GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-23 11:38:24 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: hz9sfvui.exe; Driver: C:\Users\acer\AppData\Local\Temp\fwtcqaob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[1076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d31465 2 bytes [D3, 76] .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[1076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d314bb 2 bytes [D3, 76] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2072] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074e61a22 2 bytes [E6, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2072] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074e61ad0 2 bytes [E6, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2072] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074e61b08 2 bytes [E6, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2072] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074e61bba 2 bytes [E6, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2072] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074e61bda 2 bytes [E6, 74] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d31465 2 bytes [D3, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d314bb 2 bytes [D3, 76] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d31465 2 bytes [D3, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d314bb 2 bytes [D3, 76] .text ... * 2 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076811f1e 7 bytes JMP 00000001732a16b3 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076815bb5 7 bytes JMP 00000001732a11cc .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076821411 7 bytes JMP 00000001732a12a8 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007682ea3d 1 byte JMP 00000001732a1262 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW + 2 000000007682ea3f 5 bytes {JMP 0xfffffffffca72825} .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007683b203 5 bytes JMP 00000001732a15c8 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000768b88dc 7 bytes JMP 00000001732a1357 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000768b8961 5 bytes JMP 00000001732a16f4 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000768b8cb7 5 bytes JMP 00000001732a101e .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076cf130f 5 bytes JMP 00000001732a11e5 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076cf13bd 5 bytes JMP 00000001732a1019 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076cf2097 5 bytes JMP 00000001732a1573 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076cf22fd 5 bytes JMP 00000001732a128f .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ee8a29 5 bytes JMP 00000001732a1046 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076ef4572 5 bytes JMP 00000001732a10c8 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076f0e567 5 bytes JMP 00000001732a1433 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076f47a5c 5 bytes JMP 00000001732a15f0 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076a7e9a2 5 bytes JMP 00000001732a15e1 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076a7ebdc 5 bytes JMP 00000001732a11a9 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076625ea5 5 bytes JMP 00000001732a1618 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[4252] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076659d0b 5 bytes JMP 00000001732a123f .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007754af40 7 bytes JMP 000000016fff0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077554a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775729a0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007757efc0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775a99a0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775b94c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000775b9630 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000775da4f0 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe233450 1 byte JMP 000007fffe2200d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW + 2 000007fefe233452 5 bytes {JMP 0xfffffffffffecc88} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe239180 5 bytes JMP 000007fffe220180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe239320 5 bytes JMP 000007fffe220110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe23c5e0 6 bytes JMP 000007fffe220148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefeda89e0 8 bytes JMP 000007fffe2201f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefedabe40 8 bytes JMP 000007fffe2201b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe707490 11 bytes JMP 000007fffe220228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3752] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe71bf00 7 bytes JMP 000007fffe220260 .text C:\Windows\system32\Dwm.exe[6028] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe233450 1 byte JMP 000007fffe2200d8 .text C:\Windows\system32\Dwm.exe[6028] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW + 2 000007fefe233452 5 bytes {JMP 0xfffffffffffecc88} .text C:\Windows\system32\Dwm.exe[6028] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe239180 5 bytes JMP 000007fffe220180 .text C:\Windows\system32\Dwm.exe[6028] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe239320 5 bytes JMP 000007fffe220110 .text C:\Windows\system32\Dwm.exe[6028] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe23c5e0 6 bytes JMP 000007fffe220148 .text C:\Windows\system32\Dwm.exe[6028] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefeda89e0 8 bytes JMP 000007fffe2201f0 .text C:\Windows\system32\Dwm.exe[6028] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefedabe40 8 bytes JMP 000007fffe2201b8 .text C:\Windows\system32\Dwm.exe[6028] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef85c4da4 7 bytes JMP 000007fff85b00d8 .text C:\Windows\system32\Dwm.exe[6028] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef85e9af4 7 bytes JMP 000007fff85b0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007754af40 7 bytes JMP 000000016fff0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077554a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775729a0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007757efc0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775a99a0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775b94c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000775b9630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000775da4f0 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe233450 1 byte JMP 000007fffe2200d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW + 2 000007fefe233452 5 bytes {JMP 0xfffffffffffecc88} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe239180 5 bytes JMP 000007fffe220180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe239320 5 bytes JMP 000007fffe220110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe23c5e0 6 bytes JMP 000007fffe220148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefeda89e0 8 bytes JMP 000007fffe2201f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefedabe40 8 bytes JMP 000007fffe2201b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe707490 11 bytes JMP 000007fffe220228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4400] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe71bf00 7 bytes JMP 000007fffe220260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007754af40 7 bytes JMP 000000016fff0260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077554a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775729a0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007757efc0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775a99a0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775b94c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000775b9630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000775da4f0 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe233450 1 byte JMP 000007fffe2200d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW + 2 000007fefe233452 5 bytes {JMP 0xfffffffffffecc88} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe239180 5 bytes JMP 000007fffe220180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe239320 5 bytes JMP 000007fffe220110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe23c5e0 6 bytes JMP 000007fffe220148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe707490 11 bytes JMP 000007fffe220228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe71bf00 7 bytes JMP 000007fffe220260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefeda89e0 8 bytes JMP 000007fffe2201f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4612] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefedabe40 8 bytes JMP 000007fffe2201b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007754af40 7 bytes JMP 000000016fff0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077554a60 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775729a0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007757efc0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775a99a0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775b94c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000775b9630 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000775da4f0 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe233450 1 byte JMP 000007fffe2200d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW + 2 000007fefe233452 5 bytes {JMP 0xfffffffffffecc88} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe239180 5 bytes JMP 000007fffe220180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe239320 5 bytes JMP 000007fffe220110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe23c5e0 6 bytes JMP 000007fffe220148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefeda89e0 8 bytes JMP 000007fffe2201f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2292] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefedabe40 8 bytes JMP 000007fffe2201b8 .text C:\Windows\system32\taskeng.exe[4240] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe233450 1 byte JMP 000007fffe2200d8 .text C:\Windows\system32\taskeng.exe[4240] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW + 2 000007fefe233452 5 bytes {JMP 0xfffffffffffecc88} .text C:\Windows\system32\taskeng.exe[4240] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe239180 5 bytes JMP 000007fffe220180 .text C:\Windows\system32\taskeng.exe[4240] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe239320 5 bytes JMP 000007fffe220110 .text C:\Windows\system32\taskeng.exe[4240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe23c5e0 6 bytes JMP 000007fffe220148 .text C:\Windows\system32\taskeng.exe[4240] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefeda89e0 8 bytes JMP 000007fffe2201f0 .text C:\Windows\system32\taskeng.exe[4240] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefedabe40 8 bytes JMP 000007fffe2201b8 .text C:\Windows\system32\taskeng.exe[4240] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe707490 11 bytes JMP 000007fffe220228 .text C:\Windows\system32\taskeng.exe[4240] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe71bf00 7 bytes JMP 000007fffe220260 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076811f1e 7 bytes JMP 00000001732a16b3 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076815bb5 7 bytes JMP 00000001732a11cc .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076821411 7 bytes JMP 00000001732a12a8 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007682ea3d 1 byte JMP 00000001732a1262 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW + 2 000000007682ea3f 5 bytes {JMP 0xfffffffffca72825} .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007683b203 5 bytes JMP 00000001732a15c8 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000768b88dc 7 bytes JMP 00000001732a1357 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000768b8961 5 bytes JMP 00000001732a16f4 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000768b8cb7 5 bytes JMP 00000001732a101e .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076cf130f 5 bytes JMP 00000001732a11e5 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076cf13bd 5 bytes JMP 00000001732a1019 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076cf2097 5 bytes JMP 00000001732a1573 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076cf22fd 5 bytes JMP 00000001732a128f .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076a7e9a2 5 bytes JMP 00000001732a15e1 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076a7ebdc 5 bytes JMP 00000001732a11a9 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ee8a29 5 bytes JMP 00000001732a1046 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076ef4572 5 bytes JMP 00000001732a10c8 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076f0e567 5 bytes JMP 00000001732a1433 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076f47a5c 5 bytes JMP 00000001732a15f0 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076625ea5 5 bytes JMP 00000001732a1618 .text C:\Users\acer\Desktop\programy\hz9sfvui.exe[6120] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076659d0b 5 bytes JMP 00000001732a123f ---- EOF - GMER 2.1 ----