GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-21 13:02:45 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 ST3250410AS rev.3.AAF 232,89GB Running: xklxuil8.exe; Driver: D:\Users\Mistrz\AppData\Local\Temp\ugrdrpob.sys ---- User code sections - GMER 2.1 ---- .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077701401 2 bytes JMP 759feb26 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077701419 2 bytes JMP 75a0b513 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077701431 2 bytes JMP 75a88609 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007770144a 2 bytes CALL 759e1dfa D:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777014dd 2 bytes JMP 75a87efe D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777014f5 2 bytes JMP 75a880d8 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007770150d 2 bytes JMP 75a87df4 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077701525 2 bytes JMP 75a881c2 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007770153d 2 bytes JMP 759ff088 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077701555 2 bytes JMP 75a0b885 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007770156d 2 bytes JMP 75a886c1 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077701585 2 bytes JMP 75a88222 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007770159d 2 bytes JMP 75a87db8 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777015b5 2 bytes JMP 759ff121 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777015cd 2 bytes JMP 75a0b29f D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777016b2 2 bytes JMP 75a88584 D:\Windows\syswow64\kernel32.dll .text D:\Windows\system32\PnkBstrA.exe[1508] D:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777016bd 2 bytes JMP 75a87d4d D:\Windows\syswow64\kernel32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000077701401 2 bytes JMP 759feb26 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000077701419 2 bytes JMP 75a0b513 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000077701431 2 bytes JMP 75a88609 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007770144a 2 bytes CALL 759e1dfa D:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000777014dd 2 bytes JMP 75a87efe D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000777014f5 2 bytes JMP 75a880d8 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007770150d 2 bytes JMP 75a87df4 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000077701525 2 bytes JMP 75a881c2 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007770153d 2 bytes JMP 759ff088 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000077701555 2 bytes JMP 75a0b885 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007770156d 2 bytes JMP 75a886c1 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000077701585 2 bytes JMP 75a88222 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007770159d 2 bytes JMP 75a87db8 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000777015b5 2 bytes JMP 759ff121 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000777015cd 2 bytes JMP 75a0b29f D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000777016b2 2 bytes JMP 75a88584 D:\Windows\syswow64\KERNEL32.dll .text D:\NTKernel\nt32.exe[3336] D:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000777016bd 2 bytes JMP 75a87d4d D:\Windows\syswow64\KERNEL32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtWaitForSingleObject 000000007774f85c 5 bytes JMP 0000000177110000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007774f890 5 bytes JMP 0000000177510000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007774f8c8 5 bytes JMP 0000000177530000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtClose 000000007774f980 5 bytes JMP 0000000177490000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQueryObject 000000007774f998 5 bytes JMP 0000000176d10000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQueryInformationFile 000000007774f9b0 5 bytes JMP 00000001774b0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtOpenKey 000000007774f9c8 5 bytes JMP 0000000176f90000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007774f9e0 5 bytes JMP 0000000177030000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQueryKey 000000007774fa30 5 bytes JMP 0000000176e50000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007774fa48 5 bytes JMP 0000000176e10000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007774fa78 5 bytes JMP 0000000176c90000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtCreateKey 000000007774fae0 5 bytes JMP 00000001770b0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007774fbd8 5 bytes JMP 00000001774d0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007774fbf0 5 bytes JMP 00000001773d0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007774fc20 5 bytes JMP 0000000177390000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007774fcec 5 bytes JMP 0000000177050000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007774fd04 5 bytes JMP 0000000177720000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007774fd38 5 bytes JMP 00000001771d0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007774fd68 5 bytes JMP 0000000177450000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtFsControlFile 000000007774fd98 5 bytes JMP 0000000177150000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007774fde4 5 bytes JMP 0000000177370000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007774fdfc 5 bytes JMP 0000000177410000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile 000000007774ff2c 2 bytes JMP 0000000177210000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile + 3 000000007774ff2f 2 bytes [AC, FF] .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007774ff44 2 bytes JMP 0000000177470000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 3 000000007774ff47 2 bytes [D2, FF] .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile 000000007774ff5c 2 bytes JMP 0000000177170000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile + 3 000000007774ff5f 2 bytes [A2, FF] .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQuerySection 000000007774fff0 2 bytes JMP 00000001773b0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQuerySection + 3 000000007774fff3 2 bytes [C6, FF] .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077750054 5 bytes JMP 0000000177700000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtWaitForMultipleObjects 00000000777500e8 5 bytes JMP 00000001770f0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077750164 5 bytes JMP 0000000176d70000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtAccessCheck 00000000777501c8 5 bytes JMP 0000000176c50000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077750984 5 bytes JMP 00000001774f0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 000000007775099c 5 bytes JMP 0000000177090000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000777509e4 5 bytes JMP 0000000177070000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtExtendSection 0000000077750abc 5 bytes JMP 00000001770d0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077750b20 5 bytes JMP 0000000177010000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtFlushVirtualMemory 0000000077750b54 5 bytes JMP 0000000177430000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtLoadKey 0000000077750dac 5 bytes JMP 0000000176ff0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtLoadKey2 0000000077750dc4 5 bytes JMP 0000000176fd0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtLockFile 0000000077750df4 5 bytes JMP 00000001771b0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeDirectoryFile 0000000077750ef8 5 bytes JMP 0000000177130000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077750f10 1 byte JMP 0000000176fb0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey + 2 0000000077750f12 3 bytes {JMP 0xfffffffffffffff2} .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077750fb8 5 bytes JMP 0000000176f70000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000777512dc 5 bytes JMP 0000000177350000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007775141c 5 bytes JMP 0000000176e30000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000777514c8 5 bytes JMP 0000000176c70000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtRenameKey 00000000777516b8 5 bytes JMP 0000000176d30000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtReplaceKey 00000000777516e8 5 bytes JMP 0000000176df0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtRestoreKey 0000000077751780 5 bytes JMP 0000000176dd0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtSaveKey 0000000077751814 5 bytes JMP 0000000176db0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000777519f8 5 bytes JMP 0000000176d90000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077751b3c 5 bytes JMP 00000001773f0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtSetVolumeInformationFile 0000000077751c3c 5 bytes JMP 00000001771f0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtUnloadKey 0000000077751e10 5 bytes JMP 0000000176d50000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!NtUnlockFile 0000000077751e58 5 bytes JMP 0000000177190000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!RtlQueryInformationActivationContext 000000007776b870 5 bytes JMP 0000000176cf0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007776c0a2 5 bytes JMP 0000000176cd0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077771067 5 bytes JMP 0000000176cb0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000759e102d 5 bytes JMP 0000000175980000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000759e1062 5 bytes JMP 00000001759a0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\kernel32.dll!CreateActCtxW 00000000759ea17a 5 bytes JMP 00000001759c0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\kernel32.dll!WinExec 0000000075a62ec9 5 bytes JMP 0000000175960000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserW 0000000074fbbbdb 5 bytes JMP 0000000174f10000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\ADVAPI32.dll!EncryptFileW 0000000074ff17b4 5 bytes JMP 0000000174d90000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\ADVAPI32.dll!DecryptFileW 0000000074ff1803 5 bytes JMP 0000000174d70000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\ole32.dll!CoRegisterClassObject 00000000753511f5 5 bytes JMP 00000001752d0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\ole32.dll!CoRevokeClassObject 0000000075352a75 5 bytes JMP 00000001752b0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007537a2d4 5 bytes JMP 0000000174dd0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000753957fc 1 byte JMP 0000000174e10000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\ole32.dll!CoCreateInstance + 2 00000000753957fe 3 bytes {JMP 0xffffffffffa7a804} .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 000000007539583f 5 bytes JMP 0000000174df0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\ole32.dll!CoFreeUnusedLibraries 0000000075399973 5 bytes JMP 0000000175290000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\ole32.dll!CoRegisterSurrogate 000000007542031b 5 bytes JMP 0000000174db0000 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000005bd1401 2 bytes JMP 759feb26 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000005bd1419 2 bytes JMP 75a0b513 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000005bd1431 2 bytes JMP 75a88609 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000005bd144a 2 bytes CALL 759e1dfa D:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000005bd14dd 2 bytes JMP 75a87efe D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000005bd14f5 2 bytes JMP 75a880d8 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000005bd150d 2 bytes JMP 75a87df4 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000005bd1525 2 bytes JMP 75a881c2 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000005bd153d 2 bytes JMP 759ff088 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000005bd1555 2 bytes JMP 75a0b885 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000005bd156d 2 bytes JMP 75a886c1 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000005bd1585 2 bytes JMP 75a88222 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000005bd159d 2 bytes JMP 75a87db8 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000005bd15b5 2 bytes JMP 759ff121 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000005bd15cd 2 bytes JMP 75a0b29f D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000005bd16b2 2 bytes JMP 75a88584 D:\Windows\syswow64\kernel32.dll .text D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3672] D:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000005bd16bd 2 bytes JMP 75a87d4d D:\Windows\syswow64\kernel32.dll ---- Threads - GMER 2.1 ---- Thread D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672:3824] 000000000059ca30 Thread D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672:3828] 000000000059c3c0 Thread D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672:3832] 000000000059c3c0 Thread D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672:3836] 000000000059c3c0 Thread D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672:3840] 000000000059c3c0 Thread D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672:3844] 000000000059c3c0 Thread D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672:3848] 000000000059c3c0 Thread D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672:3852] 000000000059c3c0 Thread D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672:3856] 000000000059c3c0 ---- Processes - GMER 2.1 ---- Process D:\NTKernel\nt32.exe (*** suspicious ***) @ D:\NTKernel\nt32.exe [3336](2014-02-05 15:55:18) 0000000000a40000 Library D:\NTKernel\nt32.exe (*** suspicious ***) @ D:\NTKernel\nt32.exe [3336](2014-02-05 15:55:18) 0000000000400000 Library :\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\3672\bxsdk32.dll (*** suspicious ***) @ D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672] 0000000010000000 Library D:\Windows\Microsoft.NET\Framework\v2.0.50727\libcurl-4.dll (*** suspicious ***) @ D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672] 0000000070800000 Library D:\Windows\Microsoft.NET\Framework\v2.0.50727\zlib1.dll (*** suspicious ***) @ D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672] 0000000062e80000 Library D:\Windows\Microsoft.NET\Framework\v2.0.50727\pthreadGC2.dll (*** suspicious ***) @ D:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3672] 0000000062480000 Library D:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B91CC1DB-CBAE-4D17-A9C6-9B30DF4931D7}\mpengine.dll (*** suspicious ***) @ D:\Windows\System32\svchost.exe [1640] (Microsoft Malware Protection Engine/Microsoft Corporation)(2013-07-19 18:00:57) 000007feec660000 Library D:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B91CC1DB-CBAE-4D17-A9C6-9B30DF4931D7}\offreg.dll (*** suspicious ***) @ D:\Windows\System32\svchost.exe [1640](2014-08-21 10:44:31) 000007feede40000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x09 0x6E 0x8B 0xC0 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6A 0x2D 0x21 0xE4 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x98 0xA6 0x8C 0x77 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x43 0x93 0xF6 0x39 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA7 0x6D 0xAB 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6A 0x2D 0x21 0xE4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x91 0xEF 0xC8 0x9C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x43 0x93 0xF6 0x39 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA7 0x6D 0xAB 0x27 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6A 0x2D 0x21 0xE4 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x91 0xEF 0xC8 0x9C ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x43 0x93 0xF6 0x39 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@H:\GRY NA iPHONA\ader\3D Sexvilla 2 + 405 Mod\3D Sexvilla 2 + 405 Mod\Step 1\3D Sexvilla 2.058.002 OxS!\xae.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@SIGN.MEDIA=1F8BA1B4 Zoo Tycoon 2 \xae Ultimate Collection with save+Extras\Zoo Tycoon 2\Setup.Exe 1 ---- EOF - GMER 2.1 ----