Here is gmer.text as well
Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2014-01-08 21:31:58
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB
Running: hdxldfvk.exe; Driver: C:\Users\Msi\AppData\Local\Temp\fxldypog.sys
---- User code sections - GMER 2.1 ----
.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1408] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1408] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1512] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077b1fa38 5 bytes JMP 00000001754619e8
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1512] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b1ffc8 5 bytes JMP 000000017546209e
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2124] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2124] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2332] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2332] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2988] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2988] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE[3396] C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE!?SparseBitMask@DataSourceDescription@FlexUI@@2HB + 960 000000002d525984 4 bytes [2B, 3B, 5D, 68]
.text C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE[3396] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE[3396] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3828] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3828] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2000] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2000] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3644] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3644] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3576] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3576] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3696] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3696] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3296] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3296] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077b1f970 5 bytes JMP 0000000165fc6f86
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtQueryObject 0000000077b1f988 5 bytes JMP 0000000165fc741f
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 0000000077b1f9b8 5 bytes JMP 0000000165fc1027
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077b1f9d0 5 bytes JMP 0000000165fc08b2
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 0000000077b1fa20 5 bytes JMP 0000000165fc072c
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077b1fa38 5 bytes JMP 0000000165fc083a
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077b1fad0 5 bytes JMP 0000000165fc13d1
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077b1fbc8 5 bytes JMP 0000000165fc53c5
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 0000000077b1fcdc 5 bytes JMP 0000000165fc06b4
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b1fcf4 5 bytes JMP 0000000165fc59b5
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077b1fd28 5 bytes JMP 0000000165fc4a3a
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077b1fdd4 5 bytes JMP 0000000165fc7001
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 0000000077b1fdec 5 bytes JMP 0000000165fc5b37
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b20044 5 bytes JMP 0000000165fc57ed
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077b20154 5 bytes JMP 0000000165fc092a
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077b20974 5 bytes JMP 0000000165fc55e0
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077b2098c 5 bytes JMP 0000000165fbd7fa
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077b209d4 5 bytes JMP 0000000165fbd8c8
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077b20b10 5 bytes JMP 0000000165fbd861
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077b20f00 5 bytes JMP 0000000165fc09a2
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b20f18 5 bytes JMP 0000000165fc0dff
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077b20fa8 5 bytes JMP 0000000165fc112f
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 0000000077b212cc 5 bytes JMP 0000000165fc5bc7
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077b2140c 5 bytes JMP 0000000165fc0d83
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077b214b8 5 bytes JMP 0000000165fc7397
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077b216a8 5 bytes JMP 0000000165fbdd06
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077b219e8 5 bytes JMP 0000000165fc07b4
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077b21b2c 5 bytes JMP 0000000165fc712e
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\kernel32.dll!CreateProcessW 000000007760102d 5 bytes JMP 0000000165f99bba
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000077601062 5 bytes JMP 0000000165f99cf8
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007762126f 5 bytes JMP 0000000165f99f2e
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\kernel32.dll!ReplaceFile 000000007762cb4c 5 bytes JMP 0000000165f97e04
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\kernel32.dll!ReplaceFileA 000000007767ed41 5 bytes JMP 0000000165f97d24
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\kernel32.dll!SetDllDirectoryW 0000000077680347 5 bytes JMP 0000000165f9a851
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\kernel32.dll!SetDllDirectoryA 00000000776803ef 5 bytes JMP 0000000165f9ab84
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\kernel32.dll!WinExec 0000000077682f19 5 bytes JMP 0000000165f9a3f3
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\kernel32.dll!AllocConsole 00000000776a68c6 5 bytes JMP 0000000165fc8595
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\kernel32.dll!AttachConsole 00000000776a698a 5 bytes JMP 0000000165fc85a7
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077512aa4 5 bytes JMP 0000000165f9ad8f
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\USER32.dll!CreateWindowExW 00000000773d8b9a 5 bytes JMP 0000000165fc857d
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\USER32.dll!CreateWindowExA 00000000773da5e6 5 bytes JMP 0000000165fc8565
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\GDI32.dll!AddFontResourceW 0000000075cfd26a 5 bytes JMP 0000000165fa81eb
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\GDI32.dll!AddFontResourceA 0000000075cfd773 5 bytes JMP 0000000165fa81cf
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesW 00000000757d1ec8 7 bytes JMP 0000000165fab1d3
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW 00000000757dbc43 7 bytes JMP 0000000165fac0f4
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW 00000000757fdf7f 7 bytes JMP 0000000165fab87a
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW 00000000757fe03b 7 bytes JMP 0000000165faba2b
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA 00000000757ff7be 7 bytes JMP 0000000165fac1ba
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000758114fd 5 bytes JMP 0000000165f9a070
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA 0000000075830276 7 bytes JMP 0000000165fab932
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA 0000000075830319 7 bytes JMP 0000000165fabae3
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusA 0000000075830709 7 bytes JMP 0000000165fac036
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesA 00000000758307ec 7 bytes JMP 0000000165fab28a
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusW 0000000075830909 5 bytes JMP 0000000165fabf78
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!ControlService 00000000772a4d5c 3 bytes JMP 0000000165fab018
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!ControlService + 4 00000000772a4d60 3 bytes [EE, CC, CC]
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000772a4dc3 7 bytes JMP 0000000165fab341
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!QueryServiceStatus 00000000772a4e4b 7 bytes JMP 0000000165fab0a4
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!QueryServiceStatusEx 00000000772a4eaf 7 bytes JMP 0000000165fab137
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!StartServiceW 00000000772a4f35 7 bytes JMP 0000000165faae93
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!StartServiceA 00000000772a508d 7 bytes JMP 0000000165faaf29
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity 00000000772a50f4 7 bytes JMP 0000000165fabe46
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000772a5181 3 bytes JMP 0000000165fabee2
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 4 00000000772a5185 3 bytes [EE, CC, CC]
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000772a5254 7 bytes JMP 0000000165fab542
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000772a53d5 7 bytes JMP 0000000165fab45d
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000772a54c2 7 bytes JMP 0000000165fab7e4
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000772a55e2 7 bytes JMP 0000000165fab74e
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000772a567c 7 bytes JMP 0000000165faac75
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000772a589f 7 bytes JMP 0000000165faab9f
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000772a5a22 7 bytes JMP 0000000165fab3cf
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigA 00000000772a5a83 7 bytes JMP 0000000165fabc75
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigW 00000000772a5b29 7 bytes JMP 0000000165fabbdc
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!ControlServiceExA 00000000772a5ca0 7 bytes JMP 0000000165faa34f
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!ControlServiceExW 00000000772a5d8c 7 bytes JMP 0000000165faa2d6
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!OpenSCManagerW 00000000772a63ad 7 bytes JMP 0000000165faa89d
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!OpenSCManagerA 00000000772a64f0 7 bytes JMP 0000000165faa929
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2A 00000000772a6633 7 bytes JMP 0000000165fabdaa
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2W 00000000772a680c 7 bytes JMP 0000000165fabd0e
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!OpenServiceW 00000000772a714b 7 bytes JMP 0000000165faaa12
.text C:\windows\system32\svchost.exe[4272] C:\windows\SysWOW64\sechost.dll!OpenServiceA 00000000772a7245 7 bytes JMP 0000000165faaa9e
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoRegisterPSClsid 0000000076cc3316 5 bytes JMP 0000000165fb196d
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoResumeClassObjects + 7 0000000076cce5f4 7 bytes JMP 0000000165fb1f3e
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!OleRun 0000000076ccf910 5 bytes JMP 0000000165fb1df9
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoRegisterClassObject 0000000076cd121d 5 bytes JMP 0000000165fb2a6e
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoRevokeClassObject 0000000076cd2a9d 5 bytes JMP 0000000165fb13ca
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!OleUninitialize 0000000076cde982 6 bytes JMP 0000000165fb1d18
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!OleInitialize 0000000076cdef3b 5 bytes JMP 0000000165fb1ca8
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoGetPSClsid 0000000076ce3b0f 5 bytes JMP 0000000165fb1ae5
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076cfa394 5 bytes JMP 0000000165fb2ffc
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoInitializeEx 0000000076d008cc 5 bytes JMP 0000000165fb1b58
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoUninitialize 0000000076d07197 5 bytes JMP 0000000165fb1bda
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076d1590c 5 bytes JMP 0000000165fb42ca
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076d1594f 5 bytes JMP 0000000165fb2405
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 0000000076d2b16d 7 bytes JMP 0000000165fb1e69
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!CoGetInstanceFromFile 0000000076d8149a 5 bytes JMP 0000000165fb34bc
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\ole32.dll!OleRegEnumFormatEtc 0000000076dccd0d 5 bytes JMP 0000000165fb1d83
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\OLEAUT32.dll!RegisterActiveObject 000000007758279e 5 bytes JMP 0000000165fb165d
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\OLEAUT32.dll!RevokeActiveObject 0000000077583294 5 bytes JMP 0000000165fb177e
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\OLEAUT32.dll!GetActiveObject 0000000077598f58 5 bytes JMP 0000000165fb17f1
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\windows\system32\svchost.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077b1f970 5 bytes JMP 0000000165fc6f86
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtQueryObject 0000000077b1f988 5 bytes JMP 0000000165fc741f
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 0000000077b1f9b8 5 bytes JMP 0000000165fc1027
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077b1f9d0 5 bytes JMP 0000000165fc08b2
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 0000000077b1fa20 5 bytes JMP 0000000165fc072c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077b1fa38 5 bytes JMP 0000000165fc083a
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077b1fad0 5 bytes JMP 0000000165fc13d1
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077b1fbc8 5 bytes JMP 0000000165fc53c5
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 0000000077b1fcdc 5 bytes JMP 0000000165fc06b4
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b1fcf4 5 bytes JMP 0000000165fc59b5
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077b1fd28 5 bytes JMP 0000000165fc4a3a
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077b1fdd4 5 bytes JMP 0000000165fc7001
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 0000000077b1fdec 5 bytes JMP 0000000165fc5b37
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b20044 5 bytes JMP 0000000165fc57ed
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077b20154 5 bytes JMP 0000000165fc092a
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077b20974 5 bytes JMP 0000000165fc55e0
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077b2098c 5 bytes JMP 0000000165fbd7fa
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077b209d4 5 bytes JMP 0000000165fbd8c8
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077b20b10 5 bytes JMP 0000000165fbd861
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077b20f00 5 bytes JMP 0000000165fc09a2
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b20f18 5 bytes JMP 0000000165fc0dff
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077b20fa8 5 bytes JMP 0000000165fc112f
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 0000000077b212cc 5 bytes JMP 0000000165fc5bc7
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077b2140c 5 bytes JMP 0000000165fc0d83
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077b214b8 5 bytes JMP 0000000165fc7397
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077b216a8 5 bytes JMP 0000000165fbdd06
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077b219e8 5 bytes JMP 0000000165fc07b4
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077b21b2c 5 bytes JMP 0000000165fc712e
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\kernel32.dll!CreateProcessW 000000007760102d 5 bytes JMP 0000000165f99bba
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000077601062 5 bytes JMP 0000000165f99cf8
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007762126f 5 bytes JMP 0000000165f99f2e
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\kernel32.dll!ReplaceFile 000000007762cb4c 5 bytes JMP 0000000165f97e04
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\kernel32.dll!ReplaceFileA 000000007767ed41 5 bytes JMP 0000000165f97d24
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\kernel32.dll!SetDllDirectoryW 0000000077680347 5 bytes JMP 0000000165f9a851
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\kernel32.dll!SetDllDirectoryA 00000000776803ef 5 bytes JMP 0000000165f9ab84
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\kernel32.dll!WinExec 0000000077682f19 5 bytes JMP 0000000165f9a3f3
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\kernel32.dll!AllocConsole 00000000776a68c6 5 bytes JMP 0000000165fc8595
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\kernel32.dll!AttachConsole 00000000776a698a 5 bytes JMP 0000000165fc85a7
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077512aa4 5 bytes JMP 0000000165f9ad8f
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\USER32.dll!CreateWindowExW 00000000773d8b9a 5 bytes JMP 0000000165fc857d
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\USER32.dll!CreateWindowExA 00000000773da5e6 5 bytes JMP 0000000165fc8565
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\GDI32.dll!AddFontResourceW 0000000075cfd26a 5 bytes JMP 0000000165fa81eb
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\GDI32.dll!AddFontResourceA 0000000075cfd773 5 bytes JMP 0000000165fa81cf
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesW 00000000757d1ec8 7 bytes JMP 0000000165fab1d3
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW 00000000757dbc43 7 bytes JMP 0000000165fac0f4
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW 00000000757fdf7f 7 bytes JMP 0000000165fab87a
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW 00000000757fe03b 7 bytes JMP 0000000165faba2b
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA 00000000757ff7be 7 bytes JMP 0000000165fac1ba
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000758114fd 5 bytes JMP 0000000165f9a070
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA 0000000075830276 7 bytes JMP 0000000165fab932
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA 0000000075830319 7 bytes JMP 0000000165fabae3
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusA 0000000075830709 7 bytes JMP 0000000165fac036
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesA 00000000758307ec 7 bytes JMP 0000000165fab28a
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusW 0000000075830909 5 bytes JMP 0000000165fabf78
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!ControlService 00000000772a4d5c 3 bytes JMP 0000000165fab018
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!ControlService + 4 00000000772a4d60 3 bytes [EE, CC, CC]
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000772a4dc3 7 bytes JMP 0000000165fab341
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!QueryServiceStatus 00000000772a4e4b 7 bytes JMP 0000000165fab0a4
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!QueryServiceStatusEx 00000000772a4eaf 7 bytes JMP 0000000165fab137
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!StartServiceW 00000000772a4f35 7 bytes JMP 0000000165faae93
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!StartServiceA 00000000772a508d 7 bytes JMP 0000000165faaf29
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity 00000000772a50f4 7 bytes JMP 0000000165fabe46
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000772a5181 3 bytes JMP 0000000165fabee2
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 4 00000000772a5185 3 bytes [EE, CC, CC]
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000772a5254 7 bytes JMP 0000000165fab542
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000772a53d5 7 bytes JMP 0000000165fab45d
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000772a54c2 7 bytes JMP 0000000165fab7e4
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000772a55e2 7 bytes JMP 0000000165fab74e
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000772a567c 7 bytes JMP 0000000165faac75
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000772a589f 7 bytes JMP 0000000165faab9f
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000772a5a22 7 bytes JMP 0000000165fab3cf
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigA 00000000772a5a83 7 bytes JMP 0000000165fabc75
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigW 00000000772a5b29 7 bytes JMP 0000000165fabbdc
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!ControlServiceExA 00000000772a5ca0 7 bytes JMP 0000000165faa34f
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!ControlServiceExW 00000000772a5d8c 7 bytes JMP 0000000165faa2d6
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!OpenSCManagerW 00000000772a63ad 7 bytes JMP 0000000165faa89d
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!OpenSCManagerA 00000000772a64f0 7 bytes JMP 0000000165faa929
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2A 00000000772a6633 7 bytes JMP 0000000165fabdaa
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2W 00000000772a680c 7 bytes JMP 0000000165fabd0e
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!OpenServiceW 00000000772a714b 7 bytes JMP 0000000165faaa12
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\SysWOW64\sechost.dll!OpenServiceA 00000000772a7245 7 bytes JMP 0000000165faaa9e
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoRegisterPSClsid 0000000076cc3316 5 bytes JMP 0000000165fb196d
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoResumeClassObjects + 7 0000000076cce5f4 7 bytes JMP 0000000165fb1f3e
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!OleRun 0000000076ccf910 5 bytes JMP 0000000165fb1df9
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoRegisterClassObject 0000000076cd121d 5 bytes JMP 0000000165fb2a6e
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoRevokeClassObject 0000000076cd2a9d 5 bytes JMP 0000000165fb13ca
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!OleUninitialize 0000000076cde982 6 bytes JMP 0000000165fb1d18
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!OleInitialize 0000000076cdef3b 5 bytes JMP 0000000165fb1ca8
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoGetPSClsid 0000000076ce3b0f 5 bytes JMP 0000000165fb1ae5
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076cfa394 5 bytes JMP 0000000165fb2ffc
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoInitializeEx 0000000076d008cc 5 bytes JMP 0000000165fb1b58
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoUninitialize 0000000076d07197 5 bytes JMP 0000000165fb1bda
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076d1590c 5 bytes JMP 0000000165fb42ca
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076d1594f 5 bytes JMP 0000000165fb2405
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 0000000076d2b16d 7 bytes JMP 0000000165fb1e69
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!CoGetInstanceFromFile 0000000076d8149a 5 bytes JMP 0000000165fb34bc
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\ole32.dll!OleRegEnumFormatEtc 0000000076dccd0d 5 bytes JMP 0000000165fb1d83
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\oleaut32.dll!RegisterActiveObject 000000007758279e 5 bytes JMP 0000000165fb165d
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\oleaut32.dll!RevokeActiveObject 0000000077583294 5 bytes JMP 0000000165fb177e
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4552] C:\windows\syswow64\oleaut32.dll!GetActiveObject 0000000077598f58 5 bytes JMP 0000000165fb17f1
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5400] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5400] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Lexware\LxWebAccess\LxWebAccess.exe[3504] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000775e1465 2 bytes [5E, 77]
.text C:\Program Files (x86)\Common Files\Lexware\LxWebAccess\LxWebAccess.exe[3504] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775e14bb 2 bytes [5E, 77]
.text ... * 2
---- Kernel IAT/EAT - GMER 2.1 ----
IAT C:\windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004b45ea4] \SystemRoot\system32\DRIVERS\klif.sys [PAGE]
---- Threads - GMER 2.1 ----
Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [184:1864] 00000000772a7587
Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [184:4232] 000000005c7c758a
Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [184:3324] 0000000077b52e3e
Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [184:5300] 0000000077b53e59
Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [184:5164] 0000000077b53e59
Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [184:3268] 0000000077b53e59
---- Processes - GMER 2.1 ----
Library Q:\140066.deu\Office14\MSOSYNC.EXE (*** suspicious ***) @ Q:\140066.deu\Office14\MSOSYNC.EXE [4272] 000000002df40000
Library Q:\140066.deu\Office14\1031\ospintl.dll (*** suspicious ***) @ Q:\140066.deu\Office14\MSOSYNC.EXE [4272] 0000000063ee0000
Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\RICHED20.DLL (*** suspicious ***) @ Q:\140066.deu\Office14\MSOSYNC.EXE [4272] 000000005eea0000
Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSPTLS.DLL (*** suspicious ***) @ Q:\140066.deu\Office14\MSOSYNC.EXE [4272] 000000005f3d0000
Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\Csi.dll (*** suspicious ***) @ Q:\140066.deu\Office14\MSOSYNC.EXE [4272] 000000005d560000
---- EOF - GMER 2.1 ----