GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-08-18 17:18:45 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE4O 698,64GB Running: gmer.exe; Driver: C:\Users\WONIAK~1\AppData\Local\Temp\pwldapoc.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000d5a00 7 bytes [80, 50, F3, FF, C1, 5C, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000d5a08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\Dwm.exe[1848] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1c8830 8 bytes JMP 000007fefce201f0 .text C:\Windows\system32\Dwm.exe[1848] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1cb9e0 8 bytes JMP 000007fefce201b8 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2864] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076921f0e 7 bytes JMP 00000000729e3c50 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2864] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076925bad 7 bytes JMP 00000000729e4290 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2864] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076931431 7 bytes JMP 00000000729e3ea0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2864] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007693ea85 7 bytes JMP 00000000729e3c40 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2864] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000769c906c 7 bytes JMP 00000000729e36c0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2864] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000769c90f1 5 bytes JMP 00000000729e3770 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2864] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000769c9447 5 bytes JMP 00000000729e36d0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2864] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075501e4c 5 bytes JMP 00000000729e3680 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2864] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075501efa 5 bytes JMP 00000000729e3640 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2864] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075502bdc 5 bytes JMP 00000000729e3780 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2864] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075502e7e 5 bytes JMP 00000000729e3480 .text C:\Windows\system32\taskeng.exe[6108] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd8c6d10 3 bytes JMP 000007fefce20228 .text C:\Windows\system32\taskeng.exe[6108] C:\Windows\system32\ole32.dll!CoCreateInstance + 4 000007fefd8c6d14 7 bytes [FF, CC, CC, CC, CC, CC, CC] .text C:\Windows\system32\taskeng.exe[6108] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd8db4f0 7 bytes JMP 000007fefce20260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076bca3e0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076bd3ef0 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076befff0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076bff3e0 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076c29c70 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076c39700 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076c58aa0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce532f0 7 bytes JMP 000007fefce200d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce5aa60 5 bytes JMP 000007fefce20180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce5ac00 5 bytes JMP 000007fefce20110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce69ac0 5 bytes JMP 000007fefce20148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1c8830 8 bytes JMP 000007fefce201f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1cb9e0 8 bytes JMP 000007fefce201b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd8c6d10 3 bytes JMP 000007fefce20228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\ole32.dll!CoCreateInstance + 4 000007fefd8c6d14 7 bytes [FF, CC, CC, CC, CC, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5832] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd8db4f0 7 bytes JMP 000007fefce20260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076bca3e0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076bd3ef0 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076befff0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076bff3e0 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076c29c70 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076c39700 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076c58aa0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce532f0 7 bytes JMP 000007fefce200d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce5aa60 5 bytes JMP 000007fefce20180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce5ac00 5 bytes JMP 000007fefce20110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce69ac0 5 bytes JMP 000007fefce20148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1c8830 8 bytes JMP 000007fefce201f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1cb9e0 8 bytes JMP 000007fefce201b8 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076921f0e 7 bytes JMP 00000000729e3c50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076925bad 7 bytes JMP 00000000729e4290 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076931431 7 bytes JMP 00000000729e3ea0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007693ea85 7 bytes JMP 00000000729e3c40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000769c906c 7 bytes JMP 00000000729e36c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000769c90f1 5 bytes JMP 00000000729e3770 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000769c9447 5 bytes JMP 00000000729e36d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075501e4c 5 bytes JMP 00000000729e3680 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075501efa 5 bytes JMP 00000000729e3640 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075502bdc 5 bytes JMP 00000000009d8c60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075502e7e 5 bytes JMP 00000000729e3480 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076278a39 5 bytes JMP 00000000729e2b20 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076284582 5 bytes JMP 00000000729e3400 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007629e587 5 bytes JMP 00000000729e3470 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000762c08ab 5 bytes JMP 00000000729e2960 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000762d7b24 5 bytes JMP 00000000729e33e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000749de74f 3 bytes JMP 00000000729e2c60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList + 4 00000000749de753 1 byte [FE] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000749de989 3 bytes JMP 00000000729e2c70 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo + 4 00000000749de98d 1 byte [FE] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074c65e75 5 bytes JMP 00000000729e2ae0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074c99cbb 5 bytes JMP 00000000729e2a70 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074dc1401 2 bytes JMP 7694b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074dc1419 2 bytes JMP 7694b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074dc1431 2 bytes JMP 769c90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074dc144a 2 bytes CALL 769248ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074dc14dd 2 bytes JMP 769c89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074dc14f5 2 bytes JMP 769c8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074dc150d 2 bytes JMP 769c88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074dc1525 2 bytes JMP 769c8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074dc153d 2 bytes JMP 7693fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074dc1555 2 bytes JMP 76946937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074dc156d 2 bytes JMP 769c91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074dc1585 2 bytes JMP 769c8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074dc159d 2 bytes JMP 769c88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074dc15b5 2 bytes JMP 7693fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074dc15cd 2 bytes JMP 7694b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074dc16b2 2 bytes JMP 769c906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074dc16bd 2 bytes JMP 769c8839 C:\Windows\syswow64\kernel32.dll .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076921f0e 7 bytes JMP 00000000729e3c50 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076925bad 7 bytes JMP 00000000729e4290 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076931431 7 bytes JMP 00000000729e3ea0 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007693ea85 7 bytes JMP 00000000729e3c40 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000769c906c 7 bytes JMP 00000000729e36c0 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000769c90f1 5 bytes JMP 00000000729e3770 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000769c9447 5 bytes JMP 00000000729e36d0 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075501e4c 5 bytes JMP 00000000729e3680 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075501efa 5 bytes JMP 00000000729e3640 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075502bdc 5 bytes JMP 00000000729e3780 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075502e7e 5 bytes JMP 00000000729e3480 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000749de74f 3 bytes JMP 00000000729e2c60 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList + 4 00000000749de753 1 byte [FE] .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000749de989 3 bytes JMP 00000000729e2c70 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo + 4 00000000749de98d 1 byte [FE] .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076284582 5 bytes JMP 00000000729e3400 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007629e587 5 bytes JMP 00000000729e3470 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000762c08ab 5 bytes JMP 00000000729e2960 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000762d7b24 5 bytes JMP 00000000729e33e0 .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000072a11003 2 bytes [A1, 72] .text C:\Users\WoŸniak\Desktop\gmer.exe[5372] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000072a11016 2 bytes [A1, 72] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\mfevtps.exe[2476] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13fadb9a0] C:\Windows\system32\mfevtps.exe ---- Threads - GMER 2.2 ---- Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2532] 0000000077017ad8 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2548] 0000000077011697 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2624] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2628] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2632] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2636] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2640] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2644] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2648] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2652] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2656] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:2660] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3480] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3484] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3488] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3712] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3720] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3728] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3732] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3736] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3740] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3744] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3752] 0000000077017ad8 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3796] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:3140] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:1088] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:4560] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:6096] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:4952] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:5564] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:4348] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:4980] 00000000726429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2504:1988] 00000000726429e1 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\74e543121725 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\74e543121725@ccfe3c60a66a 0x9B 0x45 0xDA 0x12 ... Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\74e543121725@e892a44a6e46 0x26 0xB2 0x0C 0xCA ... Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\74e543121725@ccfa0000447b 0x21 0xF6 0xC2 0xAA ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e543121725 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e543121725@ccfe3c60a66a 0x9B 0x45 0xDA 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e543121725@e892a44a6e46 0x26 0xB2 0x0C 0xCA ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e543121725@ccfa0000447b 0x21 0xF6 0xC2 0xAA ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\74e543121725 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\74e543121725@ccfe3c60a66a 0x9B 0x45 0xDA 0x12 ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\74e543121725@e892a44a6e46 0x26 0xB2 0x0C 0xCA ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\74e543121725@ccfa0000447b 0x21 0xF6 0xC2 0xAA ... ---- EOF - GMER 2.2 ----