GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-01-08 12:59:59 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 WDC_WD3200AAKS-75VYA0 rev.12.01B02 298,09GB Running: pozenxzy.exe; Driver: C:\Users\Damian\AppData\Local\Temp\awwdrpog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000153f00 7 bytes [80, 9D, F3, FF, 01, A9, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000153f08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtWaitForSingleObject 000000007718f8bc 5 bytes JMP 0000000176790000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007718f8f0 5 bytes JMP 0000000176d30000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007718f928 5 bytes JMP 0000000176d50000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007718f9e0 5 bytes JMP 00000001769f0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject 000000007718f9f8 5 bytes JMP 0000000176490000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationFile 000000007718fa10 5 bytes JMP 0000000176a10000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 000000007718fa28 5 bytes JMP 0000000176610000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007718fa40 5 bytes JMP 00000001766b0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 000000007718fa90 5 bytes JMP 00000001765d0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007718faa8 5 bytes JMP 0000000176590000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007718fad8 5 bytes JMP 0000000176410000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 000000007718fb40 5 bytes JMP 0000000176730000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007718fc38 5 bytes JMP 0000000176cf0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fc50 5 bytes JMP 0000000176930000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007718fc80 5 bytes JMP 00000001768f0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007718fd4c 5 bytes JMP 00000001766d0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007718fd64 5 bytes JMP 0000000177160000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007718fd98 5 bytes JMP 0000000176850000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007718fdc8 5 bytes JMP 00000001769b0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile 000000007718fdf8 5 bytes JMP 00000001767d0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007718fe44 5 bytes JMP 00000001768d0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007718fe5c 5 bytes JMP 0000000176970000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile 000000007718ff8c 2 bytes JMP 0000000176890000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile + 3 000000007718ff8f 2 bytes [70, FF] .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007718ffa4 2 bytes JMP 00000001769d0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 3 000000007718ffa7 2 bytes [84, FF] .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile 000000007718ffbc 2 bytes JMP 00000001767f0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile + 3 000000007718ffbf 2 bytes [66, FF] .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQuerySection 0000000077190050 5 bytes JMP 0000000176910000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000771900b4 5 bytes JMP 0000000177140000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtWaitForMultipleObjects 0000000077190148 5 bytes JMP 0000000176770000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000771901c4 5 bytes JMP 00000001764f0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheck 0000000077190228 5 bytes JMP 00000001763d0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000771909e4 5 bytes JMP 0000000176d10000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000771909fc 5 bytes JMP 0000000176710000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077190a44 5 bytes JMP 00000001766f0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtExtendSection 0000000077190b1c 5 bytes JMP 0000000176750000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077190b80 5 bytes JMP 0000000176690000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtFlushVirtualMemory 0000000077190bb4 5 bytes JMP 0000000176990000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey 0000000077190e0c 5 bytes JMP 0000000176670000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey2 0000000077190e24 5 bytes JMP 0000000176650000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtLockFile 0000000077190e54 5 bytes JMP 0000000176830000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeDirectoryFile 0000000077190f58 5 bytes JMP 00000001767b0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077190f70 5 bytes JMP 0000000176630000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077191018 5 bytes JMP 00000001765f0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 000000007719133c 5 bytes JMP 00000001768b0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007719147c 5 bytes JMP 00000001765b0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077191528 5 bytes JMP 00000001763f0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077191718 5 bytes JMP 00000001764b0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtReplaceKey 0000000077191748 5 bytes JMP 0000000176570000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtRestoreKey 00000000771917e0 5 bytes JMP 0000000176550000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtSaveKey 0000000077191874 5 bytes JMP 0000000176530000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077191a58 5 bytes JMP 0000000176510000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077191b9c 5 bytes JMP 0000000176950000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtSetVolumeInformationFile 0000000077191c9c 5 bytes JMP 0000000176870000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtUnloadKey 0000000077191e70 5 bytes JMP 00000001764d0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!NtUnlockFile 0000000077191eb8 5 bytes JMP 0000000176810000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!RtlQueryInformationActivationContext 00000000771aba2c 5 bytes JMP 0000000176470000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000771ac4dd 5 bytes JMP 0000000176450000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000771b1287 5 bytes JMP 0000000176430000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007539103d 5 bytes JMP 00000001750d0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075391072 5 bytes JMP 0000000175200000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\kernel32.dll!CreateActCtxW 00000000753991e7 5 bytes JMP 0000000175220000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075412c51 5 bytes JMP 0000000174fa0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserW 0000000074cdc592 5 bytes JMP 0000000174ba0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\ADVAPI32.dll!EncryptFileW 0000000074d127ec 5 bytes JMP 0000000174b80000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\ADVAPI32.dll!DecryptFileW 0000000074d1283b 5 bytes JMP 0000000174b60000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 0000000076ac21e1 5 bytes JMP 00000001763b0000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\ole32.dll!CoGetClassObject 0000000076ae54ad 5 bytes JMP 0000000176310000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076af9d0b 5 bytes JMP 0000000176350000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076af9d4e 5 bytes JMP 0000000176330000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 0000000076b3eacf 5 bytes JMP 0000000176390000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\ole32.dll!CoFreeUnusedLibraries 0000000076b40cc2 5 bytes JMP 0000000176370000 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[1488] C:\Windows\syswow64\ole32.dll!CoRegisterSurrogate 0000000076b909bf 5 bytes JMP 00000001762f0000 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007718fcb0 5 bytes JMP 000000010028091c .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fe14 5 bytes JMP 0000000100280048 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007718fea8 5 bytes JMP 00000001002802ee .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077190004 5 bytes JMP 00000001002804b2 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077190038 5 bytes JMP 00000001002809fe .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077190068 5 bytes JMP 0000000100280ae0 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077190084 5 bytes JMP 0000000100020050 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007719079c 5 bytes JMP 000000010028012a .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007719088c 5 bytes JMP 0000000100280758 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000771908a4 5 bytes JMP 0000000100280676 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077190df4 5 bytes JMP 00000001002803d0 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077191920 5 bytes JMP 0000000100280594 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077191be4 5 bytes JMP 000000010028083a .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077191d70 5 bytes JMP 000000010028020c .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074fc524f 7 bytes JMP 0000000100280f52 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074fc53d0 7 bytes JMP 0000000100630210 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074fc5677 1 byte JMP 0000000100630048 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074fc5679 5 bytes {JMP 0xffffffff8b66a9d1} .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074fc589a 7 bytes JMP 0000000100280ca6 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074fc5a1d 7 bytes JMP 00000001006303d8 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074fc5c9b 7 bytes JMP 000000010063012c .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074fc5d87 7 bytes JMP 00000001006302f4 .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074fc7240 7 bytes JMP 0000000100280e6e .text C:\Users\Damian\Downloads\pozenxzy.exe[1564] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075151492 7 bytes JMP 000000010063059e ---- Threads - GMER 2.1 ---- Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488:2660] 0000000001e3ca30 Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488:2668] 0000000001e3c3c0 Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488:2672] 0000000001e3c3c0 Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488:2648] 0000000001e3c3c0 Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488:2644] 0000000001e3c3c0 Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488:2744] 0000000001e3c3c0 Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488:2736] 0000000001e3c3c0 Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488:2740] 0000000001e3c3c0 Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488:2724] 0000000001e3c3c0 ---- Processes - GMER 2.1 ---- Library :\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\1488\bxsdk32.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488] 0000000010000000 Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\libcurl-4.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488] 0000000070800000 Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\zlib1.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488] 0000000062e80000 Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\pthreadGC2.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [1488] 0000000062480000 ---- EOF - GMER 2.1 ----