GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-29 19:19:54 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AR1 465,76GB Running: yi6f2obx.exe; Driver: C:\Users\Agniecha\AppData\Local\Temp\pxddypog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033a6000 76 bytes [71, 20, 74, 0A, 41, C6, 41, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 605 fffff800033a604d 73 bytes {ADD EAX, [RAX]; MOV R9, [RSP+0x28]; JMP 0xc} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007765efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000776899b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\kernel32.dll!K32GetModuleInformation 00000000776994d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077699640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\kernel32.dll!RegSetValueExA 00000000776ba500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7b2db0 5 bytes JMP 000007fffd7a0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7b37d0 7 bytes JMP 000007fffd7a00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7b8ef0 6 bytes JMP 000007fffd7a0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7caf60 5 bytes JMP 000007fffd7a0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf189e0 8 bytes JMP 000007fffd7a01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf1be40 8 bytes JMP 000007fffd7a01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\ole32.dll!CoCreateInstance 000007feff837490 11 bytes JMP 000007fffd7a0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\windows\system32\ole32.dll!CoSetProxyBlanket 000007feff84bf00 7 bytes JMP 000007fffd7a0260 .text C:\Program Files (x86)\PANDORA.TV\PanService\KMPService.exe[1908] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075991465 2 bytes [99, 75] .text C:\Program Files (x86)\PANDORA.TV\PanService\KMPService.exe[1908] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759914bb 2 bytes [99, 75] .text ... * 2 .text C:\Program Files (x86)\PANDORA.TV\PanService\KMPProcess.exe[2024] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075991465 2 bytes [99, 75] .text C:\Program Files (x86)\PANDORA.TV\PanService\KMPProcess.exe[2024] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759914bb 2 bytes [99, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2824] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075991465 2 bytes [99, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2824] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759914bb 2 bytes [99, 75] .text ... * 2 .text C:\windows\system32\Dwm.exe[3856] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7b2db0 5 bytes JMP 000007fffd7a0180 .text C:\windows\system32\Dwm.exe[3856] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7b37d0 7 bytes JMP 000007fffd7a00d8 .text C:\windows\system32\Dwm.exe[3856] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7b8ef0 6 bytes JMP 000007fffd7a0148 .text C:\windows\system32\Dwm.exe[3856] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7caf60 5 bytes JMP 000007fffd7a0110 .text C:\windows\system32\Dwm.exe[3856] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf189e0 8 bytes JMP 000007fffd7a01f0 .text C:\windows\system32\Dwm.exe[3856] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf1be40 8 bytes JMP 000007fffd7a01b8 .text C:\windows\system32\Dwm.exe[3856] C:\windows\system32\dxgi.dll!CreateDXGIFactory 000007fef8cbdc88 5 bytes JMP 000007fff8c900d8 .text C:\windows\system32\Dwm.exe[3856] C:\windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef8cbde10 5 bytes JMP 000007fff8c90110 .text C:\windows\system32\taskeng.exe[3904] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7b2db0 5 bytes JMP 000007fffd7a0180 .text C:\windows\system32\taskeng.exe[3904] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7b37d0 7 bytes JMP 000007fffd7a00d8 .text C:\windows\system32\taskeng.exe[3904] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7b8ef0 6 bytes JMP 000007fffd7a0148 .text C:\windows\system32\taskeng.exe[3904] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7caf60 5 bytes JMP 000007fffd7a0110 .text C:\windows\system32\taskeng.exe[3904] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf189e0 8 bytes JMP 000007fffd7a01f0 .text C:\windows\system32\taskeng.exe[3904] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf1be40 8 bytes JMP 000007fffd7a01b8 .text C:\windows\system32\taskeng.exe[3904] C:\windows\system32\ole32.dll!CoCreateInstance 000007feff837490 11 bytes JMP 000007fffd7a0228 .text C:\windows\system32\taskeng.exe[3904] C:\windows\system32\ole32.dll!CoSetProxyBlanket 000007feff84bf00 7 bytes JMP 000007fffd7a0260 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007765efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000776899b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\kernel32.dll!K32GetModuleInformation 00000000776994d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077699640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\kernel32.dll!RegSetValueExA 00000000776ba500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7b2db0 5 bytes JMP 000007fffd740180 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7b37d0 7 bytes JMP 000007fffd7400d8 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7b8ef0 6 bytes JMP 000007fffd740148 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7caf60 5 bytes JMP 000007fffd740110 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\ole32.dll!CoCreateInstance 000007feff837490 11 bytes JMP 000007fffd740228 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\ole32.dll!CoSetProxyBlanket 000007feff84bf00 7 bytes JMP 000007fffd740260 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf189e0 8 bytes JMP 000007fffd7401f0 .text C:\Program Files\Microsoft Security Client\msseces.exe[3324] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf1be40 8 bytes JMP 000007fffd7401b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3348] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007765efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[3348] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000776899b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3348] C:\windows\system32\kernel32.dll!K32GetModuleInformation 00000000776994d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Sidebar\sidebar.exe[3348] C:\windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077699640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[3348] C:\windows\system32\kernel32.dll!RegSetValueExA 00000000776ba500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3348] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7b2db0 5 bytes JMP 000007fffd740180 .text C:\Program Files\Windows Sidebar\sidebar.exe[3348] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7b37d0 7 bytes JMP 000007fffd7400d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3348] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7b8ef0 6 bytes JMP 000007fffd740148 .text C:\Program Files\Windows Sidebar\sidebar.exe[3348] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7caf60 5 bytes JMP 000007fffd740110 .text C:\Program Files\Windows Sidebar\sidebar.exe[3348] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf189e0 8 bytes JMP 000007fffd7401f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3348] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf1be40 8 bytes JMP 000007fffd7401b8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000075f513e1 7 bytes JMP 0000000170a012ad .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075f6b1d3 5 bytes JMP 0000000170a015be .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075fe88b4 7 bytes JMP 0000000170a01357 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075fe8939 5 bytes JMP 0000000170a016e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075fe8c8f 5 bytes JMP 0000000170a01028 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000770f1d1b 5 bytes JMP 0000000170a011ef .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000770f1dc9 5 bytes JMP 0000000170a01023 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000770f2aa4 5 bytes JMP 0000000170a0156e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000770f2d0a 5 bytes JMP 0000000170a01294 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007749e96b 5 bytes JMP 0000000170a015d7 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007749eba5 5 bytes JMP 0000000170a011b8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000077288a29 5 bytes JMP 0000000170a01050 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000077294572 5 bytes JMP 0000000170a010d2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075515ea5 5 bytes JMP 0000000170a01609 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3556] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075549d0b 5 bytes JMP 0000000170a01249 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1732] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007765efe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1732] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000776899b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1732] C:\windows\system32\kernel32.dll!K32GetModuleInformation 00000000776994d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1732] C:\windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077699640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1732] C:\windows\system32\kernel32.dll!RegSetValueExA 00000000776ba500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1732] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7b2db0 5 bytes JMP 000007fffd7a0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1732] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7b37d0 7 bytes JMP 000007fffd7a00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1732] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7b8ef0 6 bytes JMP 000007fffd7a0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1732] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7caf60 5 bytes JMP 000007fffd7a0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1732] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf189e0 8 bytes JMP 000007fffd7a01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1732] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf1be40 8 bytes JMP 000007fffd7a01b8 .text C:\windows\system32\taskeng.exe[4180] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7b2db0 5 bytes JMP 000007fffd7a0180 .text C:\windows\system32\taskeng.exe[4180] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7b37d0 7 bytes JMP 000007fffd7a00d8 .text C:\windows\system32\taskeng.exe[4180] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7b8ef0 6 bytes JMP 000007fffd7a0148 .text C:\windows\system32\taskeng.exe[4180] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7caf60 5 bytes JMP 000007fffd7a0110 .text C:\windows\system32\taskeng.exe[4180] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf189e0 8 bytes JMP 000007fffd7a01f0 .text C:\windows\system32\taskeng.exe[4180] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf1be40 8 bytes JMP 000007fffd7a01b8 .text C:\windows\system32\taskeng.exe[4180] C:\windows\system32\ole32.dll!CoCreateInstance 000007feff837490 11 bytes JMP 000007fffd7a0228 .text C:\windows\system32\taskeng.exe[4180] C:\windows\system32\ole32.dll!CoSetProxyBlanket 000007feff84bf00 7 bytes JMP 000007fffd7a0260 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[4236] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000075f513e1 7 bytes JMP 0000000170a012ad .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[4236] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075f6b1d3 5 bytes JMP 0000000170a015be .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[4236] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075fe88b4 7 bytes JMP 0000000170a01357 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[4236] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075fe8939 5 bytes JMP 0000000170a016e0 .text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[4236] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075fe8c8f 5 bytes JMP 0000000170a01028 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[4248] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000075f513e1 7 bytes JMP 0000000170a012ad .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[4248] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075f6b1d3 5 bytes JMP 0000000170a015be .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[4248] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075fe88b4 7 bytes JMP 0000000170a01357 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[4248] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075fe8939 5 bytes JMP 0000000170a016e0 .text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[4248] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075fe8c8f 5 bytes JMP 0000000170a01028 .text C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe[4260] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000075f513e1 7 bytes JMP 0000000170a012ad .text C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe[4260] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075f6b1d3 5 bytes JMP 0000000170a015be .text C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe[4260] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075fe88b4 7 bytes JMP 0000000170a01357 .text C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe[4260] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075fe8939 5 bytes JMP 0000000170a016e0 .text C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe[4260] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075fe8c8f 5 bytes JMP 0000000170a01028 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2116] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075991465 2 bytes [99, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2116] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759914bb 2 bytes [99, 75] .text ... * 2 .text C:\Users\Agniecha\AppData\Local\Akamai\netsession_win.exe[2780] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000075f513e1 7 bytes JMP 0000000170a012ad .text C:\Users\Agniecha\AppData\Local\Akamai\netsession_win.exe[2780] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075f6b1d3 5 bytes JMP 0000000170a015be .text C:\Users\Agniecha\AppData\Local\Akamai\netsession_win.exe[2780] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075fe88b4 7 bytes JMP 0000000170a01357 .text C:\Users\Agniecha\AppData\Local\Akamai\netsession_win.exe[2780] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075fe8939 5 bytes JMP 0000000170a016e0 .text C:\Users\Agniecha\AppData\Local\Akamai\netsession_win.exe[2780] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075fe8c8f 5 bytes JMP 0000000170a01028 .text C:\Users\Agniecha\AppData\Local\Akamai\netsession_win.exe[2780] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000770f1d1b 5 bytes JMP 0000000170a011ef .text C:\Users\Agniecha\AppData\Local\Akamai\netsession_win.exe[2780] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000770f1dc9 5 bytes JMP 0000000170a01023 .text C:\Users\Agniecha\AppData\Local\Akamai\netsession_win.exe[2780] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000770f2aa4 5 bytes JMP 0000000170a0156e .text C:\Users\Agniecha\AppData\Local\Akamai\netsession_win.exe[2780] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000770f2d0a 5 bytes JMP 0000000170a01294 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4140] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075991465 2 bytes [99, 75] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4140] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759914bb 2 bytes [99, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000075f513e1 7 bytes JMP 0000000170a012ad .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075f6b1d3 5 bytes JMP 0000000170a015be .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075fe88b4 7 bytes JMP 0000000170a01357 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075fe8939 5 bytes JMP 0000000170a016e0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075fe8c8f 5 bytes JMP 0000000170a01028 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000770f1d1b 5 bytes JMP 0000000170a011ef .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000770f1dc9 5 bytes JMP 0000000170a01023 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000770f2aa4 5 bytes JMP 0000000170a0156e .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000770f2d0a 5 bytes JMP 0000000170a01294 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000077288a29 5 bytes JMP 0000000170a01050 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000077294572 5 bytes JMP 0000000170a010d2 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007749e96b 5 bytes JMP 0000000170a015d7 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007749eba5 5 bytes JMP 0000000170a011b8 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075515ea5 5 bytes JMP 0000000170a01609 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5112] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075549d0b 5 bytes JMP 0000000170a01249 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2744] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000770f1d1b 5 bytes JMP 0000000170a011ef .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2744] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000770f1dc9 5 bytes JMP 0000000170a01023 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2744] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000770f2aa4 5 bytes JMP 0000000170a0156e .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2744] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000770f2d0a 5 bytes JMP 0000000170a01294 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe!?SparseBitMask@DataSourceDescription@FlexUI@@2HB + 960 000000002deb5984 4 bytes [E5, 87, 94, E2] .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000075f513e1 7 bytes JMP 0000000170a012ad .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075f6b1d3 5 bytes JMP 0000000170a015be .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075fe88b4 7 bytes JMP 0000000170a01357 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075fe8939 5 bytes JMP 0000000170a016e0 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075fe8c8f 5 bytes JMP 0000000170a01028 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000770f1d1b 5 bytes JMP 0000000170a011ef .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000770f1dc9 5 bytes JMP 0000000170a01023 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000770f2aa4 5 bytes JMP 0000000170a0156e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000770f2d0a 5 bytes JMP 0000000170a01294 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075515ea5 5 bytes JMP 0000000170a01609 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075549d0b 5 bytes JMP 0000000170a01249 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007749e96b 5 bytes JMP 0000000170a015d7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007749eba5 5 bytes JMP 0000000170a011b8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000077288a29 5 bytes JMP 0000000170a01050 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000077294572 5 bytes JMP 0000000170a010d2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075991465 2 bytes [99, 75] .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[1044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759914bb 2 bytes [99, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077a3f9e0 5 bytes JMP 000000016dc26f86 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtQueryObject 0000000077a3f9f8 5 bytes JMP 000000016dc2741f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 0000000077a3fa28 5 bytes JMP 000000016dc21027 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077a3fa40 5 bytes JMP 000000016dc208b2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 0000000077a3fa90 5 bytes JMP 000000016dc2072c .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077a3faa8 5 bytes JMP 000000016dc2083a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077a3fb40 5 bytes JMP 000000016dc213d1 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077a3fc38 5 bytes JMP 000000016dc253c5 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 0000000077a3fd4c 5 bytes JMP 000000016dc206b4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a3fd64 5 bytes JMP 000000016dc259b5 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077a3fd98 5 bytes JMP 000000016dc24a3a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077a3fe44 5 bytes JMP 000000016dc27001 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 0000000077a3fe5c 5 bytes JMP 000000016dc25b37 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a400b4 5 bytes JMP 000000016dc257ed .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077a401c4 5 bytes JMP 000000016dc2092a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077a409e4 5 bytes JMP 000000016dc255e0 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077a409fc 5 bytes JMP 000000016dc1d7fa .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077a40a44 5 bytes JMP 000000016dc1d8c8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077a40b80 5 bytes JMP 000000016dc1d861 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077a40f70 5 bytes JMP 000000016dc209a2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a40f88 5 bytes JMP 000000016dc20dff .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077a41018 5 bytes JMP 000000016dc2112f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 0000000077a4133c 5 bytes JMP 000000016dc25bc7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077a4147c 5 bytes JMP 000000016dc20d83 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077a41528 5 bytes JMP 000000016dc27397 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077a41718 5 bytes JMP 000000016dc1dd06 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077a41a58 5 bytes JMP 000000016dc207b4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077a41b9c 5 bytes JMP 000000016dc2712e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075f4103d 5 bytes JMP 000000016dbf9bba .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075f41072 5 bytes JMP 000000016dbf9cf8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000075f513e1 7 bytes JMP 0000000170a012ad .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!ReplaceFile 0000000075f60dac 5 bytes JMP 000000016dbf7e04 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075f6b1d3 5 bytes JMP 0000000170a015be .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075f6c965 5 bytes JMP 000000016dbf9f2e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!ReplaceFileA 0000000075fbeab9 5 bytes JMP 000000016dbf7d24 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!SetDllDirectoryW 0000000075fc0083 5 bytes JMP 000000016dbfa851 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!SetDllDirectoryA 0000000075fc012b 5 bytes JMP 000000016dbfab84 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!WinExec 0000000075fc2c51 5 bytes JMP 000000016dbfa3f3 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!AllocConsole 0000000075fe6afe 5 bytes JMP 000000016dc28595 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!AttachConsole 0000000075fe6bc2 5 bytes JMP 000000016dc285a7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075fe88b4 7 bytes JMP 0000000170a01357 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075fe8939 5 bytes JMP 0000000170a016e0 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075fe8c8f 5 bytes JMP 0000000170a01028 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000770f1d1b 5 bytes JMP 0000000170a011ef .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000770f1dc9 5 bytes JMP 0000000170a01023 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000770f2aa4 5 bytes JMP 0000000170a0156e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000770f2d0a 5 bytes JMP 0000000170a01294 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000077288a29 5 bytes JMP 0000000170a01050 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\USER32.dll!CreateWindowExA 000000007728d22e 5 bytes JMP 000000016dc28565 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000077294572 5 bytes JMP 0000000170a010d2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007749e96b 5 bytes JMP 0000000170a015d7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007749eba5 5 bytes JMP 0000000170a011b8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\GDI32.dll!AddFontResourceW 00000000774ad3c2 5 bytes JMP 000000016dc081eb .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\GDI32.dll!AddFontResourceA 00000000774ad8cb 1 byte JMP 000000016dc081cf .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\GDI32.dll!AddFontResourceA + 2 00000000774ad8cd 3 bytes {JMP 0xfffffffff675a904} .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesW 0000000075af1e3a 7 bytes JMP 000000016dc0b1d3 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW 0000000075afb406 7 bytes JMP 000000016dc0c0f4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW 0000000075b17897 7 bytes JMP 000000016dc0b87a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW 0000000075b17953 7 bytes JMP 000000016dc0ba2b .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA 0000000075b1a37a 7 bytes JMP 000000016dc0c1ba .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b32642 5 bytes JMP 000000016dbfa070 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA 0000000075b51d74 7 bytes JMP 000000016dc0b932 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA 0000000075b51e11 7 bytes JMP 000000016dc0bae3 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusA 0000000075b52201 7 bytes JMP 000000016dc0c036 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesA 0000000075b522e4 7 bytes JMP 000000016dc0b28a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusW 0000000075b52401 5 bytes JMP 000000016dc0bf78 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!ControlService 0000000077384d5c 7 bytes JMP 000000016dc0b018 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000077384dc3 7 bytes JMP 000000016dc0b341 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!QueryServiceStatus 0000000077384e4b 7 bytes JMP 000000016dc0b0a4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!QueryServiceStatusEx 0000000077384eaf 7 bytes JMP 000000016dc0b137 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!StartServiceW 0000000077384f35 7 bytes JMP 000000016dc0ae93 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!StartServiceA 000000007738508d 7 bytes JMP 000000016dc0af29 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity 00000000773850f4 7 bytes JMP 000000016dc0be46 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077385181 7 bytes JMP 000000016dc0bee2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077385254 7 bytes JMP 000000016dc0b542 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000773853d5 7 bytes JMP 000000016dc0b45d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000773854c2 7 bytes JMP 000000016dc0b7e4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000773855e2 7 bytes JMP 000000016dc0b74e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007738567c 7 bytes JMP 000000016dc0ac75 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007738589f 7 bytes JMP 000000016dc0ab9f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000077385a22 7 bytes JMP 000000016dc0b3cf .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigA 0000000077385a83 7 bytes JMP 000000016dc0bc75 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigW 0000000077385b29 7 bytes JMP 000000016dc0bbdc .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!ControlServiceExA 0000000077385ca0 7 bytes JMP 000000016dc0a34f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!ControlServiceExW 0000000077385d8c 7 bytes JMP 000000016dc0a2d6 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!OpenSCManagerW 00000000773863ad 7 bytes JMP 000000016dc0a89d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!OpenSCManagerA 00000000773864f0 7 bytes JMP 000000016dc0a929 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2A 0000000077386633 7 bytes JMP 000000016dc0bdaa .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2W 000000007738680c 7 bytes JMP 000000016dc0bd0e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!OpenServiceW 000000007738714b 7 bytes JMP 000000016dc0aa12 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\SysWOW64\sechost.dll!OpenServiceA 0000000077387245 7 bytes JMP 000000016dc0aa9e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoRegisterPSClsid 000000007550c56e 5 bytes JMP 000000016dc1196d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoResumeClassObjects + 7 000000007550ea09 7 bytes JMP 000000016dc11f3e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!OleRun 00000000755107de 5 bytes JMP 000000016dc11df9 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoRegisterClassObject 00000000755121e1 5 bytes JMP 000000016dc12a6e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075515ea5 5 bytes JMP 0000000170a01609 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!OleUninitialize 000000007551eba1 6 bytes JMP 000000016dc11d18 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!OleInitialize 000000007551efd7 5 bytes JMP 000000016dc11ca8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoGetPSClsid 00000000755226b9 5 bytes JMP 000000016dc11ae5 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoGetClassObject 00000000755354ad 5 bytes JMP 000000016dc12ffc .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoInitializeEx 00000000755409ad 5 bytes JMP 000000016dc11b58 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoUninitialize 00000000755486d3 5 bytes JMP 000000016dc11bda .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075549d0b 5 bytes JMP 0000000170a01249 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075549d4e 5 bytes JMP 000000016dc12405 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 000000007556bb09 7 bytes JMP 000000016dc11e69 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoRevokeClassObject 000000007558eacf 5 bytes JMP 000000016dc113ca .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!CoGetInstanceFromFile 00000000755c340b 5 bytes JMP 000000016dc134bc .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\ole32.dll!OleRegEnumFormatEtc 000000007560cfd9 5 bytes JMP 000000016dc11d83 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\OLEAUT32.dll!RegisterActiveObject 0000000075bd279e 5 bytes JMP 000000016dc1165d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\OLEAUT32.dll!RevokeActiveObject 0000000075bd3294 5 bytes JMP 000000016dc1177e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5860] C:\windows\syswow64\OLEAUT32.dll!GetActiveObject 0000000075be8f40 5 bytes JMP 000000016dc117f1 .text C:\windows\system32\DllHost.exe[4940] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7b2db0 5 bytes JMP 000007fffd7a0180 .text C:\windows\system32\DllHost.exe[4940] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7b37d0 7 bytes JMP 000007fffd7a00d8 .text C:\windows\system32\DllHost.exe[4940] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7b8ef0 6 bytes JMP 000007fffd7a0148 .text C:\windows\system32\DllHost.exe[4940] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7caf60 5 bytes JMP 000007fffd7a0110 .text C:\windows\system32\DllHost.exe[4940] C:\windows\system32\ole32.dll!CoCreateInstance 000007feff837490 11 bytes JMP 000007fffd7a0228 .text C:\windows\system32\DllHost.exe[4940] C:\windows\system32\ole32.dll!CoSetProxyBlanket 000007feff84bf00 7 bytes JMP 000007fffd7a0260 .text C:\windows\system32\DllHost.exe[4940] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf189e0 8 bytes JMP 000007fffd7a01f0 .text C:\windows\system32\DllHost.exe[4940] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf1be40 8 bytes JMP 000007fffd7a01b8 .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000075f513e1 7 bytes JMP 0000000170a012ad .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075f6b1d3 5 bytes JMP 0000000170a015be .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075fe88b4 7 bytes JMP 0000000170a01357 .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075fe8939 5 bytes JMP 0000000170a016e0 .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075fe8c8f 5 bytes JMP 0000000170a01028 .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000770f1d1b 5 bytes JMP 0000000170a011ef .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000770f1dc9 5 bytes JMP 0000000170a01023 .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000770f2aa4 5 bytes JMP 0000000170a0156e .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000770f2d0a 5 bytes JMP 0000000170a01294 .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007749e96b 5 bytes JMP 0000000170a015d7 .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007749eba5 5 bytes JMP 0000000170a011b8 .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000077288a29 5 bytes JMP 0000000170a01050 .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000077294572 5 bytes JMP 0000000170a010d2 .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075515ea5 5 bytes JMP 0000000170a01609 .text C:\Users\Agniecha\Downloads\yi6f2obx.exe[1612] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075549d0b 5 bytes JMP 0000000170a01249 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\88532e003e75 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b4749f59338f Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca9719afa82 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\88532e003e75 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b4749f59338f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca9719afa82 (not active ControlSet) Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Agniecha\AppData\Local\Temp\JREInstall\x3031\x3237.exe 1 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----