GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-02-19 02:30:44 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002c ST1000LM024_HN-M101MBB rev.2AR10001 931,51GB Running: gmer.exe; Driver: C:\Users\Admin\AppData\Local\Temp\kwliapog.sys ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb900d0298 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb900d0340 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb900d0260 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb900d02d0 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb900d01f0 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb900d0228 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb900d0308 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffb9205a9c0 10 bytes JMP 00007ffb900d0420 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffb9206fb60 5 bytes JMP 00007ffb900d03b0 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffb920738e0 7 bytes JMP 00007ffb900d0458 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffb92073ac0 5 bytes JMP 00007ffb900d03e8 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffb920752d0 9 bytes JMP 00007ffb900d0378 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1208] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb900d0298 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1208] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb900d0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1208] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb900d0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1208] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb900d02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1208] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb900d01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1208] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb900d0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1208] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb900d0308 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1208] C:\WINDOWS\system32\combase.dll!CoCreateInstance 00007ffb92d37000 5 bytes JMP 00007ffb900d0768 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1208] C:\WINDOWS\system32\combase.dll!CoSetProxyBlanket 00007ffb92d5e400 7 bytes JMP 00007ffb900d07a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4892] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb8faa0298 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4892] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb8faa0340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4892] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb8faa0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4892] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb8faa02d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4892] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb8faa01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4892] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb8faa0228 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4892] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb8faa0308 .text C:\WINDOWS\system32\taskhostw.exe[4944] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb900d0298 .text C:\WINDOWS\system32\taskhostw.exe[4944] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb900d0340 .text C:\WINDOWS\system32\taskhostw.exe[4944] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb900d0260 .text C:\WINDOWS\system32\taskhostw.exe[4944] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb900d02d0 .text C:\WINDOWS\system32\taskhostw.exe[4944] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb900d01f0 .text C:\WINDOWS\system32\taskhostw.exe[4944] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb900d0228 .text C:\WINDOWS\system32\taskhostw.exe[4944] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb900d0308 .text C:\WINDOWS\system32\sihost.exe[5020] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb900d0298 .text C:\WINDOWS\system32\sihost.exe[5020] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb900d0340 .text C:\WINDOWS\system32\sihost.exe[5020] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb900d0260 .text C:\WINDOWS\system32\sihost.exe[5020] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb900d02d0 .text C:\WINDOWS\system32\sihost.exe[5020] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb900d01f0 .text C:\WINDOWS\system32\sihost.exe[5020] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb900d0228 .text C:\WINDOWS\system32\sihost.exe[5020] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb900d0308 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5648] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb8faa0298 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5648] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb8faa0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5648] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb8faa0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5648] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb8faa02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5648] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb8faa01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5648] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb8faa0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5648] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb8faa0308 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb8faa0298 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb8faa0340 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb8faa0260 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb8faa02d0 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb8faa01f0 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb8faa0228 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb8faa0308 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffb9205a9c0 10 bytes JMP 00007ffb8faa0420 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffb9206fb60 5 bytes JMP 00007ffb8faa03b0 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffb920738e0 7 bytes JMP 00007ffb8faa0458 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffb92073ac0 5 bytes JMP 00007ffb8faa03e8 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffb920752d0 9 bytes JMP 00007ffb8faa0378 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\combase.dll!CoCreateInstance 00007ffb92d37000 5 bytes JMP 00007ffb8faa0500 .text C:\WINDOWS\system32\igfxEM.exe[4216] C:\WINDOWS\system32\combase.dll!CoSetProxyBlanket 00007ffb92d5e400 7 bytes JMP 00007ffb8faa0538 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb900d0298 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb900d0340 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb900d0260 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb900d02d0 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb900d01f0 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb900d0228 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb900d0308 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffb9205a9c0 10 bytes JMP 00007ffb900d0420 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffb9206fb60 5 bytes JMP 00007ffb900d03b0 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffb920738e0 7 bytes JMP 00007ffb900d0458 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffb92073ac0 5 bytes JMP 00007ffb900d03e8 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffb920752d0 9 bytes JMP 00007ffb900d0378 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\combase.dll!CoCreateInstance 00007ffb92d37000 5 bytes JMP 00007ffb900d0500 .text C:\WINDOWS\system32\igfxHK.exe[6160] C:\WINDOWS\system32\combase.dll!CoSetProxyBlanket 00007ffb92d5e400 7 bytes JMP 00007ffb900d0538 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[6292] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb900d0298 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[6292] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb900d0340 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[6292] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb900d0260 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[6292] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb900d02d0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[6292] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb900d01f0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[6292] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb900d0228 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[6292] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb900d0308 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[6512] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb8faa0298 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[6512] C:\WINDOWS\system32\KERNEL32.DLL!SetUnhandledExceptionFilter 00007ffb92940d80 5 bytes [90, 33, C0, 90, C3] .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[6512] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb8faa0340 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[6512] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb8faa0260 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[6512] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb8faa02d0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[6512] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb8faa01f0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[6512] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb8faa0228 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[6512] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb8faa0308 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6540] entry point in ".rdata" section 00000000719d0350 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [6540] entry point in ".rdata" section 0000000071765630 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6756] entry point in ".rdata" section 00000000719d0350 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [6756] entry point in ".rdata" section 000000006f028fa0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [6756] entry point in ".rdata" section 0000000071765630 ? C:\Windows\SYSTEM32\ActXPrxy.dll [6756] entry point in ".rdata" section 0000000066b4a7a0 .text C:\Windows\System32\InstallAgent.exe[7036] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb900d0298 .text C:\Windows\System32\InstallAgent.exe[7036] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb900d0340 .text C:\Windows\System32\InstallAgent.exe[7036] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb900d0260 .text C:\Windows\System32\InstallAgent.exe[7036] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb900d02d0 .text C:\Windows\System32\InstallAgent.exe[7036] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb900d01f0 .text C:\Windows\System32\InstallAgent.exe[7036] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb900d0228 .text C:\Windows\System32\InstallAgent.exe[7036] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb900d0308 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [6676] entry point in ".rdata" section 000000006f028fa0 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[7152] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb8faa0298 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[7152] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb8faa0340 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[7152] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb8faa0260 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[7152] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb8faa02d0 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[7152] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb8faa01f0 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[7152] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb8faa0228 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[7152] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb8faa0308 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[7152] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory 00007ffb8b4e5de0 5 bytes JMP 00007ffb8b4d00d8 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[7152] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory1 00007ffb8b4e6180 5 bytes JMP 00007ffb8b4d0110 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2896] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb8faa0298 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2896] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb8faa0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2896] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb8faa0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2896] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb8faa02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2896] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb8faa01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2896] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb8faa0228 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2896] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb8faa0308 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7440] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb8faa0298 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7440] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb8faa0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7440] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb8faa0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7440] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb8faa02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7440] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb8faa01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7440] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb8faa0228 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7440] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb8faa0308 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1712] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb8faa0298 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1712] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb8faa0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1712] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb8faa0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1712] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb8faa02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1712] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb8faa01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1712] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb8faa0228 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1712] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb8faa0308 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1712] C:\WINDOWS\SYSTEM32\d3d9.dll!Direct3DCreate9Ex 00007ffb6f666070 5 bytes JMP 00007ffb8faa0810 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1712] C:\WINDOWS\SYSTEM32\d3d9.dll!Direct3DCreate9 00007ffb6f66f240 6 bytes JMP 00007ffb8faa07d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1712] C:\WINDOWS\SYSTEM32\dxgi.dll!CreateDXGIFactory 00007ffb8b4e5de0 5 bytes JMP 00007ffb8b3a00d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1712] C:\WINDOWS\SYSTEM32\dxgi.dll!CreateDXGIFactory1 00007ffb8b4e6180 5 bytes JMP 00007ffb8b3a0110 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6600] entry point in ".rdata" section 00000000719d0350 .text C:\WINDOWS\system32\DllHost.exe[260] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb900d0298 .text C:\WINDOWS\system32\DllHost.exe[260] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb900d0340 .text C:\WINDOWS\system32\DllHost.exe[260] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb900d0260 .text C:\WINDOWS\system32\DllHost.exe[260] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb900d02d0 .text C:\WINDOWS\system32\DllHost.exe[260] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb900d01f0 .text C:\WINDOWS\system32\DllHost.exe[260] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb900d0228 .text C:\WINDOWS\system32\DllHost.exe[260] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb900d0308 .text C:\WINDOWS\system32\taskhostw.exe[2864] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb900d0298 .text C:\WINDOWS\system32\taskhostw.exe[2864] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb900d0340 .text C:\WINDOWS\system32\taskhostw.exe[2864] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb900d0260 .text C:\WINDOWS\system32\taskhostw.exe[2864] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb900d02d0 .text C:\WINDOWS\system32\taskhostw.exe[2864] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb900d01f0 .text C:\WINDOWS\system32\taskhostw.exe[2864] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb900d0228 .text C:\WINDOWS\system32\taskhostw.exe[2864] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb900d0308 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb9293ecb0 7 bytes JMP 00007ffb8faa0298 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb92942900 7 bytes JMP 00007ffb8faa0340 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb92942da0 7 bytes JMP 00007ffb8faa0260 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb929440c0 7 bytes JMP 00007ffb8faa02d0 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb92962d30 7 bytes JMP 00007ffb8faa01f0 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb92962d90 7 bytes JMP 00007ffb8faa0228 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb929632e0 7 bytes JMP 00007ffb8faa0308 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\combase.dll!CoCreateInstance 00007ffb92d37000 5 bytes JMP 00007ffb8faa0768 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\combase.dll!CoSetProxyBlanket 00007ffb92d5e400 7 bytes JMP 00007ffb8faa07a0 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffb9205a9c0 10 bytes JMP 00007ffb8faa0420 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffb9206fb60 5 bytes JMP 00007ffb8faa03b0 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffb920738e0 7 bytes JMP 00007ffb8faa0458 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffb92073ac0 5 bytes JMP 00007ffb8faa03e8 .text C:\Program Files\WinRAR\WinRAR.exe[3152] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffb920752d0 9 bytes JMP 00007ffb8faa0378 ? C:\WINDOWS\system32\apphelp.dll [4756] entry point in ".rdata" section 0000000073340ab0 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\system32\shlwapi.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffb9239002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\system32\ole32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6952] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffb65fb2348] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\system32\shlwapi.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffb9239002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\system32\ole32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7764] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffb65fb2348] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\system32\shlwapi.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffb9239002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\system32\ole32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5560] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffb65fb2348] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\system32\shlwapi.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffb9239002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\system32\ole32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffb9239006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffb923a002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7196] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffb65fb2348] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [596:640] fffff96005d77300 Thread C:\WINDOWS\system32\svchost.exe [508:476] 00007ffb820ccf50 Thread C:\WINDOWS\system32\svchost.exe [508:480] 00007ffb820ccf30 Thread C:\WINDOWS\system32\dashost.exe [1192:608] 00007ffb840933d0 Thread C:\WINDOWS\system32\svchost.exe [2464:2564] 00007ffb83e76160 Thread C:\WINDOWS\system32\svchost.exe [2464:2588] 00007ffb83e51010 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [5496:5576] 00007ffb7e6f7944 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [5496:5580] 00007ffb7e5bbeb4 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [5496:5836] 00007ffb7e5bbeb4 Thread [6140:7228] 00000000778445b0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x4A 0x1F 0xC6 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x36 0x85 0x25 0x16 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x1A 0xFC 0xCF 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xBE 0xE7 0x27 0x16 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 21 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMO15A70_1F_07DA_95^E31A9EA2CA573A9B957AE374289AD020@Timestamp 0xFC 0x2F 0xA4 0x0F ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 752 Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da@DCSettingIndex 3600 Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da@ACSettingIndex 3600 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment@Path %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\MATLAB\R2014b\runtime\win64;C:\Program Files\MATLAB\R2014b\bin;C:\Program Files\MATLAB\R2014b\polyspace\bin Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -340810102 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 6a22140f-7be7-41d8-961d-ed20ef9 Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{75bc78d2-9595-45ce-863c-5414465eb29e} Reg HKLM\SYSTEM\CurrentControlSet\Services\BthLEEnum\Parameters\Wdf@TimeOfLastTelemetryLog 0x2E 0x70 0x50 0x16 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\24fd529e0b87 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\24fd529e0b87@fc64ba522c78 0x09 0xD6 0xEA 0x62 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0xA2 0x76 0x7A 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x95 0x79 0x3D 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{fed24df1-524c-452f-af77-e9bcde8aa203}@LastProbeTime 1487172255 Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x67 0x64 0x68 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastTelemetryLog 0x2E 0x29 0x6D 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iwdbus\Parameters\Wdf@TimeOfLastTelemetryLog 0x4B 0xF9 0x73 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastTelemetryLog 0xB2 0x30 0xD1 0x16 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xAD 0xBE 0x73 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?pt.?, ?lut ?17 ?17, 06:15:07?????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1655 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 961 Reg HKLM\SYSTEM\CurrentControlSet\Services\SmbDrvI\Parameters\Wdf@TimeOfLastTelemetryLog 0x53 0x7C 0x77 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 21 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 1828 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters\Wdf@TimeOfLastTelemetryLog 0x2E 0x29 0x6D 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45c35913-77e4-420d-aed5-366af1556f38}@LeaseObtainedTime 1487462432 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45c35913-77e4-420d-aed5-366af1556f38}@T1 1487592032 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45c35913-77e4-420d-aed5-366af1556f38}@T2 1487689232 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45c35913-77e4-420d-aed5-366af1556f38}@LeaseTerminatesTime 1487721632 Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0x95 0x79 0x3D 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastTelemetryLog 0xA0 0xA7 0x4E 0x15 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastTelemetryLog 0xA5 0x8C 0x50 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastTelemetryLog 0x67 0x64 0x68 0x12 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@RwMask 0x64 0x62 0x03 0x00 ... ---- Files - GMER 2.2 ---- File C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\TempState\etilqs_E3vIa4kcuPOSFgo (size mismatch) 3612/0 bytes executable ---- EOF - GMER 2.2 ----