GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-13 17:55:27 Windows 6.1.7600 x64 \Device\Harddisk2\DR2 -> \Device\Ide\IAAStorageDevice-3 SAMSUNG_ rev.CP10 298,09GB Running: kmndvkkx.exe; Driver: C:\Users\Daras\AppData\Local\Temp\kwddikog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771ac910 7 bytes JMP 000000016fff0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771bfc90 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771d1af0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000771df950 1 byte JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW + 2 00000000771df952 3 bytes {JMP 0xfffffffff8e107f8} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077209c30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077219590 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077219700 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007723a330 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd0631a0 7 bytes JMP 000007fffd0500d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd069ac0 5 bytes JMP 000007fffd050180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd06a5c0 6 bytes JMP 000007fffd050148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd071b70 5 bytes JMP 000007fffd050110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe7d83e0 8 bytes JMP 000007fffd0501f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe7dbef0 8 bytes JMP 000007fffd0501b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd67b930 7 bytes JMP 000007fffd050260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1624] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6987b0 11 bytes JMP 000007fffd050228 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd0631a0 7 bytes JMP 000007fffd0500d8 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd069ac0 5 bytes JMP 000007fffd050180 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd06a5c0 6 bytes JMP 000007fffd050148 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd071b70 5 bytes JMP 000007fffd050110 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe7d83e0 8 bytes JMP 000007fffd0501f0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe7dbef0 8 bytes JMP 000007fffd0501b8 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef9214980 7 bytes JMP 000007fff92000d8 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef9239af4 7 bytes JMP 000007fff9200110 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771ac910 7 bytes JMP 000000016fff0260 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771bfc90 5 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771d1af0 5 bytes JMP 000000016fff01f0 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000771df950 1 byte JMP 000000016fff0148 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW + 2 00000000771df952 3 bytes {JMP 0xfffffffff8e107f8} .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077209c30 7 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077219590 5 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077219700 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007723a330 7 bytes JMP 000000016fff0228 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd0631a0 7 bytes JMP 000007fffd0500d8 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd069ac0 5 bytes JMP 000007fffd050180 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd06a5c0 6 bytes JMP 000007fffd050148 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd071b70 5 bytes JMP 000007fffd050110 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe7d83e0 8 bytes JMP 000007fffd0501f0 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe7dbef0 8 bytes JMP 000007fffd0501b8 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd67b930 7 bytes JMP 000007fffd050260 .text C:\Windows\System32\igfxpers.exe[3876] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6987b0 11 bytes JMP 000007fffd050228 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076712182 1 byte JMP 00000001721a16b3 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 2 0000000076712184 5 bytes {JMP 0xfffffffffba8f531} .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 000000007671c74f 7 bytes JMP 00000001721a11cc .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007672ddc2 7 bytes JMP 00000001721a1262 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007672eb2e 5 bytes JMP 00000001721a15c8 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 000000007672f197 7 bytes JMP 00000001721a12a8 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767b864c 7 bytes JMP 00000001721a1357 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000767b86d1 5 bytes JMP 00000001721a16f4 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000767b8a27 5 bytes JMP 00000001721a101e .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076951d1b 5 bytes JMP 00000001721a11e5 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076951dc9 5 bytes JMP 00000001721a1019 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076952aa4 5 bytes JMP 00000001721a1573 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076952d0a 5 bytes JMP 00000001721a128f .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000764e8b9a 5 bytes JMP 00000001721a1046 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000764f4c48 5 bytes JMP 00000001721a10c8 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000764f6bdc 5 bytes JMP 00000001721a1433 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076547bec 1 byte JMP 00000001721a15f0 .text C:\Program Files (x86)\AVG\AVG2013\avgui.exe[4076] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo + 2 0000000076547bee 3 bytes {JMP 0xfffffffffbc59a04} .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076712182 1 byte JMP 00000001721a16b3 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 2 0000000076712184 5 bytes {JMP 0xfffffffffba8f531} .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 000000007671c74f 7 bytes JMP 00000001721a11cc .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007672ddc2 7 bytes JMP 00000001721a1262 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007672eb2e 5 bytes JMP 00000001721a15c8 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 000000007672f197 7 bytes JMP 00000001721a12a8 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767b864c 7 bytes JMP 00000001721a1357 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000767b86d1 5 bytes JMP 00000001721a16f4 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000767b8a27 5 bytes JMP 00000001721a101e .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076951d1b 5 bytes JMP 00000001721a11e5 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076951dc9 5 bytes JMP 00000001721a1019 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076952aa4 5 bytes JMP 00000001721a1573 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076952d0a 5 bytes JMP 00000001721a128f .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000764e8b9a 5 bytes JMP 00000001721a1046 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000764f4c48 5 bytes JMP 00000001721a10c8 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000764f6bdc 5 bytes JMP 00000001721a1433 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076547bec 1 byte JMP 00000001721a15f0 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo + 2 0000000076547bee 3 bytes {JMP 0xfffffffffbc59a04} .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000768de84e 5 bytes JMP 00000001721a11a9 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000768de86e 5 bytes JMP 00000001721a15e1 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076175a0b 5 bytes JMP 00000001721a1618 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000761b590c 5 bytes JMP 00000001721a123f .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075051465 2 bytes [05, 75] .text C:\Windows\SysWOW64\Ctxfihlp.exe[2884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750514bb 2 bytes [05, 75] .text ... * 2 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076712182 1 byte JMP 00000001721a16b3 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 2 0000000076712184 5 bytes {JMP 0xfffffffffba8f531} .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 000000007671c74f 7 bytes JMP 00000001721a11cc .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007672ddc2 7 bytes JMP 00000001721a1262 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007672eb2e 5 bytes JMP 00000001721a15c8 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 000000007672f197 7 bytes JMP 00000001721a12a8 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767b864c 7 bytes JMP 00000001721a1357 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000767b86d1 5 bytes JMP 00000001721a16f4 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000767b8a27 5 bytes JMP 00000001721a101e .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076951d1b 5 bytes JMP 00000001721a11e5 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076951dc9 5 bytes JMP 00000001721a1019 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076952aa4 5 bytes JMP 00000001721a1573 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076952d0a 5 bytes JMP 00000001721a128f .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000764e8b9a 5 bytes JMP 00000001721a1046 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000764f4c48 5 bytes JMP 00000001721a10c8 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000764f6bdc 5 bytes JMP 00000001721a1433 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076547bec 1 byte JMP 00000001721a15f0 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo + 2 0000000076547bee 3 bytes {JMP 0xfffffffffbc59a04} .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000768de84e 5 bytes JMP 00000001721a11a9 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000768de86e 5 bytes JMP 00000001721a15e1 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076175a0b 5 bytes JMP 00000001721a1618 .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000761b590c 5 bytes JMP 00000001721a123f .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075051465 2 bytes [05, 75] .text C:\Windows\SysWOW64\CTXFISPI.EXE[1328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750514bb 2 bytes [05, 75] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075051465 2 bytes [05, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750514bb 2 bytes [05, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 0000000076712182 1 byte JMP 00000001721a16b3 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW + 2 0000000076712184 5 bytes {JMP 0xfffffffffba8f531} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 000000007671c74f 7 bytes JMP 00000001721a11cc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 000000007672ddc2 7 bytes JMP 00000001721a1262 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 000000007672eb2e 5 bytes JMP 00000001721a15c8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 000000007672f197 7 bytes JMP 00000001721a12a8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000767b864c 7 bytes JMP 00000001721a1357 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 00000000767b86d1 5 bytes JMP 00000001721a16f4 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 00000000767b8a27 5 bytes JMP 00000001721a101e .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076951d1b 5 bytes JMP 00000001721a11e5 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076951dc9 5 bytes JMP 00000001721a1019 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076952aa4 5 bytes JMP 00000001721a1573 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076952d0a 5 bytes JMP 00000001721a128f .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000764e8b9a 5 bytes JMP 00000001721a1046 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000764f4c48 5 bytes JMP 00000001721a10c8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000764f6bdc 5 bytes JMP 00000001721a1433 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076547bec 1 byte JMP 00000001721a15f0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo + 2 0000000076547bee 3 bytes {JMP 0xfffffffffbc59a04} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000768de84e 5 bytes JMP 00000001721a11a9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000768de86e 5 bytes JMP 00000001721a15e1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076175a0b 5 bytes JMP 00000001721a1618 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4724] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000761b590c 5 bytes JMP 00000001721a123f .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076712182 1 byte JMP 00000001721a16b3 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 2 0000000076712184 5 bytes {JMP 0xfffffffffba8f531} .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 000000007671c74f 7 bytes JMP 00000001721a11cc .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007672ddc2 7 bytes JMP 00000001721a1262 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007672eb2e 5 bytes JMP 00000001721a15c8 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 000000007672f197 7 bytes JMP 00000001721a12a8 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767b864c 7 bytes JMP 00000001721a1357 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000767b86d1 5 bytes JMP 00000001721a16f4 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000767b8a27 5 bytes JMP 00000001721a101e .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076951d1b 5 bytes JMP 00000001721a11e5 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076951dc9 5 bytes JMP 00000001721a1019 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076952aa4 5 bytes JMP 00000001721a1573 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076952d0a 5 bytes JMP 00000001721a128f .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000764e8b9a 5 bytes JMP 00000001721a1046 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000764f4c48 5 bytes JMP 00000001721a10c8 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000764f6bdc 5 bytes JMP 00000001721a1433 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076547bec 1 byte JMP 00000001721a15f0 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo + 2 0000000076547bee 3 bytes {JMP 0xfffffffffbc59a04} .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000768de84e 5 bytes JMP 00000001721a11a9 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000768de86e 5 bytes JMP 00000001721a15e1 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076175a0b 5 bytes JMP 00000001721a1618 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000761b590c 5 bytes JMP 00000001721a123f .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075051465 2 bytes [05, 75] .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750514bb 2 bytes [05, 75] .text ... * 2 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076712182 1 byte JMP 00000001721a16b3 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 2 0000000076712184 5 bytes {JMP 0xfffffffffba8f531} .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 000000007671c74f 7 bytes JMP 00000001721a11cc .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007672ddc2 7 bytes JMP 00000001721a1262 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007672eb2e 5 bytes JMP 00000001721a15c8 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 000000007672f197 7 bytes JMP 00000001721a12a8 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767b864c 7 bytes JMP 00000001721a1357 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000767b86d1 5 bytes JMP 00000001721a16f4 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000767b8a27 5 bytes JMP 00000001721a101e .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076951d1b 5 bytes JMP 00000001721a11e5 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076951dc9 5 bytes JMP 00000001721a1019 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076952aa4 5 bytes JMP 00000001721a1573 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076952d0a 5 bytes JMP 00000001721a128f .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000768de84e 5 bytes JMP 00000001721a11a9 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000768de86e 5 bytes JMP 00000001721a15e1 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000764e8b9a 5 bytes JMP 00000001721a1046 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000764f4c48 5 bytes JMP 00000001721a10c8 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000764f6bdc 5 bytes JMP 00000001721a1433 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076547bec 1 byte JMP 00000001721a15f0 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo + 2 0000000076547bee 3 bytes {JMP 0xfffffffffbc59a04} .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076175a0b 5 bytes JMP 00000001721a1618 .text C:\Users\Daras\Desktop\kmndvkkx.exe[3316] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000761b590c 5 bytes JMP 00000001721a123f ---- EOF - GMER 2.1 ----