This is a very obscure persistence mechanism that affects VMWare Tools versions that utilize the vm3dum DLL (‘VMware SVGA 3D Usermode’):
- c:\Program Files\Common Files\VMware\Drivers\video_wddm\vm3dum.dll
When loaded (which happens e.g. when Internet Explorer is launched) the DLL checks the content of the following registry key:
- HKLM\SOFTWARE\VMware, Inc.\VMware Tools\Usermode\
AdapterShimPath=<path>
and loads library that the path points to.
There is also one more key:
- HKLM\SOFTWARE\VMware, Inc.\VMware Tools\Usermode\
ShimPath=<path>
but the condition for loading this DLL is not entirely clear to me.