GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-08 23:10:49
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST9160827AS rev.3.AAA 149,05GB
Running: gmer.exe; Driver: C:\DOCUME~1\ANIAKW~1\USTAWI~1\Temp\pxtdrpow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB63C1BA6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB63C2684]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB6406D80]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB63CE6F8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB63CE744]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB63CE8DE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB6406734]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB63CE666]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB63CE788]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB63CE6AE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB63C2BBA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB63CE898]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB63C3472]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB63C1C0C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB6407446]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB64076FC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB63C6C68]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB64072B1]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB640711C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB63C17F8]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB67E7E28]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB63C1C72]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB63C705E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB63C3F5A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB63CE722]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB63CE766]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB63CE902]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB6406A90]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB63CE68C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB63C6560]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB63CE816]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB63CE6D6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB63C694C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB63CE8BC]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB67E7BCC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB6406F97]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB63C3DCE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB6406DE9]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB63C3924]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB67F5D88]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB6405D77]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB63C1CD8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB63C1D3E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB63C32EC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB63C1892]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB63C1A64]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB640754D]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB63C19F2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB63C363C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB63C379E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB63C1AEC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB63C312A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB63C32CC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB63C1DA4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB63C26E0]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D20 80504608 4 Bytes CALL D6E4FC49
.text ntkrnlpa.exe!ZwCallbackReturn + 2E5C 80504744 4 Bytes JMP D86AFD85
.text ntkrnlpa.exe!ZwCallbackReturn + 2E7C 80504764 8 Bytes [16, E8, 3C, B6, D6, E6, 3C, ...] {PUSH SS; CALL 0xe6d6b642; CMP AL, 0xb6}
.text ntkrnlpa.exe!ZwCallbackReturn + 2E94 8050477C 4 Bytes CALL DEF4FDBD
.text ntkrnlpa.exe!ZwCallbackReturn + 2F4C 80504834 4 Bytes [E9, 6D, 40, B6]
.text ...
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL B63C462B \SystemRoot\system32\drivers\aswSnx.sys
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB915C360, 0x322F4D, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\CardDetector\HUAWEI177\CardDetector.exe[136] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\CardDetector\HUAWEI177\CardDetector.exe[136] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[260] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[408] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[408] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[428] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[428] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[580] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[580] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Skype\Phone\Skype.exe[596] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Skype\Phone\Skype.exe[596] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Messenger\msmsgs.exe[684] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Messenger\msmsgs.exe[684] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\smss.exe[692] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text c:\PROGRA~1\AVG\AVG2014\avgrsx.exe[736] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVG\AVG2014\avgcsrvx.exe[772] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[984] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[984] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1020] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1020] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1064] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1076] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\CCleaner\CCleaner.exe[1356] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\CCleaner\CCleaner.exe[1356] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[1360] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[1360] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[1396] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[1396] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[1432] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[1432] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1448] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\DOCUME~1\ANIAKW~1\USTAWI~1\Temp\Rar$EXa0.088\gmer.exe[1496] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\DOCUME~1\ANIAKW~1\USTAWI~1\Temp\Rar$EXa0.088\gmer.exe[1496] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe[1556] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe[1556] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[1568] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[1568] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1584] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1660] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1720] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1720] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1860] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1860] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1860] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1872] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1872] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\AVG\AVG2014\avgui.exe[1904] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVG\AVG2014\avgui.exe[1904] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1960] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1960] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1988] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\RTHDCPL.EXE[2024] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\RTHDCPL.EXE[2024] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\RUNDLL32.EXE[2032] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\RUNDLL32.EXE[2032] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[2328] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[2328] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2488] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2488] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2528] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003C01F8
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2528] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2528] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003C03FC
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2528] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 28, 2B, 00] {SUB [EAX], CH; SUB EAX, [EAX]}
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 2B, 2B, 00] {SUB [EBX], CH; SUB EAX, [EAX]}
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 28, 2B, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 29, 2B, 00] {TEST AL, 0x29; SUB EAX, [EAX]}
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B910142
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 2A, 2B, 00] {TEST AL, 0x2a; SUB EAX, [EAX]}
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 29, 2B, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 2A, 2B, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B9101B3
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 28, 2B, 00] {TEST AL, 0x28; SUB EAX, [EAX]}
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9102E1
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 29, 2B, 00] {SUB [ECX], CH; SUB EAX, [EAX]}
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 2A, 2B, 00] {SUB [EDX], CH; SUB EAX, [EAX]}
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 2B, 2B, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 038701F8
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 038703FC
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2740] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2820] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2820] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2836] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2836] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, C4, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, C7, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, C4, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, C5, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, C6, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, C5, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, C6, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, C4, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, C5, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, C6, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, C7, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 039D01F8
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 039D03FC
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2872] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 78, 20, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 7B, 20, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 78, 20, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 79, 20, 00] {TEST AL, 0x79; AND [EAX], AL}
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90F692
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 7A, 20, 00] {TEST AL, 0x7a; AND [EAX], AL}
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 79, 20, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 7A, 20, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90F703
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 78, 20, 00] {TEST AL, 0x78; AND [EAX], AL}
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90F831
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 79, 20, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 7A, 20, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 7B, 20, 00]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003F01F8
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003F03FC
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2916] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 24, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 27, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 24, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 25, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 26, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 25, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 26, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 24, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 25, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 26, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 27, 5F, 03]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 039D01F8
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 039D03FC
.text C:\Program Files\Opera\28.0.1750.51\opera.exe[2920] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\AVG\AVG2014\avgnsx.exe[3448] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVG\AVG2014\avgnsx.exe[3448] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\AVG\AVG2014\avgemcx.exe[3496] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVG\AVG2014\avgemcx.exe[3496] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3884] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3884] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Program Files\WinRAR\WinRAR.exe[4044] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\WinRAR\WinRAR.exe[4044] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\services.exe[1064] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[1064] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswRdr.sys

---- EOF - GMER 2.1 ----