GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-02 15:16:23 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0 WDC_WD50 rev.01.0 465,76GB Running: hp048h9o.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pflyrkod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 2C, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 2F, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 2C, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 2D, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 2E, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 2D, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 2E, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 2C, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 2D, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 2E, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 2F, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[436] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 90, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 93, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 90, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 91, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 92, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 91, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 92, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 90, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 91, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 92, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 93, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[968] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 64, 46, 03] {SUB [ESI+EAX*2+0x3], AH} .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 67, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 64, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 65, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 66, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 65, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 66, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 64, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 65, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 66, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 67, 46, 03] .text C:\Program Files\Opera\25.0.1614.68\opera.exe[1292] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0x8F 0x48 0x71 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0x8F 0x48 0x71 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0x8F 0x48 0x71 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0x8F 0x48 0x71 ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0x8F 0x48 0x71 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0x8F 0x48 0x71 ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF5 0x9A 0xD0 0x7C ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x93 0x27 0x1F 0xD0 ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB4 0x6B 0xB5 0x11 ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x45 0xC9 0xBD 0xD9 ... Reg HKLM\SOFTWARE\Classes\CLSID\{0e6181a9-ebf0-4ddb-949c-f71fb6ed8d8f}@Model 226 Reg HKLM\SOFTWARE\Classes\CLSID\{0e6181a9-ebf0-4ddb-949c-f71fb6ed8d8f}@Therad 30 Reg HKLM\SOFTWARE\Classes\CLSID\{0e6181a9-ebf0-4ddb-949c-f71fb6ed8d8f}@MData 0x2B 0x8F 0x78 0x29 ... Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x95 0xFB 0x70 0x7E ... ---- Files - GMER 2.1 ---- File C:\RECYCLER\S-1-5-21-842925246-2025429265-682008880-1013\com4\hidefiles\WinMend-Folder-Hidden\HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH\HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH\842925246-2025429265-HidePassword.ini 48 bytes File C:\RECYCLER\S-1-5-21-842925246-2025429265-682008880-1013\com4\hidefiles\WinMend-Folder-Hidden\HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH\HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH\S-1-5-21-HideFile.ini 2 bytes File C:\RECYCLER\S-1-5-21-842925246-2025429265-682008880-1013\com4\hidefiles\WinMend-Folder-Hidden\HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH\HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH\S-1-5-21-Showfile.ini 2 bytes ---- EOF - GMER 2.1 ----