GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-25 19:19:37 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d HGST_HTS545050A7E380 rev.GG2OACA0 465,76GB Running: yoyododr.exe; Driver: C:\Users\HP\AppData\Local\Temp\kgldrpow.sys ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff919d95220 5 bytes JMP 00007ff899ed0480 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff919d952c0 5 bytes JMP 00007ff899ed0470 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff919d95580 5 bytes JMP 00007ff899ed0360 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff919d95620 5 bytes JMP 00007ff899ed0490 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff919d95640 1 byte JMP 00007ff899ed03d0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 00007ff919d95642 3 bytes {JMP 0xffffffff8013ad90} .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff919d957a0 5 bytes JMP 00007ff899ed0310 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff919d95800 5 bytes JMP 00007ff899ed03a0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff919d95840 5 bytes JMP 00007ff899ed0380 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff919d958c0 5 bytes JMP 00007ff899ed02d0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff919d959c0 5 bytes JMP 00007ff899ed02c0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff919d95a00 5 bytes JMP 00007ff899ed0300 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff919d95a80 5 bytes JMP 00007ff899ed03b0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeThread 00007ff919d95b00 5 bytes JMP 00007ff899ed0440 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff919d95b20 5 bytes JMP 00007ff899ed03e0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff919d95db0 5 bytes JMP 00007ff899ed0220 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff919d961b0 5 bytes JMP 00007ff899ed04a0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff919d96210 5 bytes JMP 00007ff899ed0390 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff919d96490 5 bytes JMP 00007ff899ed02e0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff919d964d0 5 bytes JMP 00007ff899ed0340 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff919d965b0 5 bytes JMP 00007ff899ed0280 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff919d966f0 5 bytes JMP 00007ff899ed02a0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff919d96730 1 byte JMP 00007ff899ed03c0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00007ff919d96732 3 bytes {JMP 0xffffffff80139c90} .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff919d96750 5 bytes JMP 00007ff899ed0320 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff919d968b0 5 bytes JMP 00007ff899ed0410 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff919d96910 5 bytes JMP 00007ff899ed0230 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff919d96d30 5 bytes JMP 00007ff899ed03f0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff919d96f90 5 bytes JMP 00007ff899ed01d0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff919d97150 5 bytes JMP 00007ff899ed0240 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff919d971b0 5 bytes JMP 00007ff899ed04b0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff919d971d0 5 bytes JMP 00007ff899ed04c0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff919d97230 5 bytes JMP 00007ff899ed02f0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff919d97250 5 bytes JMP 00007ff899ed0350 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff919d97310 5 bytes JMP 00007ff899ed0290 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff919d973d0 5 bytes JMP 00007ff899ed02b0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff919d97430 5 bytes JMP 00007ff899ed0370 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff919d97450 5 bytes JMP 00007ff899ed0330 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff919d97a70 5 bytes JMP 00007ff899ed0460 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeProcess 00007ff919d97d30 5 bytes JMP 00007ff899ed0420 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff919d97e90 5 bytes JMP 00007ff899ed0250 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff919d97eb0 5 bytes JMP 00007ff899ed0260 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff919d97ef0 5 bytes JMP 00007ff899ed0400 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff919d982d0 5 bytes JMP 00007ff899ed01e0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff919d982f0 5 bytes JMP 00007ff899ed0200 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff919d98410 5 bytes JMP 00007ff899ed01f0 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff919d984f0 5 bytes JMP 00007ff899ed0430 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff919d98510 5 bytes JMP 00007ff899ed0450 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff919d98530 5 bytes JMP 00007ff899ed0210 .text C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff919d98750 5 bytes JMP 00007ff899ed0270 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff919d95220 5 bytes JMP 00007ff899ed0480 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff919d952c0 5 bytes JMP 00007ff899ed0470 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff919d95580 5 bytes JMP 00007ff899ed0360 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff919d95620 5 bytes JMP 00007ff899ed0490 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff919d95640 1 byte JMP 00007ff899ed03d0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 00007ff919d95642 3 bytes {JMP 0xffffffff8013ad90} .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff919d957a0 5 bytes JMP 00007ff899ed0310 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff919d95800 5 bytes JMP 00007ff899ed03a0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff919d95840 5 bytes JMP 00007ff899ed0380 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff919d958c0 5 bytes JMP 00007ff899ed02d0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff919d959c0 5 bytes JMP 00007ff899ed02c0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff919d95a00 5 bytes JMP 00007ff899ed0300 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff919d95a80 5 bytes JMP 00007ff899ed03b0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeThread 00007ff919d95b00 5 bytes JMP 00007ff899ed0440 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff919d95b20 5 bytes JMP 00007ff899ed03e0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff919d95db0 5 bytes JMP 00007ff899ed0220 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff919d961b0 5 bytes JMP 00007ff899ed04a0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff919d96210 5 bytes JMP 00007ff899ed0390 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff919d96490 5 bytes JMP 00007ff899ed02e0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff919d964d0 5 bytes JMP 00007ff899ed0340 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff919d965b0 5 bytes JMP 00007ff899ed0280 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff919d966f0 5 bytes JMP 00007ff899ed02a0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff919d96730 1 byte JMP 00007ff899ed03c0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00007ff919d96732 3 bytes {JMP 0xffffffff80139c90} .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff919d96750 5 bytes JMP 00007ff899ed0320 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff919d968b0 5 bytes JMP 00007ff899ed0410 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff919d96910 5 bytes JMP 00007ff899ed0230 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff919d96d30 5 bytes JMP 00007ff899ed03f0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff919d96f90 5 bytes JMP 00007ff899ed01d0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff919d97150 5 bytes JMP 00007ff899ed0240 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff919d971b0 5 bytes JMP 00007ff899ed04b0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff919d971d0 5 bytes JMP 00007ff899ed04c0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff919d97230 5 bytes JMP 00007ff899ed02f0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff919d97250 5 bytes JMP 00007ff899ed0350 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff919d97310 5 bytes JMP 00007ff899ed0290 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff919d973d0 5 bytes JMP 00007ff899ed02b0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff919d97430 5 bytes JMP 00007ff899ed0370 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff919d97450 5 bytes JMP 00007ff899ed0330 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff919d97a70 5 bytes JMP 00007ff899ed0460 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeProcess 00007ff919d97d30 5 bytes JMP 00007ff899ed0420 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff919d97e90 5 bytes JMP 00007ff899ed0250 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff919d97eb0 5 bytes JMP 00007ff899ed0260 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff919d97ef0 5 bytes JMP 00007ff899ed0400 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff919d982d0 5 bytes JMP 00007ff899ed01e0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff919d982f0 5 bytes JMP 00007ff899ed0200 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff919d98410 5 bytes JMP 00007ff899ed01f0 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff919d984f0 5 bytes JMP 00007ff899ed0430 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff919d98510 5 bytes JMP 00007ff899ed0450 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff919d98530 5 bytes JMP 00007ff899ed0210 .text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff919d98750 5 bytes JMP 00007ff899ed0270 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff919d95220 5 bytes JMP 00007ff899ed0480 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff919d952c0 5 bytes JMP 00007ff899ed0470 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff919d95580 5 bytes JMP 00007ff899ed0360 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff919d95620 5 bytes JMP 00007ff899ed0490 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff919d95640 1 byte JMP 00007ff899ed03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 00007ff919d95642 3 bytes {JMP 0xffffffff8013ad90} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff919d957a0 5 bytes JMP 00007ff899ed0310 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff919d95800 5 bytes JMP 00007ff899ed03a0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff919d95840 5 bytes JMP 00007ff899ed0380 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff919d958c0 5 bytes JMP 00007ff899ed02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff919d959c0 5 bytes JMP 00007ff899ed02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff919d95a00 5 bytes JMP 00007ff899ed0300 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff919d95a80 5 bytes JMP 00007ff899ed03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeThread 00007ff919d95b00 5 bytes JMP 00007ff899ed0440 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff919d95b20 5 bytes JMP 00007ff899ed03e0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff919d95db0 5 bytes JMP 00007ff899ed0220 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff919d961b0 5 bytes JMP 00007ff899ed04a0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff919d96210 5 bytes JMP 00007ff899ed0390 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff919d96490 5 bytes JMP 00007ff899ed02e0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff919d964d0 5 bytes JMP 00007ff899ed0340 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff919d965b0 5 bytes JMP 00007ff899ed0280 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff919d966f0 5 bytes JMP 00007ff899ed02a0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff919d96730 1 byte JMP 00007ff899ed03c0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00007ff919d96732 3 bytes {JMP 0xffffffff80139c90} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff919d96750 5 bytes JMP 00007ff899ed0320 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff919d968b0 5 bytes JMP 00007ff899ed0410 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff919d96910 5 bytes JMP 00007ff899ed0230 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff919d96d30 5 bytes JMP 00007ff899ed03f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff919d96f90 5 bytes JMP 00007ff899ed01d0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff919d97150 5 bytes JMP 00007ff899ed0240 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff919d971b0 5 bytes JMP 00007ff899ed04b0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff919d971d0 5 bytes JMP 00007ff899ed04c0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff919d97230 5 bytes JMP 00007ff899ed02f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff919d97250 5 bytes JMP 00007ff899ed0350 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff919d97310 5 bytes JMP 00007ff899ed0290 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff919d973d0 5 bytes JMP 00007ff899ed02b0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff919d97430 5 bytes JMP 00007ff899ed0370 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff919d97450 5 bytes JMP 00007ff899ed0330 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff919d97a70 5 bytes JMP 00007ff899ed0460 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeProcess 00007ff919d97d30 5 bytes JMP 00007ff899ed0420 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff919d97e90 5 bytes JMP 00007ff899ed0250 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff919d97eb0 5 bytes JMP 00007ff899ed0260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff919d97ef0 5 bytes JMP 00007ff899ed0400 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff919d982d0 5 bytes JMP 00007ff899ed01e0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff919d982f0 5 bytes JMP 00007ff899ed0200 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff919d98410 5 bytes JMP 00007ff899ed01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff919d984f0 5 bytes JMP 00007ff899ed0430 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff919d98510 5 bytes JMP 00007ff899ed0450 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff919d98530 5 bytes JMP 00007ff899ed0210 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1624] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff919d98750 5 bytes JMP 00007ff899ed0270 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [636] entry point in ".rdata" section 000000006e588fa0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [2140] entry point in ".rdata" section 00000000727acaf0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2204] entry point in ".rdata" section 000000006e588fa0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [3836] entry point in ".rdata" section 000000006e588fa0 ? C:\Windows\SYSTEM32\iertutil.dll [3836] entry point in ".rdata" section 00000000727acaf0 ? C:\Windows\SYSTEM32\ActXPrxy.dll [3836] entry point in ".rdata" section 000000006c76bc40 ? C:\WINDOWS\SYSTEM32\apphelp.dll [3836] entry point in ".rdata" section 000000006d870380 ? C:\WINDOWS\system32\mssprxy.dll [3836] entry point in ".rdata" section 000000006f19a4e0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [3868] entry point in ".rdata" section 000000006e588fa0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff919d95220 5 bytes JMP 00007ff899ed0480 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff919d952c0 5 bytes JMP 00007ff899ed0470 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff919d95580 5 bytes JMP 00007ff899ed0360 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff919d95620 5 bytes JMP 00007ff899ed0490 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff919d95640 1 byte JMP 00007ff899ed03d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 00007ff919d95642 3 bytes {JMP 0xffffffff8013ad90} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff919d957a0 5 bytes JMP 00007ff899ed0310 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff919d95800 5 bytes JMP 00007ff899ed03a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff919d95840 5 bytes JMP 00007ff899ed0380 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff919d958c0 5 bytes JMP 00007ff899ed02d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff919d959c0 5 bytes JMP 00007ff899ed02c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff919d95a00 5 bytes JMP 00007ff899ed0300 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff919d95a80 5 bytes JMP 00007ff899ed03b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeThread 00007ff919d95b00 5 bytes JMP 00007ff899ed0440 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff919d95b20 5 bytes JMP 00007ff899ed03e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff919d95db0 5 bytes JMP 00007ff899ed0220 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff919d961b0 5 bytes JMP 00007ff899ed04a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff919d96210 5 bytes JMP 00007ff899ed0390 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff919d96490 5 bytes JMP 00007ff899ed02e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff919d964d0 5 bytes JMP 00007ff899ed0340 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff919d965b0 5 bytes JMP 00007ff899ed0280 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff919d966f0 5 bytes JMP 00007ff899ed02a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff919d96730 1 byte JMP 00007ff899ed03c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00007ff919d96732 3 bytes {JMP 0xffffffff80139c90} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff919d96750 5 bytes JMP 00007ff899ed0320 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff919d968b0 5 bytes JMP 00007ff899ed0410 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff919d96910 5 bytes JMP 00007ff899ed0230 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff919d96d30 5 bytes JMP 00007ff899ed03f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff919d96f90 5 bytes JMP 00007ff899ed01d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff919d97150 5 bytes JMP 00007ff899ed0240 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff919d971b0 5 bytes JMP 00007ff899ed04b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff919d971d0 5 bytes JMP 00007ff899ed04c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff919d97230 5 bytes JMP 00007ff899ed02f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff919d97250 5 bytes JMP 00007ff899ed0350 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff919d97310 5 bytes JMP 00007ff899ed0290 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff919d973d0 5 bytes JMP 00007ff899ed02b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff919d97430 5 bytes JMP 00007ff899ed0370 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff919d97450 5 bytes JMP 00007ff899ed0330 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff919d97a70 5 bytes JMP 00007ff899ed0460 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeProcess 00007ff919d97d30 5 bytes JMP 00007ff899ed0420 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff919d97e90 5 bytes JMP 00007ff899ed0250 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff919d97eb0 5 bytes JMP 00007ff899ed0260 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff919d97ef0 5 bytes JMP 00007ff899ed0400 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff919d982d0 5 bytes JMP 00007ff899ed01e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff919d982f0 5 bytes JMP 00007ff899ed0200 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff919d98410 5 bytes JMP 00007ff899ed01f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff919d984f0 5 bytes JMP 00007ff899ed0430 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff919d98510 5 bytes JMP 00007ff899ed0450 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff919d98530 5 bytes JMP 00007ff899ed0210 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5892] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff919d98750 5 bytes JMP 00007ff899ed0270 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6516] entry point in ".rdata" section 00000000727acaf0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [6516] entry point in ".rdata" section 000000006e588fa0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [6684] entry point in ".rdata" section 000000006e588fa0 ? C:\WINDOWS\system32\apphelp.dll [8700] entry point in ".rdata" section 000000006d870380 ? C:\Windows\SYSTEM32\ActXPrxy.dll [8700] entry point in ".rdata" section 000000006c76bc40 ? C:\WINDOWS\system32\apphelp.dll [5124] entry point in ".rdata" section 000000006d870380 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [700:728] fffff96041204060 Thread C:\WINDOWS\system32\svchost.exe [1100:2852] 00007ff90aa91240 Thread C:\WINDOWS\system32\svchost.exe [1100:2868] 00007ff90abf9490 Thread C:\WINDOWS\system32\svchost.exe [1100:2904] 00007ff90a8e29b0 Thread C:\WINDOWS\system32\svchost.exe [1100:3520] 00007ff9088c3d30 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [628:5836] 00007ff8fb002220 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [628:5168] 00007ff8fafe7a50 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [628:5248] 00007ff8fb053290 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [628:5188] 00007ff8fafeff40 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [628:4204] 00007ff8fb053290 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [628:4596] 00007ff8fb04ffe0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 559472217 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\485ab667dfee Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x49 0x69 0xE7 0xC5 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x49 0xD1 0xAB 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x49 0x01 0x23 0x64 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x44 0x92 0x0F 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask 0x64 0x62 0x03 0x00 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----