GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-01 19:52:52
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006e ATA_____ rev.1A01 931,51GB
Running: 9r4hbng8.exe; Driver: C:\Users\admin\AppData\Local\Temp\awddakog.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdca2db0 5 bytes JMP 000007fffdc90180
.text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdca37d0 7 bytes JMP 000007fffdc900d8
.text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdca8ef0 6 bytes JMP 000007fffdc90148
.text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdcbaf60 5 bytes JMP 000007fffdc90110
.text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe7789f0 8 bytes JMP 000007fffdc901f0
.text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe77be50 8 bytes JMP 000007fffdc901b8
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076e41f0e 7 bytes JMP 0000000172fd3d10
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076e45bad 7 bytes JMP 0000000172fd46b0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076e51409 7 bytes JMP 0000000172fd4050
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076e5ea45 7 bytes JMP 0000000172fd3d00
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076ee8e24 7 bytes JMP 0000000172fd37c0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076ee8ea9 5 bytes JMP 0000000172fd3870
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076ee91ff 5 bytes JMP 0000000172fd37d0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077891d29 5 bytes JMP 0000000172fd3780
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077891dd7 5 bytes JMP 0000000172fd3740
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077892ab1 5 bytes JMP 0000000100f02ac0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077892d17 5 bytes JMP 0000000172fd3560
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000077338a29 5 bytes JMP 0000000172fd2c50
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000077344572 5 bytes JMP 0000000172fd34e0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007735e567 5 bytes JMP 0000000172fd3550
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000773807d7 5 bytes JMP 0000000172fd2a60
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000077397a5c 5 bytes JMP 0000000172fd34d0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075a4e96b 5 bytes JMP 0000000172fd2d70
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3656] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075a4eba5 5 bytes JMP 0000000172fd2d80
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 0000000076e41f0e 7 bytes JMP 0000000172fd3d10
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 0000000076e45bad 7 bytes JMP 0000000172fd46b0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000076e51409 7 bytes JMP 0000000172fd4050
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 0000000076e5ea45 7 bytes JMP 0000000172fd3d00
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 0000000076ee8e24 7 bytes JMP 0000000172fd37c0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000076ee8ea9 5 bytes JMP 0000000172fd3870
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000076ee91ff 5 bytes JMP 0000000172fd37d0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077891d29 5 bytes JMP 0000000172fd3780
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077891dd7 5 bytes JMP 0000000172fd3740
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077892ab1 5 bytes JMP 0000000172fd3880
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077892d17 5 bytes JMP 0000000172fd3560
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000077338a29 5 bytes JMP 0000000172fd2c50
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000077344572 5 bytes JMP 0000000172fd34e0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007735e567 5 bytes JMP 0000000172fd3550
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000773807d7 5 bytes JMP 0000000172fd2a60
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5988] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000077397a5c 5 bytes JMP 0000000172fd34d0
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077cd1380 10 bytes {MOV EAX, 0x334ca; MOVSXD RAX, EAX; JMP RAX}
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077cd1550 10 bytes {MOV EAX, 0x334f6; MOVSXD RAX, EAX; JMP RAX}
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cd1650 10 bytes {MOV EAX, 0x3331f; MOVSXD RAX, EAX; JMP RAX}
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cd1700 10 bytes {MOV EAX, 0x33406; MOVSXD RAX, EAX; JMP RAX}
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cd1750 10 bytes {MOV EAX, 0x33522; MOVSXD RAX, EAX; JMP RAX}
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cd1790 10 bytes {MOV EAX, 0x3336b; MOVSXD RAX, EAX; JMP RAX}
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cd1d30 10 bytes {MOV EAX, 0x333b7; MOVSXD RAX, EAX; JMP RAX}
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077cd2130 10 bytes {MOV EAX, 0x3356e; MOVSXD RAX, EAX; JMP RAX}
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cd25c0 10 bytes {MOV EAX, 0x33452; MOVSXD RAX, EAX; JMP RAX}
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cd27e0 10 bytes {MOV EAX, 0x3349e; MOVSXD RAX, EAX; JMP RAX}
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cd29a0 10 bytes {MOV EAX, 0x335c6; MOVSXD RAX, EAX; JMP RAX}
.text C:\Windows\system32\AUDIODG.EXE[5580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000077cd29c0 10 bytes {MOV EAX, 0x3359a; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077cd1380 10 bytes {MOV EAX, 0x334ca; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077cd1550 10 bytes {MOV EAX, 0x334f6; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cd1650 10 bytes {MOV EAX, 0x3331f; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cd1700 10 bytes {MOV EAX, 0x33406; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cd1750 10 bytes {MOV EAX, 0x33522; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cd1790 10 bytes {MOV EAX, 0x3336b; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cd1d30 10 bytes {MOV EAX, 0x333b7; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077cd2130 10 bytes {MOV EAX, 0x3356e; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cd25c0 10 bytes {MOV EAX, 0x33452; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cd27e0 10 bytes {MOV EAX, 0x3349e; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cd29a0 10 bytes {MOV EAX, 0x335c6; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000077cd29c0 10 bytes {MOV EAX, 0x3359a; MOVSXD RAX, EAX; JMP RAX}
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000077a6a400 7 bytes JMP 000000016fff0228
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077a73f20 5 bytes JMP 000000016fff0180
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077a8ffb0 5 bytes JMP 000000016fff01b8
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077a9f2e0 5 bytes JMP 000000016fff0110
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ac9a30 7 bytes JMP 000000016fff00d8
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ad94c0 5 bytes JMP 000000016fff0148
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077af87e0 7 bytes JMP 000000016fff01f0
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdca2db0 5 bytes JMP 000007fffdbe0180
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdca37d0 7 bytes JMP 000007fffdbe00d8
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdca8ef0 6 bytes JMP 000007fffdbe0148
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdcbaf60 5 bytes JMP 000007fffdbe0110
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe7789f0 8 bytes JMP 000007fffdbe01f0
.text C:\Users\admin\Desktop\logi\FRST64.exe[3456] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe77be50 8 bytes JMP 000007fffdbe01b8
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 1 0000000077e7fc81 3 bytes [BC, 3A, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077e7fc85 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 1 0000000077e7fe15 3 bytes [65, 39, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 5 0000000077e7fe19 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 1 0000000077e7ff25 3 bytes [F8, 39, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 5 0000000077e7ff29 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 1 0000000077e7ffa5 3 bytes [ED, 3A, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 0000000077e7ffa9 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 1 0000000077e80005 3 bytes [96, 39, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077e80009 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 1 0000000077e808a5 3 bytes [C7, 39, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 0000000077e808a9 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077e80ed9 3 bytes [1E, 3B, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077e80edd 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 1 0000000077e815d5 3 bytes [29, 3A, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 5 0000000077e815d9 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 1 0000000077e81921 3 bytes [5A, 3A, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 5 0000000077e81925 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 1 0000000077e81be5 3 bytes [80, 3B, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 5 0000000077e81be9 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077e81c15 3 bytes [4F, 3B, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077e81c19 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076e41f0e 7 bytes JMP 0000000172fd3d10
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076e45bad 7 bytes JMP 0000000172fd46b0
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076e51409 7 bytes JMP 0000000172fd4050
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076e5ea45 7 bytes JMP 0000000172fd3d00
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076ee8e24 7 bytes JMP 0000000172fd37c0
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076ee8ea9 5 bytes JMP 0000000172fd3870
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076ee91ff 5 bytes JMP 0000000172fd37d0
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077891d29 5 bytes JMP 0000000172fd3780
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077891dd7 5 bytes JMP 0000000172fd3740
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077892ab1 5 bytes JMP 0000000172fd3880
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077892d17 5 bytes JMP 0000000172fd3560
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075a4e96b 5 bytes JMP 0000000172fd2d70
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075a4eba5 5 bytes JMP 0000000172fd2d80
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000773372a5 3 bytes [13, 3C, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000773372a9 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000077338a29 5 bytes JMP 0000000172fd2c50
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000077338be0 3 bytes [44, 3C, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000077338be4 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000077341286 3 bytes [E2, 3B, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007734128a 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000077344572 5 bytes JMP 0000000172fd34e0
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007735e567 5 bytes JMP 0000000172fd3550
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007735ff4b 3 bytes [75, 3C, 19]
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007735ff4f 2 bytes {JMP RAX}
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000773807d7 5 bytes JMP 0000000172fd2a60
.text C:\Users\admin\Desktop\logi\9r4hbng8.exe[5944] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000077397a5c 5 bytes JMP 0000000172fd34d0

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ????????????#???? ???????U?????????????,????????X???V?????????????????????????????????????????????????X?????????????????DISPLAY\LGD03DE\4&11b9bcd7&0&12345678&00&02??????????????n??? ??lu??????? ?????????????????????,??????????????#?????????????????????????\\?\DISPLAY#LGD03DE#4&11b9bcd7&0&12345678&00&02#{866519b5-3f07-4c97-b7df-24c5d8a8ccb8}??????????????#???? ???????T?????????????,?????????? ?&???????????????????????? ???????????????????/?,??2?????????w????????????????????????????????????????????????????????????}??msmouse.inf:MSMfg.NTamd64:HID_Mouse_Inst:6.1.7600.16385::hid_device_system_mouse????SAMSUNG_Android?????????????? ???????????????????/?,??????????????????????????e?????@hal.inf,%gendev_mfg%;(Komputery standardowe)???????????????????6.1.7600.16385???????????????j?????e?u??FF??????????????????? \??????I??????????????????????????????????????????????? ???????????????????/?,??2?????????w????????????????????????????????????????????????????????????}??msmouse.inf:MSMfg.NTamd64:HID_Mouse_Inst:6.1.7600.16385
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\543530965c14
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\543530965c14 (not active ControlSet)

---- EOF - GMER 2.1 ----