GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-23 21:35:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST750LM022_HN-M750MBB rev.2BA30001 698,64GB Running: l3ynmntp.exe; Driver: C:\Users\Asus\AppData\Local\Temp\fwlcqaoc.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\84a6c8046c75 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\84a6c8046c75 (not active ControlSet) ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1868] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 00000000736f1003 2 bytes [6F, 73] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1920] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 00000000736f1003 2 bytes [6F, 73] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1928] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 00000000736f1003 2 bytes [6F, 73] .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 00000000736f1003 2 bytes [6F, 73] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1868] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 00000000736f1016 2 bytes [6F, 73] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1920] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 00000000736f1016 2 bytes [6F, 73] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1928] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 00000000736f1016 2 bytes [6F, 73] .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 00000000736f1016 2 bytes [6F, 73] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000755c1e4c 5 bytes JMP 00000000736b47b0 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000755c1e4c 5 bytes JMP 00000000736b47b0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000755c1efa 5 bytes JMP 00000000736b46c0 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000755c1efa 5 bytes JMP 00000000736b46c0 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000755c2bdc 5 bytes JMP 00000000736b4a80 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000755c2bdc 5 bytes JMP 000000007390b0a6 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000755c2e7e 5 bytes JMP 00000000736b43b0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000755c2e7e 5 bytes JMP 000000007390b110 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075a0e74f 5 bytes JMP 00000000736b39c0 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075a0e74f 5 bytes JMP 00000000736b39c0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075a0e989 5 bytes JMP 00000000736b39d0 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075a0e989 5 bytes JMP 00000000736b39d0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075a88a29 5 bytes JMP 00000000736b3880 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075a95645 5 bytes JMP 00000000736b4340 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075a95645 5 bytes JMP 00000000736b4340 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075aaf631 5 bytes JMP 00000000736b43a0 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075aaf631 5 bytes JMP 00000000736b43a0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075ad0867 5 bytes JMP 00000000736b3600 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075ad0867 5 bytes JMP 00000000736b3600 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075ae7af4 5 bytes JMP 00000000736b4310 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075ae7af4 5 bytes JMP 00000000736b4310 .text C:\Users\Asus\AppData\Local\FluxSoftware\Flux\flux.exe[1696] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077501eee 7 bytes JMP 00000000736b5270 .text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2140] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077501eee 7 bytes JMP 00000000736b5270 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077501eee 7 bytes JMP 00000000736b5270 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077501eee 7 bytes JMP 00000000736b5270 .text C:\Users\Asus\AppData\Local\FluxSoftware\Flux\flux.exe[1696] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077505b85 7 bytes JMP 00000000736b58b0 .text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2140] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077505b85 7 bytes JMP 00000000736b58b0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077505b85 7 bytes JMP 00000000736b58b0 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077505b85 7 bytes JMP 00000000736b58b0 .text C:\Users\Asus\AppData\Local\FluxSoftware\Flux\flux.exe[1696] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077511409 7 bytes JMP 00000000736b54c0 .text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2140] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077511409 7 bytes JMP 00000000736b54c0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077511409 7 bytes JMP 00000000736b54c0 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077511409 7 bytes JMP 00000000736b54c0 .text C:\Users\Asus\AppData\Local\FluxSoftware\Flux\flux.exe[1696] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007751ea5d 7 bytes JMP 00000000736b5260 .text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2140] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007751ea5d 7 bytes JMP 00000000736b5260 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007751ea5d 7 bytes JMP 00000000736b5260 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007751ea5d 7 bytes JMP 00000000736b5260 .text C:\Users\Asus\AppData\Local\FluxSoftware\Flux\flux.exe[1696] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000775a90c4 7 bytes JMP 00000000736b4890 .text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2140] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000775a90c4 7 bytes JMP 00000000736b4890 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000775a90c4 7 bytes JMP 00000000736b4890 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000775a90c4 7 bytes JMP 00000000736b4890 .text C:\Users\Asus\AppData\Local\FluxSoftware\Flux\flux.exe[1696] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000775a9149 5 bytes JMP 00000000736b4a70 .text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2140] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000775a9149 5 bytes JMP 00000000736b4a70 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000775a9149 5 bytes JMP 00000000736b4a70 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000775a9149 5 bytes JMP 00000000736b4a70 .text C:\Users\Asus\AppData\Local\FluxSoftware\Flux\flux.exe[1696] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000775a949f 5 bytes JMP 00000000736b48a0 .text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2140] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000775a949f 5 bytes JMP 00000000736b48a0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[464] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000775a949f 5 bytes JMP 00000000736b48a0 .text C:\Users\Asus\Desktop\l3ynmntp.exe[2340] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000775a949f 5 bytes JMP 00000000736b48a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2980] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007775a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2904] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007775a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2980] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077763f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2904] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077763f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2980] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007777ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2904] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007777ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2980] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007778f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2904] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007778f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2980] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000777b9c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2904] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000777b9c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2980] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000777c9710 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2904] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000777c9710 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2980] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000777e8ab0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2904] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000777e8ab0 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef7d4dc88 5 bytes JMP 000007fef7b400d8 .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef7d4de10 5 bytes JMP 000007fef7b40110 .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefec08830 8 bytes JMP 000007fefd8101f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2904] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefec08830 8 bytes JMP 000007fefd8101f0 .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefec0b9e0 8 bytes JMP 000007fefd8101b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2904] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefec0b9e0 8 bytes JMP 000007fefd8101b8 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\84a6c8046c75@805719f9031f 0xA2 0x3E 0xC3 0xA5 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\84a6c8046c75@805719f9031f 0xA2 0x3E 0xC3 0xA5 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\84a6c8046c75@78471d512c61 0xC6 0x4A 0xB3 0x81 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\84a6c8046c75@78471d512c61 0xC6 0x4A 0xB3 0x81 ... ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000e5900 7 bytes [80, 4F, F3, FF, 01, 5B, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000e5908 3 bytes [C0, 06, 02] ---- Files - GMER 2.2 ---- File C:\Users\Asus\AppData\Local\Opera Software\Opera Stable\Cache\f_002a3f 0 bytes File C:\Users\Asus\AppData\Local\Opera Software\Opera Stable\Cache\f_002a40 0 bytes ---- EOF - GMER 2.2 ----