GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-15 07:40:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GS00 596,17GB Running: x5y40rdx.exe; Driver: C:\Users\test\AppData\Local\Temp\kgldapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076851401 2 bytes JMP 74d9b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076851419 2 bytes JMP 74d9b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076851431 2 bytes JMP 74e18ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007685144a 2 bytes CALL 74d748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768514dd 2 bytes JMP 74e187a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768514f5 2 bytes JMP 74e18978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007685150d 2 bytes JMP 74e18698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076851525 2 bytes JMP 74e18a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007685153d 2 bytes JMP 74d8fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076851555 2 bytes JMP 74d968ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007685156d 2 bytes JMP 74e18f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076851585 2 bytes JMP 74e18ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007685159d 2 bytes JMP 74e1865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768515b5 2 bytes JMP 74d8fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768515cd 2 bytes JMP 74d9b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768516b2 2 bytes JMP 74e18e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768516bd 2 bytes JMP 74e185f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000770df9e0 5 bytes JMP 000000016e6f6f86 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject 00000000770df9f8 5 bytes JMP 000000016e6f741f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 00000000770dfa28 5 bytes JMP 000000016e6f1027 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 00000000770dfa40 5 bytes JMP 000000016e6f08b2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 00000000770dfa90 5 bytes JMP 000000016e6f072c .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000770dfaa8 5 bytes JMP 000000016e6f083a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 00000000770dfb40 5 bytes JMP 000000016e6f13d1 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 00000000770dfc38 5 bytes JMP 000000016e6f53c5 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 00000000770dfd4c 5 bytes JMP 000000016e6f06b4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000770dfd64 5 bytes JMP 000000016e6f59b5 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 00000000770dfd98 5 bytes JMP 000000016e6f4a3a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000770dfe44 5 bytes JMP 000000016e6f7001 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 00000000770dfe5c 5 bytes JMP 000000016e6f5b37 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770e00b4 5 bytes JMP 000000016e6f57ed .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000770e01c4 5 bytes JMP 000000016e6f092a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000770e09e4 5 bytes JMP 000000016e6f55e0 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000770e09fc 5 bytes JMP 000000016e6ed7fa .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000770e0a44 5 bytes JMP 000000016e6ed8c8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 00000000770e0b80 5 bytes JMP 000000016e6ed861 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 00000000770e0f70 5 bytes JMP 000000016e6f09a2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770e0f88 5 bytes JMP 000000016e6f0dff .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 00000000770e1018 5 bytes JMP 000000016e6f112f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000770e133c 5 bytes JMP 000000016e6f5bc7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 00000000770e147c 5 bytes JMP 000000016e6f0d83 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000770e1528 5 bytes JMP 000000016e6f7397 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 00000000770e1718 5 bytes JMP 000000016e6edd06 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000770e1a58 5 bytes JMP 000000016e6f07b4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 00000000770e1b9c 5 bytes JMP 000000016e6f712e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074d7103d 5 bytes JMP 000000016e6c9bba .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074d71072 5 bytes JMP 000000016e6c9cf8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\kernel32.dll!ReplaceFile 0000000074d90de4 5 bytes JMP 000000016e6c7e04 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074d9c9b5 5 bytes JMP 000000016e6c9f2e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\kernel32.dll!ReplaceFileA 0000000074deeef1 5 bytes JMP 000000016e6c7d24 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryW 0000000074df0423 5 bytes JMP 000000016e6ca851 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryA 0000000074df04cb 5 bytes JMP 000000016e6cab84 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\kernel32.dll!WinExec 0000000074df2ff1 5 bytes JMP 000000016e6ca3f3 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\kernel32.dll!AllocConsole 0000000074e1705e 5 bytes JMP 000000016e6f8595 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\kernel32.dll!AttachConsole 0000000074e17122 5 bytes JMP 000000016e6f85a7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075762ab1 5 bytes JMP 000000016e6cad8f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000750d8a29 5 bytes JMP 000000016e6f857d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000750dd22e 5 bytes JMP 000000016e6f8565 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\GDI32.dll!AddFontResourceW 000000007665d40a 5 bytes JMP 000000016e6d81eb .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\GDI32.dll!AddFontResourceA 000000007665d913 5 bytes JMP 000000016e6d81cf .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesW 00000000752c1e3a 7 bytes JMP 000000016e6db1d3 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW 00000000752cb406 7 bytes JMP 000000016e6dc0f4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW 00000000752e7897 7 bytes JMP 000000016e6db87a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW 00000000752e7953 7 bytes JMP 000000016e6dba2b .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA 00000000752ea37a 7 bytes JMP 000000016e6dc1ba .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075302642 5 bytes JMP 000000016e6ca070 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA 0000000075321d74 7 bytes JMP 000000016e6db932 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA 0000000075321e11 7 bytes JMP 000000016e6dbae3 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusA 0000000075322201 7 bytes JMP 000000016e6dc036 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesA 00000000753222e4 7 bytes JMP 000000016e6db28a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusW 0000000075322401 5 bytes JMP 000000016e6dbf78 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075264d5c 7 bytes JMP 000000016e6db018 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075264dc3 7 bytes JMP 000000016e6db341 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatus 0000000075264e4b 7 bytes JMP 000000016e6db0a4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatusEx 0000000075264eaf 7 bytes JMP 000000016e6db137 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!StartServiceW 0000000075264f35 7 bytes JMP 000000016e6dae93 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!StartServiceA 000000007526508d 7 bytes JMP 000000016e6daf29 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity 00000000752650f4 7 bytes JMP 000000016e6dbe46 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075265181 7 bytes JMP 000000016e6dbee2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075265254 7 bytes JMP 000000016e6db542 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000752653d5 7 bytes JMP 000000016e6db45d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000752654c2 7 bytes JMP 000000016e6db7e4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000752655e2 7 bytes JMP 000000016e6db74e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007526567c 7 bytes JMP 000000016e6dac75 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007526589f 7 bytes JMP 000000016e6dab9f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075265a22 7 bytes JMP 000000016e6db3cf .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigA 0000000075265a83 7 bytes JMP 000000016e6dbc75 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW 0000000075265b29 7 bytes JMP 000000016e6dbbdc .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA 0000000075265ca0 7 bytes JMP 000000016e6da34f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!ControlServiceExW 0000000075265d8c 7 bytes JMP 000000016e6da2d6 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerW 00000000752663ad 7 bytes JMP 000000016e6da89d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerA 00000000752664f0 7 bytes JMP 000000016e6da929 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2A 0000000075266633 7 bytes JMP 000000016e6dbdaa .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2W 000000007526680c 7 bytes JMP 000000016e6dbd0e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007526714b 7 bytes JMP 000000016e6daa12 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075267245 7 bytes JMP 000000016e6daa9e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoRegisterPSClsid 00000000753bc56e 5 bytes JMP 000000016e6e196d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7 00000000753bea09 7 bytes JMP 000000016e6e1f3e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!OleRun 00000000753c07de 5 bytes JMP 000000016e6e1df9 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 00000000753c21e1 5 bytes JMP 000000016e6e2a6e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!OleUninitialize 00000000753ceba1 6 bytes JMP 000000016e6e1d18 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!OleInitialize 00000000753cefd7 5 bytes JMP 000000016e6e1ca8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoGetPSClsid 00000000753d26b9 5 bytes JMP 000000016e6e1ae5 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000753e54ad 5 bytes JMP 000000016e6e2ffc .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoInitializeEx 00000000753f09ad 5 bytes JMP 000000016e6e1b58 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoUninitialize 00000000753f86d3 5 bytes JMP 000000016e6e1bda .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000753f9d0b 5 bytes JMP 000000016e6e42ca .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000753f9d4e 5 bytes JMP 000000016e6e2405 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 000000007541bb09 7 bytes JMP 000000016e6e1e69 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 000000007543eacf 5 bytes JMP 000000016e6e13ca .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile 000000007547340b 5 bytes JMP 000000016e6e34bc .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[8496] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc 00000000754bcfd9 5 bytes JMP 000000016e6e1d83 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\mfevtps.exe[2220] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13f83bbb0] C:\Windows\system32\mfevtps.exe ---- Files - GMER 2.1 ---- File C:\Users\test\AppData\Local\Mozilla\Firefox\Profiles\4lbbd7gp.default\cache2\entries\F8D17650512CF50906599A0AE6888F032F8919FA 268 bytes File C:\Windows\winsxs\amd64_microsoft-windows-ie-ratings_31bf3856ad364e35_11.2.9600.17728_none_a9c8e38471e1bd67 0 bytes File C:\Windows\winsxs\amd64_microsoft-windows-ie-ratings_31bf3856ad364e35_11.2.9600.17728_none_a9c8e38471e1bd67\icrav03.rat 8798 bytes File C:\Windows\winsxs\amd64_microsoft-windows-ie-ratings_31bf3856ad364e35_11.2.9600.17728_none_a9c8e38471e1bd67\ticrf.rat 1988 bytes ---- EOF - GMER 2.1 ----