UAC - samo zmienia się na najwyższy poziom

[EDgar8]

Tak jak w temacie. Nie mogę obniżyć UAC, wcześniej miałem na najniższym.

[Groszexxx]

Jak zmienisz w trybie awaryjnym to też nie zapisze zmiany? 

[EDgar8]

Tak.

[Groszexxx]

Zrób logi w FRST najpierw, info znajdziesz w dziale pomocy doraźnej - obowiązkowe logi. 

[EDgar8]

http://wklej.org/id/209019x
http://wklej.org/id/209020x
http://wklej.org/id/209020x

[Groszexxx]

Minęło 6 dni, zrób proszę jeszcze raz świeże logi. 

Pobierz SystemLook 64 http://jpshortstuff.247fixes.com/SystemLook_x64.exe

i wklej w nim: 

:reg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /s

 

A potem zawartość wyniku wklej tutaj. 

[EDgar8]

Tak jak pisałem (lub nie) wpisy się jakby same kasują. 

SystemLook 30.07.11 by jpshortstuff
Log created at 09:50 on 19/03/2016 by Asus
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit]
(No values found)


-= EOF =-

Logi są aktualne bo wykonywałem je kiedy chciałem uzyskać pomoc właśnie na ten temat, ale proszę świeże:
http://wklejaj.pl/551x
http://wklejaj.pl/551x

http://wklejaj.pl/551x

[Groszexxx]

W ogóle nie masz wpisów odpowiedzialnych za UAC.  

 

Otwórz notatnik, nazwij go fixreg.reg (Najpierw musisz zmienic widok, wg tej instrukcji http://windows.microsoft.com/pl-pl/windows/show-hide-file-name-extensions#show-hide-file-name-extensions=windows-7)

i wklej do niego: 

 

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableUIADesktopToggle"=dword:00000000
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"scforceoption"=dword:00000000
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"FilterAdministratorToken"=dword:00000000
"LocalAccountTokenFilterPolicy"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d 
"CF_DIBV5"=dword:00000011

 

Zapisz, zamknij, następnie kliknij 2x na niego i wprowadź zmiany do rejestru, uruchom ponownie komputer, zmień uac, ponownie uruchom ponownie i zobacz czy zmiany zostaną zachowane. 

 

I trzeba by jeszcze odbudować zaporę zgodnie z zawartością tego tematu https://www.fixitpc.pl/topic/6855-rekonstrukcja-zapory-systemu-windows/

[EDgar8]

Nie poskutkowało.

Nie wiem czy pisałem, ale w safe mode można powiedzieć, że działa.

Więcej można poczytać tutaj: http://forum.komputerswiat.pl/topic/197628-uac-samo-zmienia-się-na-najwyższy-poziom/page-2#entry1190114 nie chcę kopiować screenów i wszystkiego

http://prnt.sc/afkouy

[Groszexxx]

Kolega w ogóle wysuwa złe wnioski. Przecież w trybie awaryjnym działa po dodaniu klucza. Sam pisałeś, że wcześniej w awaryjnym nie działało. Na dokładkę tylko część z nich została na stałe. 

 

Może spróbuj dodać też te klucze (uruchomienie pliku reg, o którym pisałem wyżej - bezpośrednio w trybie awaryjnym) 

 

Druga sprawa, że tutaj nie ma co wróżyć z fusów, potrzeba się opierać na konkretnych informacjach.  Sztuką jest oczywiście wiedzieć, na których. Tak jak pisałem wcześniej - miałeś ogołocone wpisy odnośnie UAC. Widać to w logu FRST. Typ, który Ci pomagal na forum nawet go wkleił, jednakże zabrakło wniosków, że brak wartości oznaczał iż nie miał ich skąd pobrać. Druga sprawa, że to Kolega robi źle, że sprawę prowadzi równolegle w różnych miejscach. To prowadzi do całkowitej dezinformacji. 

Skąd ja mam wiedzieć co Ci radziło tych trzech typów z chata? Co kazali Ci edytować i pozmieniać? 

 

Kolejnym faktem jest uszkodzenie dwóch usług systemowych, a przynajmniej ich wyłączenie. Jestem w trakcie pisania co masz zrobić, ale to potrwa.  

 

Cofniemy kolejność i zaczniemy od przywrócenia tych usług. 

 

I kolejna rzecz - masz może punktu przywracania systemu? Kopie rejestru w C:\Windows\System32\config (jeśli włączyć pokazywanie rozszerzeń to powinny mieć rozszerzenie bak lub iobit, bo widzialem, ze tego programu uzywales) lub w C:\Windows\System32\config\RegBack . Zrób screena i pokaż daty. 

[EDgar8]

Chodzi o to, że w trybie awaryjnym są te klucze, ale i tak zmian żadnych na tryb normalny nie zapisze.
Punktu nie mam.
Inni konsultanci za bardzo nic nie poradzili i nie kazali zmieniać przez jakieś zaawansowane opcje. Tylko polecali np. dysk naprawy, dodanie wpisów czy użycie narzędzia MS.
http://prntscr.com/ahsq4i
http://prntscr.com/ahsqdw
http://prntscr.com/ahsqn1

 

Już piszę. Jedyny użytkownik (Administrator).
http://prntscr.com/ahstco
Patrząc na to to nawet mogę podejrzewać że ten program coś pomajstrował, ale nie zauważałem, żadnych błędów od grudnia, a programu nie aktualizowałem.

[Groszexxx]

Zrób kopie obecnego rejestru za pomocą programu ERUNT http://www.bleepingcomputer.com/download/erunt/dl/97/

Pobierz wersje zip i uruchom Erunt.exe jako administrator, po uruchomieniu programu wciśnij OK. 

Przywróć też za pomocą tego Advanced Care  rejestr do jakiegoś odległego punktu - np. z lutego, możesz też spróbować do pierwszego jaki w ogóle jest dostępny i ponowić procedurę z postu 7. 

 

:reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt /s

[EDgar8]

 

 

SystemLook 30.07.11 by jpshortstuff

Log created at 18:39 on 22/03/2016 by Asus

Administrator - Elevation successful

 

========== reg ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

(No values found)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit]

(No values found)

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt]

"DisplayName"="@%Systemroot%\system32\wbem\wmisvc.dll,-205"

"ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"

"Description"="@%Systemroot%\system32\wbem\wmisvc.dll,-204"

"ObjectName"="localSystem"

"ErrorControl"= 0x0000000000 (0)

"Start"= 0x0000000002 (2)

"Type"= 0x0000000020 (32)

"DependOnService"="RPCSS"

"ServiceSidType"= 0x0000000001 (1)

"FailureActions"=80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 c0 d4 01 00 01 00 00 00 e0 93 04 00 00 00 00 00 00 00 00 00  (REG_BINARY)

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters]

"ServiceDllUnloadOnStop"= 0x0000000001 (1)

"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

"ServiceMain"="ServiceMain"

 

 

-= EOF =-

 

 

 

Przywracałem aż do 20.02

 

 

SystemLook 30.07.11 by jpshortstuff

Log created at 18:52 on 22/03/2016 by Asus

Administrator - Elevation successful

 

No Context:

 

========== reg ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

(No values found)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit]

(No values found)

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt]

"DisplayName"="@%Systemroot%\system32\wbem\wmisvc.dll,-205"

"ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"

"Description"="@%Systemroot%\system32\wbem\wmisvc.dll,-204"

"ObjectName"="localSystem"

"ErrorControl"= 0x0000000000 (0)

"Start"= 0x0000000002 (2)

"Type"= 0x0000000020 (32)

"DependOnService"="RPCSS"

"ServiceSidType"= 0x0000000001 (1)

"FailureActions"=80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 c0 d4 01 00 01 00 00 00 e0 93 04 00 00 00 00 00 00 00 00 00 (REG_BINARY)

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters]

"ServiceDllUnloadOnStop"= 0x0000000001 (1)

"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

"ServiceMain"="ServiceMain"

 

 

-= EOF =-

 

 

Przywracałem nawet dalej i to w trybie awaryjnym.

 

Może nie działa dlatego, że program przywraca swoje zmiany?

[Groszexxx]

Ta część Advanced Care robi tylko kopie rejestru, nic więcej.

 

Klucz zaś jest w porządku. 

Szukamy dalej, kolejna porcja: 

stwórz plik fixlist w tym samym folderze co FRST i wklej do niego: 

 

CMD: sc query winmgmt

CMD: winmgmt /salvagerepository

ListPermissions: C:\Windows\System32\LogFiles\WMI

ListPermissions: C:\Windows\System32\LogFiles\WMI\RtBackup

następnie zapisz, uruchom frst i kliknij "napraw"

 

Fixlog wstaw tutaj.

[EDgar8]

Rezultat naprawy Farbar Recovery Scan Tool (x64) Wersja:05-03-2016 01

Uruchomiony przez Asus (2016-03-22 21:01:12) Run:1

Uruchomiony z C:\Users\Asus\Desktop

Załadowane profile: Asus (Dostępne profile: Asus & Administrator)

Tryb startu: Normal

==============================================

 

fixlist - zawartość:

*****************

CMD: sc query winmgmt

CMD: winmgmt /salvagerepository

ListPermissions: C:\Windows\System32\LogFiles\WMI

ListPermissions: C:\Windows\System32\LogFiles\WMI\RtBackup

*****************

 

 

========= sc query winmgmt =========

 

 

SERVICE_NAME: winmgmt

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

 

========= Koniec CMD: =========

 

 

========= winmgmt /salvagerepository =========

 

Repozytorium WMI jest spójne.

 

========= Koniec CMD: =========

 

===================================

uprawnienia "C:\Windows\System32\LogFiles\WMI":

 

Owner: BUILTIN\Administrators

 

DACL(PAI):

 

NT AUTHORITY\SYSTEM ALLOW FULL (OI-CI)

NT AUTHORITY\LOCAL SERVICE ALLOW FULL (OI-CI)

NT AUTHORITY\NETWriteOwner+RK SERVICE ALLOW FULL (OI-CI)

BUILTIN\Administrators ALLOW FULL (OI-CI)

LU ALLOW FULL (OI-CI)

 

===================================

===================================

uprawnienia "C:\Windows\System32\LogFiles\WMI\RtBackup":

 

Owner: BUILTIN\Administrators

 

DACL(P):

 

BUILTIN\Administrators ALLOW FULL (OI-CI)

 

===================================

 

==== Koniec Fixlog 21:01:16 ====

[Groszexxx]

Brakuje konta system.

 

CMD: icacls C:\Windows\System32\LogFiles\WMI\RtBackup /grant SYSTEM:F /T

Reboot:

Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Fix. System zostanie zresetowany. Powstanie kolejny fixlog.txt.

 

I zrób nowy log w FRST.

[EDgar8]

Rezultat naprawy Farbar Recovery Scan Tool (x64) Wersja:05-03-2016 01
Uruchomiony przez Asus (2016-03-23 14:57:30) Run:2
Uruchomiony z C:\Users\Asus\Desktop
Załadowane profile: Asus (Dostępne profile: Asus & Administrator)
Tryb startu: Normal
==============================================

fixlist - zawartość:
*****************
CMD: icacls C:\Windows\System32\LogFiles\WMI\RtBackup /grant SYSTEM:F /T
Reboot:
*****************


========= icacls C:\Windows\System32\LogFiles\WMI\RtBackup /grant SYSTEM:F /T =========

przetworzono plik: C:\Windows\System32\LogFiles\WMI\RtBackup
przetworzono plik: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
przetworzono plik: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
przetworzono plik: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
przetworzono plik: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
przetworzono plik: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
Liczba plików przetworzonych pomyślnie: 6; liczba plików, których przetwarzanie nie powiodło się: 0.

========= Koniec CMD: =========



System wymagał restartu.

==== Koniec Fixlog 14:57:30 ====

 
http://wklej.to/efIX-
http://wklej.to/WeBJ-
http://wklej.to/MXVq-

[Groszexxx]

Zanim naskrobię kolejnego posta, weź zrób proszę profilaktycznie log w Gmer. 

Przeczytaj wszystko uważnie: 

https://www.fixitpc.pl/topic/60-diagnostyka-infekcje-typu-rootkit/

[EDgar8]

OK. Mam Daemon Tools, ale obecnie wyłączony i bez żadnego napędu. Sterownika nie mogę odinstalować, bo pokazuje że go nie ma. (może to być spowodowane starszą wersją)

[Groszexxx]

Rób skan, nie masz sptd. 

[EDgar8]

Właśnie dlatego uruchomiłem:

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-03-23 17:12:42
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST750LM022_HN-M750MBB rev.2BA30001 698,64GB
Running: gmer.exe; Driver: C:\Users\Asus\AppData\Local\Temp\fwlcqaoc.sys


---- Kernel code sections - GMER 2.2 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000f5600 7 bytes [C0, 5F, F3, FF, 41, 6F, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000f5608 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.2 ----

.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000779fa400 7 bytes JMP 000000006fff0228
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077a03f20 5 bytes JMP 000000006fff0180
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077a1ffe0 5 bytes JMP 000000006fff01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077a2f390 5 bytes JMP 000000006fff0110
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077a59ae0 7 bytes JMP 000000006fff00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077a69570 5 bytes JMP 000000006fff0148
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077a88890 7 bytes JMP 000000006fff01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd942db0 5 bytes JMP 000007fefd910180
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd943700 7 bytes JMP 000007fefd9100d8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd949140 5 bytes JMP 000007fefd910148
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd94a2b0 5 bytes JMP 000007fefd910110
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdc689d0 8 bytes JMP 000007fefd9101f0
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdc6be40 8 bytes JMP 000007fefd9101b8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe067470 11 bytes JMP 000007fefd910228
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe07bee0 7 bytes JMP 000007fefd910260
.text C:\Windows\system32\Dwm.exe[1856] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd942db0 5 bytes JMP 000007fefd910180
.text C:\Windows\system32\Dwm.exe[1856] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd943700 7 bytes JMP 000007fefd9100d8
.text C:\Windows\system32\Dwm.exe[1856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd949140 5 bytes JMP 000007fefd910148
.text C:\Windows\system32\Dwm.exe[1856] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd94a2b0 5 bytes JMP 000007fefd910110
.text C:\Windows\system32\Dwm.exe[1856] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdc689d0 8 bytes JMP 000007fefd9101f0
.text C:\Windows\system32\Dwm.exe[1856] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdc6be40 8 bytes JMP 000007fefd9101b8
.text C:\Windows\system32\Dwm.exe[1856] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fefa49dc88 5 bytes JMP 000007fefa4700d8
.text C:\Windows\system32\Dwm.exe[1856] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fefa49de10 5 bytes JMP 000007fefa470110
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000774d1f0e 7 bytes JMP 0000000072d03c50
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000774d5bad 7 bytes JMP 0000000072d04290
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000774e1409 7 bytes JMP 0000000072d03ea0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000774eea5d 7 bytes JMP 0000000072d03c40
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077578f8c 7 bytes JMP 0000000072d036c0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077579011 5 bytes JMP 0000000072d03770
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077579367 5 bytes JMP 0000000072d036d0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076fc1e3d 5 bytes JMP 0000000072d03680
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076fc1eeb 5 bytes JMP 0000000072d03640
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076fc2bcd 5 bytes JMP 0000000072d03780
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076fc2e7f 5 bytes JMP 0000000072d03480
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ea8b9a 5 bytes JMP 0000000072d02b20
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076eb4c48 5 bytes JMP 0000000072d03400
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076eb6bdc 5 bytes JMP 0000000072d03470
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076ef092e 5 bytes JMP 0000000072d02960
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076f07bec 5 bytes JMP 0000000072d033e0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757bd2b4 5 bytes JMP 0000000072d02c60
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757bd4ee 5 bytes JMP 0000000072d02c70
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075ef5ea5 5 bytes JMP 0000000072d02ae0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f29ccb 5 bytes JMP 0000000072d02a70
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000072d31003 2 bytes [D3, 72]
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1132] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000072d31016 2 bytes [D3, 72]
.text C:\Windows\system32\taskeng.exe[1584] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd942db0 5 bytes JMP 000007fefd910180
.text C:\Windows\system32\taskeng.exe[1584] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd943700 7 bytes JMP 000007fefd9100d8
.text C:\Windows\system32\taskeng.exe[1584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd949140 5 bytes JMP 000007fefd910148
.text C:\Windows\system32\taskeng.exe[1584] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd94a2b0 5 bytes JMP 000007fefd910110
.text C:\Windows\system32\taskeng.exe[1584] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdc689d0 8 bytes JMP 000007fefd9101f0
.text C:\Windows\system32\taskeng.exe[1584] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdc6be40 8 bytes JMP 000007fefd9101b8
.text C:\Windows\system32\taskeng.exe[1584] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe067470 11 bytes JMP 000007fefd910228
.text C:\Windows\system32\taskeng.exe[1584] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe07bee0 7 bytes JMP 000007fefd910260
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000774d1f0e 7 bytes JMP 0000000072d03c50
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000774d5bad 7 bytes JMP 0000000072d04290
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000774e1409 7 bytes JMP 0000000072d03ea0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000774eea5d 7 bytes JMP 0000000072d03c40
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077578f8c 7 bytes JMP 0000000072d036c0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077579011 5 bytes JMP 0000000072d03770
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077579367 5 bytes JMP 0000000072d036d0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076fc1e3d 5 bytes JMP 0000000072d03680
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076fc1eeb 5 bytes JMP 0000000072d03640
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076fc2bcd 5 bytes JMP 0000000072d03780
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076fc2e7f 5 bytes JMP 0000000072d03480
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ea8b9a 5 bytes JMP 0000000072d02b20
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076eb4c48 5 bytes JMP 0000000072d03400
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076eb6bdc 5 bytes JMP 0000000072d03470
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076ef092e 5 bytes JMP 0000000072d02960
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076f07bec 5 bytes JMP 0000000072d033e0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757bd2b4 5 bytes JMP 0000000072d02c60
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757bd4ee 5 bytes JMP 0000000072d02c70
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000072d31003 2 bytes [D3, 72]
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000072d31016 2 bytes [D3, 72]
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075ef5ea5 5 bytes JMP 0000000072d02ae0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2096] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f29ccb 5 bytes JMP 0000000072d02a70
.text C:\Windows\system32\taskeng.exe[2308] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd942db0 5 bytes JMP 000007fefd910180
.text C:\Windows\system32\taskeng.exe[2308] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd943700 7 bytes JMP 000007fefd9100d8
.text C:\Windows\system32\taskeng.exe[2308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd949140 5 bytes JMP 000007fefd910148
.text C:\Windows\system32\taskeng.exe[2308] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd94a2b0 5 bytes JMP 000007fefd910110
.text C:\Windows\system32\taskeng.exe[2308] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdc689d0 8 bytes JMP 000007fefd9101f0
.text C:\Windows\system32\taskeng.exe[2308] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdc6be40 8 bytes JMP 000007fefd9101b8
.text C:\Windows\system32\taskeng.exe[2308] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe067470 11 bytes JMP 000007fefd910228
.text C:\Windows\system32\taskeng.exe[2308] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe07bee0 7 bytes JMP 000007fefd910260
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000774d1f0e 7 bytes JMP 0000000072d03c50
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000774d5bad 7 bytes JMP 0000000072d04290
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000774e1409 7 bytes JMP 0000000072d03ea0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000774eea5d 7 bytes JMP 0000000072d03c40
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077578f8c 7 bytes JMP 0000000072d036c0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077579011 5 bytes JMP 0000000072d03770
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077579367 5 bytes JMP 0000000072d036d0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076fc1e3d 5 bytes JMP 0000000072d03680
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076fc1eeb 5 bytes JMP 0000000072d03640
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076fc2bcd 5 bytes JMP 0000000072d03780
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076fc2e7f 5 bytes JMP 0000000072d03480
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ea8b9a 5 bytes JMP 0000000072d02b20
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076eb4c48 5 bytes JMP 0000000072d03400
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076eb6bdc 5 bytes JMP 0000000072d03470
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076ef092e 5 bytes JMP 0000000072d02960
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076f07bec 5 bytes JMP 0000000072d033e0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757bd2b4 5 bytes JMP 0000000072d02c60
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757bd4ee 5 bytes JMP 0000000072d02c70
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075ef5ea5 5 bytes JMP 0000000072d02ae0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f29ccb 5 bytes JMP 0000000072d02a70
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000072d31003 2 bytes [D3, 72]
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2440] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000072d31016 2 bytes [D3, 72]
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000774d1f0e 7 bytes JMP 0000000072d03c50
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000774d5bad 7 bytes JMP 0000000072d04290
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000774e1409 7 bytes JMP 0000000072d03ea0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000774eea5d 7 bytes JMP 0000000072d03c40
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077578f8c 7 bytes JMP 0000000072d036c0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077579011 5 bytes JMP 0000000072d03770
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077579367 5 bytes JMP 0000000072d036d0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076fc1e3d 5 bytes JMP 0000000072d03680
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076fc1eeb 5 bytes JMP 0000000072d03640
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076fc2bcd 5 bytes JMP 0000000072d03780
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076fc2e7f 5 bytes JMP 0000000072d03480
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ea8b9a 5 bytes JMP 0000000072d02b20
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076eb4c48 5 bytes JMP 0000000072d03400
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076eb6bdc 5 bytes JMP 0000000072d03470
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076ef092e 5 bytes JMP 0000000072d02960
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076f07bec 5 bytes JMP 0000000072d033e0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757bd2b4 5 bytes JMP 0000000072d02c60
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757bd4ee 5 bytes JMP 0000000072d02c70
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000072d31003 2 bytes [D3, 72]
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000072d31016 2 bytes [D3, 72]
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075ef5ea5 5 bytes JMP 0000000072d02ae0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2160] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f29ccb 5 bytes JMP 0000000072d02a70
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000774d1f0e 7 bytes JMP 0000000072d03c50
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000774d5bad 7 bytes JMP 0000000072d04290
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000774e1409 7 bytes JMP 0000000072d03ea0
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000774eea5d 7 bytes JMP 0000000072d03c40
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077578f8c 7 bytes JMP 0000000072d036c0
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077579011 5 bytes JMP 0000000072d03770
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077579367 5 bytes JMP 0000000072d036d0
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076fc1e3d 5 bytes JMP 0000000072d03680
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076fc1eeb 5 bytes JMP 0000000072d03640
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076fc2bcd 5 bytes JMP 0000000072d03780
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076fc2e7f 5 bytes JMP 0000000072d03480
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ea8b9a 5 bytes JMP 0000000072d02b20
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076eb4c48 5 bytes JMP 0000000072d03400
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076eb6bdc 5 bytes JMP 0000000072d03470
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076ef092e 5 bytes JMP 0000000072d02960
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076f07bec 5 bytes JMP 0000000072d033e0
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757bd2b4 5 bytes JMP 0000000072d02c60
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757bd4ee 5 bytes JMP 0000000072d02c70
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075ef5ea5 5 bytes JMP 0000000072d02ae0
.text C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe[2196] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f29ccb 5 bytes JMP 0000000072d02a70
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000779fa400 7 bytes JMP 000000006fff0228
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077a03f20 5 bytes JMP 000000006fff0180
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077a1ffe0 5 bytes JMP 000000006fff01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077a2f390 5 bytes JMP 000000006fff0110
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077a59ae0 7 bytes JMP 000000006fff00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077a69570 5 bytes JMP 000000006fff0148
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077a88890 7 bytes JMP 000000006fff01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd942db0 5 bytes JMP 000007fefd910180
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd943700 7 bytes JMP 000007fefd9100d8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd949140 5 bytes JMP 000007fefd910148
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd94a2b0 5 bytes JMP 000007fefd910110
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdc689d0 8 bytes JMP 000007fefd9101f0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2492] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdc6be40 8 bytes JMP 000007fefd9101b8
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000774d1f0e 7 bytes JMP 0000000072d03c50
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000774d5bad 7 bytes JMP 0000000072d04290
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000774e1409 7 bytes JMP 0000000072d03ea0
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000774eea5d 7 bytes JMP 0000000072d03c40
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077578f8c 7 bytes JMP 0000000072d036c0
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077579011 5 bytes JMP 0000000072d03770
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077579367 5 bytes JMP 0000000072d036d0
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076fc1e3d 5 bytes JMP 0000000072d03680
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076fc1eeb 5 bytes JMP 0000000072d03640
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076fc2bcd 5 bytes JMP 0000000072d03780
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076fc2e7f 5 bytes JMP 0000000072d03480
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757bd2b4 5 bytes JMP 0000000072d02c60
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757bd4ee 5 bytes JMP 0000000072d02c70
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076eb4c48 5 bytes JMP 0000000072d03400
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076eb6bdc 5 bytes JMP 0000000072d03470
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076ef092e 5 bytes JMP 0000000072d02960
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076f07bec 5 bytes JMP 0000000072d033e0
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000072d31003 2 bytes [D3, 72]
.text C:\Users\Asus\Desktop\gmer\gmer.exe[2776] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000072d31016 2 bytes [D3, 72]

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\84a6c8046c75
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\84a6c8046c75@805719f9031f 0xA2 0x3E 0xC3 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\84a6c8046c75@78471d512c61 0xBD 0xE1 0xED 0x84 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\84a6c8046c75 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\84a6c8046c75@805719f9031f 0xA2 0x3E 0xC3 0xA5 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\84a6c8046c75@78471d512c61 0xBD 0xE1 0xED 0x84 ...

---- EOF - GMER 2.2 ----

 

[Groszexxx]

Kolejny krok, odpal cmd jako admin i wklej  pojedynczo te komendy:

winmgmt /standalonehost
winmgmt /resetrepository

winmgmt /verifyrepository

 

I podaj komunikat po tej ostatniej. 

[EDgar8]

Mam nadzieję, że nie ma różnicy to, że mam włączone konto "Administrator" (to ukryte).

Repozytorium WMI jest spójne.

[Groszexxx]

Nie powinno. Zaloguj sie na swoje glowne konto i sam sprawdz. Mogles to od razu zrobic zamiast pytac . 

[EDgar8]

Pokazuje ten sam komunikat.

 

Nie wiem czy ten trop jest prawdziwy, ale na tym odblokowanym koncie administratora UAC było prawidłowe, więc skopiowałem tam wszystkie pliki z tego konta (łącznie z AppData)  a dziś patrzę i UAC jest podwyższone.