GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-22 18:03:26 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 TOSHIBA_MQ01ABD050 rev.AX002J 465,76GB Running: dmbbi73s.exe; Driver: C:\Users\Oli\AppData\Local\Temp\pwldapob.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff96000232a00 15 bytes {ADD BL, CH; JMP 0x5} .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff96000232a10 11 bytes [00, D6, FB, FF, 40, AA, BF, ...] ---- User code sections - GMER 2.2 ---- .text C:\Program Files\ESET\ESET Security\ekrn.exe[872] C:\WINDOWS\system32\KERNEL32.DLL!SetUnhandledExceptionFilter 00007ffc3f7647d0 4 bytes [C3, 00, 00, 00] .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffc3f763e10 7 bytes JMP 00007ffc3f2c0260 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffc3f763e20 7 bytes JMP 00007ffc3f2c0298 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffc3f8139b0 7 bytes JMP 00007ffc3f2c0340 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffc3f813ef0 7 bytes JMP 00007ffc3f2c02d0 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffc3f813fe0 7 bytes JMP 00007ffc3f2c0308 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffc3f8406c0 7 bytes JMP 00007ffc3f2c01f0 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffc3f840730 7 bytes JMP 00007ffc3f2c0228 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffc3f302020 7 bytes JMP 00007ffc3f2c00d8 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffc3f3024f0 5 bytes JMP 00007ffc3f2c0180 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffc3f3043d0 5 bytes JMP 00007ffc3f2c0110 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc3f308d10 5 bytes JMP 00007ffc3f2c0148 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffc3f37ed00 5 bytes JMP 00007ffc3f2c01b8 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffc41626d80 10 bytes JMP 00007ffc3f2c0458 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffc416355c0 5 bytes JMP 00007ffc3f2c03e8 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffc41635680 9 bytes JMP 00007ffc3f2c0378 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffc41635850 5 bytes JMP 00007ffc3f2c0420 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffc4163b080 5 bytes JMP 00007ffc3f2c03b0 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffc3f8b1500 1 byte JMP 00007ffc3f2c0490 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffc3f8b1502 6 bytes {JMP 0xffffffffffa0ef90} .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffc3f8b1750 8 bytes JMP 00007ffc3f2c04c8 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory 00007ffc3c607750 5 bytes JMP 00007ffc3c5f00d8 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory1 00007ffc3c608ee0 5 bytes JMP 00007ffc3c5f0110 .text C:\WINDOWS\System32\dwm.exe[4420] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory2 00007ffc3c60c650 5 bytes JMP 00007ffc3c5f0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffc3f763e10 7 bytes JMP 00007ffc3f2c0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffc3f763e20 7 bytes JMP 00007ffc3f2c0298 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffc3f8139b0 7 bytes JMP 00007ffc3f2c0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffc3f813ef0 7 bytes JMP 00007ffc3f2c02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffc3f813fe0 7 bytes JMP 00007ffc3f2c0308 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffc3f8406c0 7 bytes JMP 00007ffc3f2c01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffc3f840730 7 bytes JMP 00007ffc3f2c0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffc3f302020 7 bytes JMP 00007ffc3f2c00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffc3f3024f0 5 bytes JMP 00007ffc3f2c0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffc3f3043d0 5 bytes JMP 00007ffc3f2c0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc3f308d10 5 bytes JMP 00007ffc3f2c0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffc3f37ed00 5 bytes JMP 00007ffc3f2c01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffc417da280 7 bytes JMP 00007ffc3f2c0500 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffc4180caf0 5 bytes JMP 00007ffc3f2c0538 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffc41626d80 10 bytes JMP 00007ffc3f2c0458 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffc416355c0 5 bytes JMP 00007ffc3f2c03e8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffc41635680 9 bytes JMP 00007ffc3f2c0378 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffc41635850 5 bytes JMP 00007ffc3f2c0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffc4163b080 5 bytes JMP 00007ffc3f2c03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffc3f8b1500 1 byte JMP 00007ffc3f2c0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffc3f8b1502 6 bytes {JMP 0xffffffffffa0ef90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4220] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffc3f8b1750 8 bytes JMP 00007ffc3f2c04c8 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffc3f763e10 7 bytes JMP 00007ffc3f2c0260 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffc3f763e20 7 bytes JMP 00007ffc3f2c0298 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffc3f8139b0 7 bytes JMP 00007ffc3f2c0340 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffc3f813ef0 7 bytes JMP 00007ffc3f2c02d0 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffc3f813fe0 7 bytes JMP 00007ffc3f2c0308 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffc3f8406c0 7 bytes JMP 00007ffc3f2c01f0 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffc3f840730 7 bytes JMP 00007ffc3f2c0228 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffc3f302020 7 bytes JMP 00007ffc3f2c00d8 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffc3f3024f0 5 bytes JMP 00007ffc3f2c0180 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffc3f3043d0 5 bytes JMP 00007ffc3f2c0110 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc3f308d10 5 bytes JMP 00007ffc3f2c0148 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffc3f37ed00 5 bytes JMP 00007ffc3f2c01b8 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffc41626d80 10 bytes JMP 00007ffc3f2c0458 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffc416355c0 5 bytes JMP 00007ffc3f2c03e8 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffc41635680 9 bytes JMP 00007ffc3f2c0378 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffc41635850 5 bytes JMP 00007ffc3f2c0420 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffc4163b080 5 bytes JMP 00007ffc3f2c03b0 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffc3f8b1500 1 byte JMP 00007ffc3f2c0490 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffc3f8b1502 6 bytes {JMP 0xffffffffffa0ef90} .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffc3f8b1750 8 bytes JMP 00007ffc3f2c04c8 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffc417da280 7 bytes JMP 00007ffc3f2c0500 .text C:\Program Files\ESET\ESET Security\egui.exe[4432] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffc4180caf0 5 bytes JMP 00007ffc3f2c0538 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffc3f763e10 7 bytes JMP 00007ffc3f2c0260 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffc3f763e20 7 bytes JMP 00007ffc3f2c0298 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffc3f8139b0 7 bytes JMP 00007ffc3f2c0340 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffc3f813ef0 7 bytes JMP 00007ffc3f2c02d0 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffc3f813fe0 7 bytes JMP 00007ffc3f2c0308 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffc3f8406c0 7 bytes JMP 00007ffc3f2c01f0 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffc3f840730 7 bytes JMP 00007ffc3f2c0228 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffc3f302020 7 bytes JMP 00007ffc3f2c00d8 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffc3f3024f0 5 bytes JMP 00007ffc3f2c0180 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffc3f3043d0 5 bytes JMP 00007ffc3f2c0110 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc3f308d10 5 bytes JMP 00007ffc3f2c0148 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffc3f37ed00 5 bytes JMP 00007ffc3f2c01b8 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW 00007ffc41626d80 10 bytes JMP 00007ffc3f2c0458 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\SYSTEM32\user32.dll!EnumDisplayDevicesW 00007ffc416355c0 5 bytes JMP 00007ffc3f2c03e8 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\SYSTEM32\user32.dll!DisplayConfigGetDeviceInfo 00007ffc41635680 9 bytes JMP 00007ffc3f2c0378 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\SYSTEM32\user32.dll!ChangeDisplaySettingsExW 00007ffc41635850 5 bytes JMP 00007ffc3f2c0420 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\SYSTEM32\user32.dll!EnumDisplayDevicesA 00007ffc4163b080 5 bytes JMP 00007ffc3f2c03b0 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffc3f8b1500 1 byte JMP 00007ffc3f2c0490 .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffc3f8b1502 6 bytes {JMP 0xffffffffffa0ef90} .text C:\WINDOWS\system32\taskhostex.exe[1204] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffc3f8b1750 8 bytes JMP 00007ffc3f2c04c8 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffc3f763e10 7 bytes JMP 00007ffc3f2c0260 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffc3f763e20 7 bytes JMP 00007ffc3f2c0298 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffc3f8139b0 7 bytes JMP 00007ffc3f2c0340 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffc3f813ef0 7 bytes JMP 00007ffc3f2c02d0 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffc3f813fe0 7 bytes JMP 00007ffc3f2c0308 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffc3f8406c0 7 bytes JMP 00007ffc3f2c01f0 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffc3f840730 7 bytes JMP 00007ffc3f2c0228 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffc3f302020 7 bytes JMP 00007ffc3f2c00d8 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffc3f3024f0 5 bytes JMP 00007ffc3f2c0180 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffc3f3043d0 5 bytes JMP 00007ffc3f2c0110 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc3f308d10 5 bytes JMP 00007ffc3f2c0148 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffc3f37ed00 5 bytes JMP 00007ffc3f2c01b8 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffc41626d80 10 bytes JMP 00007ffc3f2c0458 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffc416355c0 5 bytes JMP 00007ffc3f2c03e8 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffc41635680 9 bytes JMP 00007ffc3f2c0378 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffc41635850 5 bytes JMP 00007ffc3f2c0420 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffc4163b080 5 bytes JMP 00007ffc3f2c03b0 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffc3f8b1500 1 byte JMP 00007ffc3f2c0490 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffc3f8b1502 6 bytes {JMP 0xffffffffffa0ef90} .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffc3f8b1750 8 bytes JMP 00007ffc3f2c04c8 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffc417da280 7 bytes JMP 00007ffc3f2c0500 .text C:\Windows\System32\igfxpers.exe[2488] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffc4180caf0 5 bytes JMP 00007ffc3f2c0538 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffc3f763e10 7 bytes JMP 00007ffc3f2c0260 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffc3f763e20 7 bytes JMP 00007ffc3f2c0298 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffc3f8139b0 7 bytes JMP 00007ffc3f2c0340 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffc3f813ef0 7 bytes JMP 00007ffc3f2c02d0 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffc3f813fe0 7 bytes JMP 00007ffc3f2c0308 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffc3f8406c0 7 bytes JMP 00007ffc3f2c01f0 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffc3f840730 7 bytes JMP 00007ffc3f2c0228 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffc3f302020 7 bytes JMP 00007ffc3f2c00d8 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffc3f3024f0 5 bytes JMP 00007ffc3f2c0180 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffc3f3043d0 5 bytes JMP 00007ffc3f2c0110 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc3f308d10 5 bytes JMP 00007ffc3f2c0148 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffc3f37ed00 5 bytes JMP 00007ffc3f2c01b8 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffc3f8b1500 1 byte JMP 00007ffc3f2c0490 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffc3f8b1502 6 bytes {JMP 0xffffffffffa0ef90} .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffc3f8b1750 8 bytes JMP 00007ffc3f2c04c8 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffc41626d80 10 bytes JMP 00007ffc3f2c0458 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffc416355c0 5 bytes JMP 00007ffc3f2c03e8 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffc41635680 9 bytes JMP 00007ffc3f2c0378 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffc41635850 5 bytes JMP 00007ffc3f2c0420 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffc4163b080 5 bytes JMP 00007ffc3f2c03b0 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffc417da280 7 bytes JMP 00007ffc3f2c0500 .text C:\Windows\System32\StikyNot.exe[2588] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffc4180caf0 5 bytes JMP 00007ffc3f2c0538 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffc3f763e10 7 bytes JMP 00007ffc3f2c0260 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffc3f763e20 7 bytes JMP 00007ffc3f2c0298 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffc3f8139b0 7 bytes JMP 00007ffc3f2c0340 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffc3f813ef0 7 bytes JMP 00007ffc3f2c02d0 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffc3f813fe0 7 bytes JMP 00007ffc3f2c0308 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffc3f8406c0 7 bytes JMP 00007ffc3f2c01f0 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffc3f840730 7 bytes JMP 00007ffc3f2c0228 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffc3f302020 7 bytes JMP 00007ffc3f2c00d8 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffc3f3024f0 5 bytes JMP 00007ffc3f2c0180 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffc3f3043d0 5 bytes JMP 00007ffc3f2c0110 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc3f308d10 5 bytes JMP 00007ffc3f2c0148 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffc3f37ed00 5 bytes JMP 00007ffc3f2c01b8 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffc416355c0 5 bytes JMP 00007ffc3f2c03e8 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffc41635680 9 bytes JMP 00007ffc3f2c0378 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffc41635850 5 bytes JMP 00007ffc3f2c0420 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffc4163b080 5 bytes JMP 00007ffc3f2c03b0 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffc3f8b1500 1 byte JMP 00007ffc3f2c0490 .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffc3f8b1502 6 bytes {JMP 0xffffffffffa0ef90} .text C:\Program Files\Internet Explorer\iexplore.exe[2388] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffc3f8b1750 8 bytes JMP 00007ffc3f2c04c8 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3000] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000073eb1003 2 bytes {JMP 0x75} .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3000] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000073eb1016 2 bytes {JMP 0x75} .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2776] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000073eb1003 2 bytes {JMP 0x75} .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2776] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000073eb1016 2 bytes {JMP 0x75} .text C:\Users\Oli\Downloads\dmbbi73s.exe[604] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000073eb1003 2 bytes {JMP 0x75} .text C:\Users\Oli\Downloads\dmbbi73s.exe[604] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000073eb1016 2 bytes {JMP 0x75} ---- Devices - GMER 2.2 ---- Device \Driver\storahci \Device\RaidPort0 ffffe000845fe2c0 Device \Driver\cdrom \Device\CdRom0 ffffe00085b882c0 Device \Driver\storahci \Device\00000031 ffffe000845fe2c0 Device \Driver\storahci \Device\00000032 ffffe000845fe2c0 Device \Driver\storahci \Device\ScsiPort0 ffffe000845fe2c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xffffe000845fe2c0]<< sptd.sys storport.sys hal.dll storahci.sys ffffe000845fe2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe00085a82060] ffffe00085a82060 Trace 3 CLASSPNP.SYS[fffff8013f89f170] -> nt!IofCallDriver -> [0xffffe00084ffae50] ffffe00084ffae50 Trace 5 ACPI.sys[fffff8013eaabc21] -> nt!IofCallDriver -> \Device\00000031[0xffffe00084ff8060] ffffe00084ff8060 Trace \Driver\storahci[0xffffe00084fff450] -> IRP_MJ_CREATE -> 0xffffe000845fe2c0 ffffe000845fe2c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [4192:4340] fffff9600091a2d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 438456158 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6c71d982d1b2 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 650 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,7d4cf6b??????????? Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Count 47 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Blocked 47 ---- EOF - GMER 2.2 ----