytes JMP 0000000174f60000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007767fad8 5 bytes JMP 0000000174d40000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 000000007767fb40 5 bytes JMP 0000000176160000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007767fc38 5 bytes JMP 0000000176b80000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007767fc50 5 bytes JMP 0000000176970000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007767fc80 5 bytes JMP 0000000176880000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007767fd4c 5 bytes JMP 0000000176100000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007767fd64 5 bytes JMP 0000000177650000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007767fd98 5 bytes JMP 00000001766d0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007767fdc8 5 bytes JMP 0000000176b00000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile 000000007767fdf8 5 bytes JMP 0000000176650000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007767fe44 5 bytes JMP 0000000176860000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007767fe5c 5 bytes JMP 00000001769b0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile 000000007767ff8c 2 bytes JMP 0000000176710000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile + 3 000000007767ff8f 2 bytes [09, FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007767ffa4 2 bytes JMP 0000000176b20000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 3 000000007767ffa7 2 bytes [4A, FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile 000000007767ffbc 2 bytes JMP 0000000176670000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile + 3 000000007767ffbf 2 bytes [FF, FE]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQuerySection 0000000077680050 5 bytes JMP 00000001768a0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776800b4 5 bytes JMP 00000001771a0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtWaitForMultipleObjects 0000000077680148 5 bytes JMP 00000001765f0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000776801c4 5 bytes JMP 0000000174ec0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheck 0000000077680228 5 bytes JMP 0000000174d00000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000776809e4 5 bytes JMP 0000000176ba0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000776809fc 5 bytes JMP 0000000176140000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077680a44 5 bytes JMP 0000000176120000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtExtendSection 0000000077680b1c 5 bytes JMP 00000001765d0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077680b80 5 bytes JMP 0000000175340000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtFlushVirtualMemory 0000000077680bb4 5 bytes JMP 00000001769d0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey 0000000077680e0c 5 bytes JMP 0000000175040000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey2 0000000077680e24 5 bytes JMP 0000000175020000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtLockFile 0000000077680e54 5 bytes JMP 00000001766b0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeDirectoryFile 0000000077680f58 5 bytes JMP 0000000176630000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077680f70 5 bytes JMP 0000000175000000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077681018 5 bytes JMP 0000000174fc0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 000000007768133c 5 bytes JMP 0000000176840000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007768147c 5 bytes JMP 0000000174f80000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077681528 5 bytes JMP 0000000174d20000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077681718 5 bytes JMP 0000000174e80000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtReplaceKey 0000000077681748 5 bytes JMP 0000000174f40000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtRestoreKey 00000000776817e0 5 bytes JMP 0000000174f20000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSaveKey 0000000077681874 5 bytes JMP 0000000174f00000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077681a58 5 bytes JMP 0000000174ee0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077681b9c 5 bytes JMP 0000000176990000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetVolumeInformationFile 0000000077681c9c 5 bytes JMP 00000001766f0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtUnloadKey 0000000077681e70 5 bytes JMP 0000000174ea0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtUnlockFile 0000000077681eb8 3 bytes JMP 0000000176690000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtUnlockFile + 4 0000000077681ebc 1 byte [FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!RtlQueryInformationActivationContext 000000007769ba2c 5 bytes JMP 0000000174e20000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007769c4dd 5 bytes JMP 0000000174d80000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776a1287 5 bytes JMP 0000000174d60000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007619103d 5 bytes JMP 0000000174de0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076191072 5 bytes JMP 0000000174e00000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateActCtxW 000000007619920f 5 bytes JMP 0000000174e60000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076212ff1 5 bytes JMP 0000000174da0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserW 000000007679c532 5 bytes JMP 0000000174dc0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!EncryptFileW 00000000767d28f8 5 bytes JMP 0000000174c00000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!DecryptFileW 00000000767d2947 5 bytes JMP 0000000174be0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 0000000076f721e1 5 bytes JMP 0000000174ce0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\ole32.dll!CoGetClassObject 0000000076f954ad 5 bytes JMP 0000000174c40000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076fa9d0b 5 bytes JMP 0000000174c80000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076fa9d4e 5 bytes JMP 0000000174c60000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 0000000076feeacf 5 bytes JMP 0000000174cc0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\ole32.dll!CoFreeUnusedLibraries 0000000076ff0cc2 5 bytes JMP 0000000174ca0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3256] C:\Windows\syswow64\ole32.dll!CoRegisterSurrogate 00000000770409bf 5 bytes JMP 0000000174c20000

---- Threads - GMER 2.1 ----

Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256:2444] 0000000001f5ca30
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256:3844] 0000000001f5c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256:1324] 0000000001f5c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256:2696] 0000000001f5c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256:3552] 0000000001f5c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256:3556] 0000000001f5c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256:616] 0000000001f5c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256:3820] 0000000001f5c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256:3384] 0000000001f5c3c0

---- Processes - GMER 2.1 ----

Process C:\ProgramData\DatacardService\DCService.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCService.exe [1920](2010-05-08 11:48:36) 0000000000400000
Process C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [1984] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2010-05-08 11:48:26) 0000000000400000
Library C:\Users\Troll\AppData\Local\GamersFirst\LIVE!\libcef.dll (*** suspicious ***) @ C:\Users\Troll\AppData\Local\GamersFirst\LIVE!\Live.exe [3004](2012-04-26 22:38:30) 000000006c8e0000
Library C:\Users\Troll\AppData\Local\GamersFirst\LIVE!\icudt.dll (*** suspicious ***) @ C:\Users\Troll\AppData\Local\GamersFirst\LIVE!\Live.exe [3004] (ICU Data DLL/The ICU Project)(2012-04-26 22:38:30) 0000000067240000
Process C:\Users\Troll\AppData\Roaming\winlogon.exe (*** suspicious ***) @ C:\Users\Troll\AppData\Roaming\winlogon.exe [1572] (Scribblenauts Unlimited Setup /WB Games )(2014-06-29 03:09:59) 0000000000c90000
Library C:\Users\Troll\AppData\Roaming\winlogon.exe (*** suspicious ***) @ C:\Users\Troll\AppData\Roaming\winlogon.exe [1572] (Scribblenauts Unlimited Setup /WB Games )(2014-06-29 03:09:59) 0000000000400000
Process C:\Users\Troll\AppData\Roaming\csrss.exe (*** suspicious ***) @ C:\Users\Troll\AppData\Roaming\csrss.exe [3080] (Scribblenauts Unlimited Setup /WB Games )(2014-06-29 03:09:59) 00000000003d0000
Library :\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\3256\bxsdk32.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256] 0000000010000000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\libcurl-4.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256] 0000000070800000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\zlib1.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256] 0000000062e80000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\pthreadGC2.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3256] 0000000062480000

---- Files - GMER 2.1 ----

File C:\Users\Troll\AppData\Local\Temp\etilqs_TCkP1Z9atjpik0a 0 bytes

---- EOF - GMER 2.1 ----