GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-14 14:11:54
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JB-00REA0 rev.20.00K20
Running: jw9wsx2h.exe; Driver: C:\DOCUME~1\Artur\USTAWI~1\Temp\ugldapob.sys

---- System - GMER 1.0.15 ----

SSDT 88FC19A0 ZwAlertResumeThread
SSDT 890F6D90 ZwAlertThread
SSDT 89CE6260 ZwAllocateVirtualMemory
SSDT 88D75990 ZwAssignProcessToJobObject
SSDT 89154CD0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB3BD2720]
SSDT 88FA5950 ZwCreateMutant
SSDT 88D6AB70 ZwCreateSymbolicLinkObject
SSDT 897816F8 ZwCreateThread
SSDT 88D57748 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB3BD29A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB3BD2F00]
SSDT 89A591D8 ZwDuplicateObject
SSDT 899433D8 ZwFreeVirtualMemory
SSDT 88FA7818 ZwImpersonateAnonymousToken
SSDT 88FB1960 ZwImpersonateThread
SSDT 89A91B48 ZwLoadDriver
SSDT 89777260 ZwMapViewOfSection
SSDT 88FF2998 ZwOpenEvent
SSDT 8908AE88 ZwOpenProcess
SSDT 898D5248 ZwOpenProcessToken
SSDT 88FD4708 ZwOpenSection
SSDT 89739A98 ZwOpenThread
SSDT 88D9CB50 ZwProtectVirtualMemory
SSDT 89015D08 ZwResumeThread
SSDT 89C97720 ZwSetContextThread
SSDT 89C86208 ZwSetInformationProcess
SSDT 88FC79A0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB3BD3150]
SSDT 88FF27F0 ZwSuspendProcess
SSDT 899D8650 ZwSuspendThread
SSDT 898D5280 ZwTerminateProcess
SSDT 89970008 ZwTerminateThread
SSDT 89CE6228 ZwUnmapViewOfSection
SSDT 89904E50 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6AF63A0, 0x5FE082, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 6F069BF1 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 6F0688D9 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 6F06552A C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 6F0686F6 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 6F064D8A C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 6F06504D C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtDuplicateObject 7C90D29E 5 Bytes JMP 6F069CC7 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtEnumerateKey 7C90D2CE 5 Bytes JMP 6F064E2E C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 6F064FA7 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtFlushKey 7C90D34E 5 Bytes JMP 6F064DDC C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtNotifyChangeKey 7C90D54E 5 Bytes JMP 6F0650FB C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtNotifyChangeMultipleKeys 7C90D55E 5 Bytes JMP 6F065189 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 6F068A64 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 6F06543B C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtQueryAttributesFile 7C90D70E 5 Bytes JMP 6F068761 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 6F0675E6 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 6F0687D1 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtQueryKey 7C90D85E 5 Bytes JMP 6F064E81 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 5 Bytes JMP 6F0650A8 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtQueryObject 7C90D88E 5 Bytes JMP 6F069D1D C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtQuerySecurityObject 7C90D8DE 5 Bytes JMP 6F069C61 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 6F064F54 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtRenameKey 7C90DA5E 5 Bytes JMP 6F06559F C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtSetInformationFile 7C90DC5E 5 Bytes JMP 6F068841 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtSetInformationKey 7C90DC7E 5 Bytes JMP 6F064EE7 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtSetSecurityObject 7C90DD2E 5 Bytes JMP 6F069D7A C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 6F064FFA C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 6F042E8C C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 6F042337 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 6F042475 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] kernel32.dll!SetDllDirectoryW 7C85FD19 5 Bytes JMP 6F043300 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] kernel32.dll!SetDllDirectoryA 7C85FDAF 5 Bytes JMP 6F043633 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 6F042A2E C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] GDI32.dll!AddFontResourceA 77F29415 5 Bytes JMP 6F050A98 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] GDI32.dll!AddFontResourceW 77F3FFAB 5 Bytes JMP 6F050AB4 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 7 Bytes JMP 6F053BB6 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!QueryServiceStatus 77DD6D50 7 Bytes JMP 6F053919 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!OpenSCManagerW 77DD6F55 7 Bytes JMP 6F053128 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!OpenServiceW 77DD6FFD 7 Bytes JMP 6F053297 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 6F0426AB C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!StartServiceA 77DDFB58 7 Bytes JMP 6F05379E C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!QueryServiceStatusEx 77DE120A 7 Bytes JMP 6F0539AC C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!QueryServiceConfigA 77DE1596 7 Bytes JMP 6F0544E1 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!StartServiceW 77DE3E94 7 Bytes JMP 6F053708 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!ControlService 77DE4A09 7 Bytes JMP 6F05388D C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!OpenServiceA 77DE4C66 7 Bytes JMP 6F053323 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!OpenSCManagerA 77DE69AE 7 Bytes JMP 6F0531B4 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!EnumServicesStatusA 77DE6B47 7 Bytes JMP 6F0548A2 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!QueryServiceConfigW 77DE6F92 7 Bytes JMP 6F054448 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 6F0427ED C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!EnumServicesStatusExW 77E269B8 7 Bytes JMP 6F054960 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!EnumServicesStatusExA 77E26C2F 7 Bytes JMP 6F054A26 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!QueryServiceObjectSecurity 77E26D01 7 Bytes JMP 6F0546B2 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 7 Bytes JMP 6F05474E C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 7 Bytes JMP 6F053DB7 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!ChangeServiceConfigW 77E27001 7 Bytes JMP 6F053CD2 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 7 Bytes JMP 6F054050 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 7 Bytes JMP 6F053FBA C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!CreateServiceA 77E27211 7 Bytes JMP 6F0534F7 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!CreateServiceW 77E273A9 7 Bytes JMP 6F053421 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!DeleteService 77E274B1 7 Bytes JMP 6F053C44 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!EnumDependentServicesA 77E27529 7 Bytes JMP 6F053AFF C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!EnumDependentServicesW 77E275E1 7 Bytes JMP 6F053A48 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!GetServiceDisplayNameA 77E27699 7 Bytes JMP 6F05434F C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!GetServiceDisplayNameW 77E27739 7 Bytes JMP 6F054297 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!GetServiceKeyNameA 77E277D9 7 Bytes JMP 6F05419E C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!GetServiceKeyNameW 77E27879 7 Bytes JMP 6F0540E6 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!QueryServiceConfig2A 77E27999 7 Bytes JMP 6F054616 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!QueryServiceConfig2W 77E27AB1 7 Bytes JMP 6F05457A C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ADVAPI32.dll!EnumServicesStatusW 77E27D61 5 Bytes JMP 6F0547E4 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 6F05AC12 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoCreateInstance 774EF1AC 1 Byte [E9]
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 6F05C8B0 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoUninitialize 774F133C 5 Bytes JMP 6F05A46B C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoInitializeEx 774F1473 5 Bytes JMP 6F05A3E9 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!OleInitialize 774F1BE2 5 Bytes JMP 6F05A539 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoGetClassObject 775051F5 5 Bytes JMP 6F05B5E2 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoRegisterClassObject 775079C0 5 Bytes JMP 6F05B27B C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoGetPSClsid 77509320 5 Bytes JMP 6F05A376 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoResumeClassObjects + 7 77516887 7 Bytes JMP 6F05A7CF C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoSuspendClassObjects + 7 77516912 7 Bytes JMP 6F05A6FA C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoRevokeClassObject 77519E38 5 Bytes JMP 6F059DE0 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!OleUninitialize 7752320F 6 Bytes JMP 6F05A5A9 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoGetInstanceFromFile 77530212 5 Bytes JMP 6F05BAA2 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!OleRun 775461F1 5 Bytes JMP 6F05A68A C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!CoRegisterPSClsid 7757CCA9 5 Bytes JMP 6F05A1FE C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[784] ole32.dll!OleRegEnumFormatEtc 775C476D 5 Bytes JMP 6F05A614 C:\WINDOWS\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Sftfsxp.sys (Microsoft Application Virtualization File System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

---- EOF - GMER 1.0.15 ----