GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-12 19:39:56 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 TOSHIBA_MQ01ABD050 rev.AX002J 465,76GB Running: gt5td1bd.exe; Driver: C:\Users\Oli\AppData\Local\Temp\pwldapob.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff9600009ca00 15 bytes {ADD BL, CH; JMP 0x5} .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff9600009ca10 11 bytes [00, D6, FB, FF, 40, AA, BF, ...] ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffdb5073e10 7 bytes JMP 00007ffdb2ec0260 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffdb5073e20 7 bytes JMP 00007ffdb2ec0298 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffdb51239b0 3 bytes JMP 00007ffdb2ec0340 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW + 4 00007ffdb51239b4 3 bytes [FD, CC, CC] .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffdb5123ef0 7 bytes JMP 00007ffdb2ec02d0 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffdb5123fe0 7 bytes JMP 00007ffdb2ec0308 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffdb51506c0 7 bytes JMP 00007ffdb2ec01f0 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffdb5150730 7 bytes JMP 00007ffdb2ec0228 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffdb2f02020 7 bytes JMP 00007ffdb2ec00d8 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffdb2f024f0 5 bytes JMP 00007ffdb2ec0180 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffdb2f043d0 5 bytes JMP 00007ffdb2ec0110 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffdb2f08d10 5 bytes JMP 00007ffdb2ec0148 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffdb2f7ed00 5 bytes JMP 00007ffdb2ec01b8 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffdb5546d80 10 bytes JMP 00007ffdb2ec0458 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffdb55555c0 5 bytes JMP 00007ffdb2ec03e8 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffdb5555680 9 bytes JMP 00007ffdb2ec0378 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffdb5555850 5 bytes JMP 00007ffdb2ec0420 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffdb555b080 5 bytes JMP 00007ffdb2ec03b0 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffdb4f21500 1 byte JMP 00007ffdb2ec0490 .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffdb4f21502 6 bytes {JMP 0xfffffffffdf9ef90} .text C:\WINDOWS\system32\dwm.exe[852] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffdb4f21750 8 bytes JMP 00007ffdb2ec04c8 .text C:\Program Files\ESET\ESET Security\ekrn.exe[860] C:\WINDOWS\system32\KERNEL32.DLL!SetUnhandledExceptionFilter 00007ffdb50747d0 4 bytes [C3, 00, 00, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffdb5073e10 7 bytes JMP 00007ffdb2ec0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffdb5073e20 7 bytes JMP 00007ffdb2ec0298 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffdb51239b0 3 bytes JMP 00007ffdb2ec0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW + 4 00007ffdb51239b4 3 bytes [FD, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffdb5123ef0 7 bytes JMP 00007ffdb2ec02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffdb5123fe0 7 bytes JMP 00007ffdb2ec0308 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffdb51506c0 7 bytes JMP 00007ffdb2ec01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffdb5150730 7 bytes JMP 00007ffdb2ec0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffdb2f02020 7 bytes JMP 00007ffdb2ec00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffdb2f024f0 5 bytes JMP 00007ffdb2ec0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffdb2f043d0 5 bytes JMP 00007ffdb2ec0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffdb2f08d10 5 bytes JMP 00007ffdb2ec0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffdb2f7ed00 5 bytes JMP 00007ffdb2ec01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffdb380a280 7 bytes JMP 00007ffdb2ec0500 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffdb383caf0 5 bytes JMP 00007ffdb2ec0538 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffdb5546d80 10 bytes JMP 00007ffdb2ec0458 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffdb55555c0 5 bytes JMP 00007ffdb2ec03e8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffdb5555680 9 bytes JMP 00007ffdb2ec0378 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffdb5555850 5 bytes JMP 00007ffdb2ec0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffdb555b080 5 bytes JMP 00007ffdb2ec03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffdb4f21500 1 byte JMP 00007ffdb2ec0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffdb4f21502 6 bytes {JMP 0xfffffffffdf9ef90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1472] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffdb4f21750 8 bytes JMP 00007ffdb2ec04c8 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffdb5073e10 7 bytes JMP 00007ffdb2ec0260 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffdb5073e20 7 bytes JMP 00007ffdb2ec0298 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffdb51239b0 3 bytes JMP 00007ffdb2ec0340 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW + 4 00007ffdb51239b4 3 bytes [FD, CC, CC] .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffdb5123ef0 7 bytes JMP 00007ffdb2ec02d0 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffdb5123fe0 7 bytes JMP 00007ffdb2ec0308 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffdb51506c0 7 bytes JMP 00007ffdb2ec01f0 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffdb5150730 7 bytes JMP 00007ffdb2ec0228 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffdb2f02020 7 bytes JMP 00007ffdb2ec00d8 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffdb2f024f0 5 bytes JMP 00007ffdb2ec0180 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffdb2f043d0 5 bytes JMP 00007ffdb2ec0110 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffdb2f08d10 5 bytes JMP 00007ffdb2ec0148 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffdb2f7ed00 5 bytes JMP 00007ffdb2ec01b8 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW 00007ffdb5546d80 10 bytes JMP 00007ffdb2ec0458 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\SYSTEM32\user32.dll!EnumDisplayDevicesW 00007ffdb55555c0 5 bytes JMP 00007ffdb2ec03e8 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\SYSTEM32\user32.dll!DisplayConfigGetDeviceInfo 00007ffdb5555680 9 bytes JMP 00007ffdb2ec0378 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\SYSTEM32\user32.dll!ChangeDisplaySettingsExW 00007ffdb5555850 5 bytes JMP 00007ffdb2ec0420 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\SYSTEM32\user32.dll!EnumDisplayDevicesA 00007ffdb555b080 5 bytes JMP 00007ffdb2ec03b0 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffdb4f21500 1 byte JMP 00007ffdb2ec0490 .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffdb4f21502 6 bytes {JMP 0xfffffffffdf9ef90} .text C:\WINDOWS\system32\taskhostex.exe[2116] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffdb4f21750 8 bytes JMP 00007ffdb2ec04c8 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffdb5073e10 7 bytes JMP 00007ffdb2ec0260 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffdb5073e20 7 bytes JMP 00007ffdb2ec0298 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffdb51239b0 3 bytes JMP 00007ffdb2ec0340 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW + 4 00007ffdb51239b4 3 bytes [FD, CC, CC] .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffdb5123ef0 7 bytes JMP 00007ffdb2ec02d0 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffdb5123fe0 7 bytes JMP 00007ffdb2ec0308 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffdb51506c0 7 bytes JMP 00007ffdb2ec01f0 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffdb5150730 7 bytes JMP 00007ffdb2ec0228 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffdb2f02020 7 bytes JMP 00007ffdb2ec00d8 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffdb2f024f0 5 bytes JMP 00007ffdb2ec0180 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffdb2f043d0 5 bytes JMP 00007ffdb2ec0110 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffdb2f08d10 5 bytes JMP 00007ffdb2ec0148 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffdb2f7ed00 5 bytes JMP 00007ffdb2ec01b8 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffdb5546d80 10 bytes JMP 00007ffdb2ec0458 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffdb55555c0 5 bytes JMP 00007ffdb2ec03e8 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffdb5555680 9 bytes JMP 00007ffdb2ec0378 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffdb5555850 5 bytes JMP 00007ffdb2ec0420 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffdb555b080 5 bytes JMP 00007ffdb2ec03b0 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffdb4f21500 1 byte JMP 00007ffdb2ec0490 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffdb4f21502 6 bytes {JMP 0xfffffffffdf9ef90} .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffdb4f21750 8 bytes JMP 00007ffdb2ec04c8 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffdb380a280 7 bytes JMP 00007ffdb2ec0500 .text C:\Program Files\ESET\ESET Security\egui.exe[2136] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffdb383caf0 5 bytes JMP 00007ffdb2ec0538 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffdb5073e10 7 bytes JMP 00007ffdb2ec0260 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffdb5073e20 7 bytes JMP 00007ffdb2ec0298 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffdb51239b0 3 bytes JMP 00007ffdb2ec0340 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW + 4 00007ffdb51239b4 3 bytes [FD, CC, CC] .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffdb5123ef0 7 bytes JMP 00007ffdb2ec02d0 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffdb5123fe0 7 bytes JMP 00007ffdb2ec0308 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffdb51506c0 7 bytes JMP 00007ffdb2ec01f0 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffdb5150730 7 bytes JMP 00007ffdb2ec0228 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffdb2f02020 7 bytes JMP 00007ffdb2ec00d8 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffdb2f024f0 5 bytes JMP 00007ffdb2ec0180 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffdb2f043d0 5 bytes JMP 00007ffdb2ec0110 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffdb2f08d10 5 bytes JMP 00007ffdb2ec0148 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffdb2f7ed00 5 bytes JMP 00007ffdb2ec01b8 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffdb5546d80 10 bytes JMP 00007ffdb2ec0458 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffdb55555c0 5 bytes JMP 00007ffdb2ec03e8 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffdb5555680 9 bytes JMP 00007ffdb2ec0378 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffdb5555850 5 bytes JMP 00007ffdb2ec0420 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffdb555b080 5 bytes JMP 00007ffdb2ec03b0 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffdb4f21500 1 byte JMP 00007ffdb2ec0490 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffdb4f21502 6 bytes {JMP 0xfffffffffdf9ef90} .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffdb4f21750 8 bytes JMP 00007ffdb2ec04c8 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffdb380a280 7 bytes JMP 00007ffdb2ec0500 .text C:\Windows\System32\igfxpers.exe[2944] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffdb383caf0 5 bytes JMP 00007ffdb2ec0538 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffdb5073e10 7 bytes JMP 00007ffdb2ec0260 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffdb5073e20 7 bytes JMP 00007ffdb2ec0298 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffdb51239b0 3 bytes JMP 00007ffdb2ec0340 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW + 4 00007ffdb51239b4 3 bytes [FD, CC, CC] .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffdb5123ef0 7 bytes JMP 00007ffdb2ec02d0 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffdb5123fe0 7 bytes JMP 00007ffdb2ec0308 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffdb51506c0 7 bytes JMP 00007ffdb2ec01f0 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffdb5150730 7 bytes JMP 00007ffdb2ec0228 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffdb2f02020 7 bytes JMP 00007ffdb2ec00d8 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffdb2f024f0 5 bytes JMP 00007ffdb2ec0180 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffdb2f043d0 5 bytes JMP 00007ffdb2ec0110 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffdb2f08d10 5 bytes JMP 00007ffdb2ec0148 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffdb2f7ed00 5 bytes JMP 00007ffdb2ec01b8 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffdb4f21500 1 byte JMP 00007ffdb2ec0490 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffdb4f21502 6 bytes {JMP 0xfffffffffdf9ef90} .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffdb4f21750 8 bytes JMP 00007ffdb2ec04c8 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffdb5546d80 10 bytes JMP 00007ffdb2ec0458 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffdb55555c0 5 bytes JMP 00007ffdb2ec03e8 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffdb5555680 9 bytes JMP 00007ffdb2ec0378 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffdb5555850 5 bytes JMP 00007ffdb2ec0420 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffdb555b080 5 bytes JMP 00007ffdb2ec03b0 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffdb380a280 7 bytes JMP 00007ffdb2ec0500 .text C:\Windows\System32\StikyNot.exe[2972] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffdb383caf0 5 bytes JMP 00007ffdb2ec0538 .text C:\Users\Oli\Downloads\gt5td1bd.exe[780] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000073c11003 2 bytes [C1, 73] .text C:\Users\Oli\Downloads\gt5td1bd.exe[780] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000073c11016 2 bytes [C1, 73] ---- Devices - GMER 2.2 ---- Device \Driver\storahci \Device\RaidPort0 ffffe000aac132c0 Device \Driver\cdrom \Device\CdRom0 ffffe000aacc72c0 Device \Driver\storahci \Device\00000031 ffffe000aac132c0 Device \Driver\storahci \Device\00000032 ffffe000aac132c0 Device \Driver\storahci \Device\ScsiPort0 ffffe000aac132c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xffffe000aac132c0]<< sptd.sys storport.sys hal.dll storahci.sys ffffe000aac132c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe000aabb4060] ffffe000aabb4060 Trace 3 CLASSPNP.SYS[fffff80163699170] -> nt!IofCallDriver -> [0xffffe000a99fae50] ffffe000a99fae50 Trace 5 ACPI.sys[fffff8016316dc21] -> nt!IofCallDriver -> \Device\00000031[0xffffe000a99fc410] ffffe000a99fc410 Trace \Driver\storahci[0xffffe000a99887b0] -> IRP_MJ_CREATE -> 0xffffe000aac132c0 ffffe000aac132c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [556:564] fffff960008412d0 Thread C:\WINDOWS\SysWOW64\svchost.exe [3116:2364] 0000000000e08b33 Thread C:\WINDOWS\SysWOW64\svchost.exe [3116:2752] 0000000000e08b33 Thread C:\WINDOWS\SysWOW64\svchost.exe [3116:1260] 0000000000e08b33 Thread C:\WINDOWS\SysWOW64\svchost.exe [3116:3180] 0000000000e08b33 Thread C:\WINDOWS\SysWOW64\svchost.exe [3116:3148] 0000000000e08b33 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x7E 0x47 0xB3 0x25 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x89 0xCB 0x96 0xD0 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@en-US 23 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO46EC1_01_07DA_45^879324AE1ADB21FECA6D43361C3B285F@Timestamp 0xA4 0x0C 0x65 0xF5 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 632 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900001 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1631592717 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 24 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 504129475 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 4767 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 4059 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID d7e0b3d1-f8e4-448a-8e81-847cef6 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 2 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6c71d982d1b2 Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{9079febe-693b-4e7b-96d4-557f01e805b1}@LastProbeTime 1494544540 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Cz?, ?maj ?11 ?17, 11:06:25??????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1897 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 636 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 23 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{83E9D82E-80F2-4AE1-8F6E-B5907E69F380}@LeaseObtainedTime 1494604244 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{83E9D82E-80F2-4AE1-8F6E-B5907E69F380}@T1 1494647444 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{83E9D82E-80F2-4AE1-8F6E-B5907E69F380}@T2 1494679844 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{83E9D82E-80F2-4AE1-8F6E-B5907E69F380}@LeaseTerminatesTime 1494690644 Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh 0xAB 0x58 0xAA 0xB4 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList@BannedAppsLastModified 0x00 0x3D 0x97 0xB9 ... ---- EOF - GMER 2.2 ----