GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-19 08:06:35 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003c Hitachi_HTS545050A7E380 rev.GG2OA6C0 465,76GB Running: l7kloeln.exe; Driver: C:\Users\DOMDZ_~1\AppData\Local\Temp\awdirpog.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\wbem\WmiApSrv.exe[6924] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe0982169a 4 bytes [82, 09, FE, 7F] .text C:\WINDOWS\system32\wbem\WmiApSrv.exe[6924] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe098216a2 4 bytes [82, 09, FE, 7F] .text C:\WINDOWS\system32\wbem\WmiApSrv.exe[6924] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe0982181a 4 bytes [82, 09, FE, 7F] .text C:\WINDOWS\system32\wbem\WmiApSrv.exe[6924] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe09821832 4 bytes [82, 09, FE, 7F] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe0755299c 7 bytes JMP 00007fff075400d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe075554c8 5 bytes JMP 00007fff07540180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe075555b0 5 bytes JMP 00007fff07540148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe07555e58 5 bytes JMP 00007fff07540110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe075c6200 5 bytes JMP 00007fff075401b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffe092e9318 7 bytes JMP 00007fff07540538 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffe092ecbe0 7 bytes JMP 00007fff07540500 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffe09c47834 10 bytes JMP 00007fff07540420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffe09c4b4d0 5 bytes JMP 00007fff075403b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffe09c4c6d8 5 bytes JMP 00007fff075403e8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffe09c4c8fc 5 bytes JMP 00007fff07540458 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffe09c4e39c 9 bytes JMP 00007fff07540378 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffe07b91500 1 byte JMP 00007fff07540490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffe07b91502 6 bytes {JMP 0xffffffffff9aef90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4204] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffe07b91750 8 bytes JMP 00007fff075404c8 .text C:\WINDOWS\system32\nvvsvc.exe[2748] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe0982169a 4 bytes [82, 09, FE, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[2748] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe098216a2 4 bytes [82, 09, FE, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[2748] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe0982181a 4 bytes [82, 09, FE, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[2748] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe09821832 4 bytes [82, 09, FE, 7F] .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe0755299c 7 bytes JMP 00007fff075400d8 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe075554c8 5 bytes JMP 00007fff07540180 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe075555b0 5 bytes JMP 00007fff07540148 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe07555e58 5 bytes JMP 00007fff07540110 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe075c6200 5 bytes JMP 00007fff075401b8 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW 00007ffe09c47834 10 bytes JMP 00007fff07540420 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\SYSTEM32\user32.dll!EnumDisplayDevicesA 00007ffe09c4b4d0 5 bytes JMP 00007fff075403b0 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\SYSTEM32\user32.dll!EnumDisplayDevicesW 00007ffe09c4c6d8 5 bytes JMP 00007fff075403e8 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\SYSTEM32\user32.dll!ChangeDisplaySettingsExW 00007ffe09c4c8fc 5 bytes JMP 00007fff07540458 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\SYSTEM32\user32.dll!DisplayConfigGetDeviceInfo 00007ffe09c4e39c 9 bytes JMP 00007fff07540378 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffe07b91500 1 byte JMP 00007fff07540490 .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffe07b91502 6 bytes {JMP 0xffffffffff9aef90} .text C:\WINDOWS\system32\taskhostex.exe[5700] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffe07b91750 8 bytes JMP 00007fff075404c8 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe0755299c 7 bytes JMP 00007fff075400d8 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe075554c8 5 bytes JMP 00007fff07540180 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe075555b0 5 bytes JMP 00007fff07540148 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe07555e58 5 bytes JMP 00007fff07540110 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe075c6200 5 bytes JMP 00007fff075401b8 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffe092e9318 7 bytes JMP 00007fff07540538 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffe092ecbe0 7 bytes JMP 00007fff07540500 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffe07b91500 1 byte JMP 00007fff07540490 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffe07b91502 6 bytes {JMP 0xffffffffff9aef90} .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffe07b91750 8 bytes JMP 00007fff075404c8 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffe09c47834 10 bytes JMP 00007fff07540420 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffe09c4b4d0 5 bytes JMP 00007fff075403b0 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffe09c4c6d8 5 bytes JMP 00007fff075403e8 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffe09c4c8fc 5 bytes JMP 00007fff07540458 .text C:\Windows\System32\skydrive.exe[3584] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffe09c4e39c 9 bytes JMP 00007fff07540378 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe0755299c 7 bytes JMP 00007fff075400d8 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe075554c8 5 bytes JMP 00007fff07540180 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe075555b0 5 bytes JMP 00007fff07540148 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe07555e58 5 bytes JMP 00007fff07540110 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe075c6200 5 bytes JMP 00007fff075401b8 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffe09c47834 10 bytes JMP 00007fff07540420 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffe09c4b4d0 5 bytes JMP 00007fff075403b0 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffe09c4c6d8 5 bytes JMP 00007fff075403e8 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffe09c4c8fc 5 bytes JMP 00007fff07540458 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffe09c4e39c 9 bytes JMP 00007fff07540378 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffe07b91500 1 byte JMP 00007fff07540490 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffe07b91502 6 bytes {JMP 0xffffffffff9aef90} .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffe07b91750 8 bytes JMP 00007fff075404c8 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffe092e9318 7 bytes JMP 00007fff07540538 .text D:\TortoiseSVN\bin\TSVNCache.exe[4564] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffe092ecbe0 7 bytes JMP 00007fff07540500 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe0755299c 7 bytes JMP 00007fff075400d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe075554c8 5 bytes JMP 00007fff07540180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe075555b0 5 bytes JMP 00007fff07540148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe07555e58 5 bytes JMP 00007fff07540110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe075c6200 5 bytes JMP 00007fff075401b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffe09c47834 10 bytes JMP 00007fff07540420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffe09c4b4d0 5 bytes JMP 00007fff075403b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffe09c4c6d8 5 bytes JMP 00007fff075403e8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffe09c4c8fc 5 bytes JMP 00007fff07540458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffe09c4e39c 9 bytes JMP 00007fff07540378 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffe07b91500 1 byte JMP 00007fff07540490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffe07b91502 6 bytes {JMP 0xffffffffff9aef90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffe07b91750 8 bytes JMP 00007fff075404c8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffe092e9318 7 bytes JMP 00007fff07540538 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4088] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffe092ecbe0 7 bytes JMP 00007fff07540500 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe0755299c 7 bytes JMP 00007fff075400d8 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe075554c8 5 bytes JMP 00007fff07540180 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe075555b0 5 bytes JMP 00007fff07540148 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe07555e58 5 bytes JMP 00007fff07540110 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe075c6200 5 bytes JMP 00007fff075401b8 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffe09c47834 10 bytes JMP 00007fff07540420 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffe09c4b4d0 5 bytes JMP 00007fff075403b0 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffe09c4c6d8 5 bytes JMP 00007fff075403e8 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffe09c4c8fc 5 bytes JMP 00007fff07540458 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffe09c4e39c 9 bytes JMP 00007fff07540378 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffe07b91500 1 byte JMP 00007fff07540490 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffe07b91502 6 bytes {JMP 0xffffffffff9aef90} .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffe07b91750 8 bytes JMP 00007fff075404c8 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffe092e9318 7 bytes JMP 00007fff07540538 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffe092ecbe0 7 bytes JMP 00007fff07540500 .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe0982169a 4 bytes [82, 09, FE, 7F] .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe098216a2 4 bytes [82, 09, FE, 7F] .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe0982181a 4 bytes [82, 09, FE, 7F] .text C:\Windows\System32\igfxpers.exe[2160] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe09821832 4 bytes [82, 09, FE, 7F] .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe0755299c 7 bytes JMP 00007fff075400d8 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe075554c8 5 bytes JMP 00007fff07540180 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe075555b0 5 bytes JMP 00007fff07540148 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe07555e58 5 bytes JMP 00007fff07540110 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe075c6200 5 bytes JMP 00007fff075401b8 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffe07b91500 1 byte JMP 00007fff07540490 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffe07b91502 6 bytes {JMP 0xffffffffff9aef90} .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffe07b91750 8 bytes JMP 00007fff075404c8 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffe09c47834 10 bytes JMP 00007fff07540420 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffe09c4b4d0 5 bytes JMP 00007fff075403b0 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffe09c4c6d8 5 bytes JMP 00007fff075403e8 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffe09c4c8fc 5 bytes JMP 00007fff07540458 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffe09c4e39c 9 bytes JMP 00007fff07540378 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffe092e9318 7 bytes JMP 00007fff07540538 .text C:\Windows\System32\StikyNot.exe[3200] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffe092ecbe0 7 bytes JMP 00007fff07540500 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe0755299c 7 bytes JMP 00007fff075400d8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe075554c8 5 bytes JMP 00007fff07540180 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe075555b0 5 bytes JMP 00007fff07540148 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe07555e58 5 bytes JMP 00007fff07540110 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe075c6200 5 bytes JMP 00007fff075401b8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW 00007ffe09c47834 10 bytes JMP 00007fff07540420 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\SYSTEM32\user32.dll!EnumDisplayDevicesA 00007ffe09c4b4d0 5 bytes JMP 00007fff075403b0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\SYSTEM32\user32.dll!EnumDisplayDevicesW 00007ffe09c4c6d8 5 bytes JMP 00007fff075403e8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\SYSTEM32\user32.dll!ChangeDisplaySettingsExW 00007ffe09c4c8fc 5 bytes JMP 00007fff07540458 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\SYSTEM32\user32.dll!DisplayConfigGetDeviceInfo 00007ffe09c4e39c 9 bytes JMP 00007fff07540378 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffe07b91500 1 byte JMP 00007fff07540490 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffe07b91502 6 bytes {JMP 0xffffffffff9aef90} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2872] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffe07b91750 8 bytes JMP 00007fff075404c8 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe[3932] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe[3932] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe[3932] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe[3932] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe[3932] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe[3932] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe[3932] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe0755299c 7 bytes JMP 00007fff075400d8 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe075554c8 5 bytes JMP 00007fff07540180 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe075555b0 5 bytes JMP 00007fff07540148 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe07555e58 5 bytes JMP 00007fff07540110 .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe[5884] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe075c6200 5 bytes JMP 00007fff075401b8 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe0755299c 7 bytes JMP 00007fff075400d8 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe075554c8 5 bytes JMP 00007fff07540180 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe075555b0 5 bytes JMP 00007fff07540148 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe07555e58 5 bytes JMP 00007fff07540110 .text C:\Windows\System32\SettingSyncHost.exe[80] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe075c6200 5 bytes JMP 00007fff075401b8 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe09ff28c0 7 bytes JMP 00007fff07540260 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe09ff43d8 7 bytes JMP 00007fff07540298 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe0a0a1f20 7 bytes JMP 00007fff07540308 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe0a0a40b4 7 bytes JMP 00007fff07540340 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe0a0a4510 7 bytes JMP 00007fff075402d0 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe0a0ccea0 7 bytes JMP 00007fff075401f0 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe0a0ccf10 7 bytes JMP 00007fff07540228 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe0755299c 7 bytes JMP 00007fff075400d8 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe075554c8 5 bytes JMP 00007fff07540180 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe075555b0 5 bytes JMP 00007fff07540148 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe07555e58 5 bytes JMP 00007fff07540110 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe075c6200 5 bytes JMP 00007fff075401b8 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffdfcec1f6a 4 bytes [EC, FC, FD, 7F] .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffdfcec1f82 4 bytes [EC, FC, FD, 7F] .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe0982169a 4 bytes [82, 09, FE, 7F] .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe098216a2 4 bytes [82, 09, FE, 7F] .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe0982181a 4 bytes [82, 09, FE, 7F] .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe09821832 4 bytes [82, 09, FE, 7F] .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffe09c47834 10 bytes JMP 00007fff07540420 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffe09c4b4d0 5 bytes JMP 00007fff075403b0 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffe09c4c6d8 5 bytes JMP 00007fff075403e8 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffe09c4c8fc 5 bytes JMP 00007fff07540458 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffe09c4e39c 9 bytes JMP 00007fff07540378 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffe07b91500 1 byte JMP 00007fff07540490 .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffe07b91502 6 bytes {JMP 0xffffffffff9aef90} .text C:\Users\domdz_000\Downloads\FRST64.exe[5556] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffe07b91750 8 bytes JMP 00007fff075404c8 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [7008:5696] fffff96000961b90 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1020:7004] 00000000005b1e1e Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1020:4516] 0000000070eca301 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----