GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-14 12:45:40 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path1Target1Lun0 ST350041 rev.CC37 465,76GB Running: oj4jlx5q.exe; Driver: C:\DOCUME~1\user\USTAWI~1\Temp\kgqcqaod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xAA0D0AD6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xABA0483C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xAA0D15B4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xAA1176A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xAA0DD6B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xAA0DD704] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xAA0DD89E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xAA117054] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xAA0DD626] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xAA0DD748] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xAA0DD66E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xAA0D1AEA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xAA0DD858] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xAA0D23A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xAA0D0B3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xAA117D66] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xAA11801C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xAA0D5BF2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xAA117BD1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xAA117A3C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xABA04914] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xAA0D0728] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xABA04CF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xAA0D0BA2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xAA0D5FE8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xAA0D2EE6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xAA0DD6E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xAA0DD726] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xAA0DD8C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xAA1173B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xAA0DD64C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xAA0D54EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xAA0DD7D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xAA0DD696] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xAA0D58D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xAA0DD87C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xABA04A94] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xAA1178B7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xAA0D2CFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xAA117709] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xAA0D2854] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xABA12B28] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xABA134EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xAA116697] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xAA0D0C08] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xAA0D0C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xAA0D221C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xAA0D07C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xAA0D0994] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xAA117E6D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xAA0D0922] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xAA0D256C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xAA0D26CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xAA0D0A1C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xAA0D205A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xAA0D21FC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xABA01AD4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xAA0D0CD4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xAA0D1610] INT 0x73 ? 8AC86CB8 INT 0x83 ? 8AC86CB8 INT 0xB4 ? 8ABD4CB8 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2CA4 80504540 8 Bytes [EA, 1A, 0D, AA, 58, D8, 0D, ...] {JMP FAR 0xdd8:0x58aa0d1a; STOSB } .text ntkrnlpa.exe!ZwCallbackReturn + 2D8C 80504628 8 Bytes [E8, 5F, 0D, AA, E6, 2E, 0D, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2DB8 80504654 4 Bytes [EA, 54, 0D, AA] .text ntkrnlpa.exe!ZwCallbackReturn + 2F1D 805047B9 11 Bytes [0C, 0D, AA, 6E, 0C, 0D, AA, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2FC4 80504860 12 Bytes [6C, 25, 0D, AA, CE, 26, 0D, ...] {INS BYTE [ES:EDI], DX; AND EAX, 0x26ceaa0d; OR EAX, 0xd0a1caa; STOSB } PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A646E 4 Bytes CALL AA0D35B7 \SystemRoot\system32\drivers\aswSnx.sys .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF7361FEE] .xreloc C:\WINDOWS\system32\drivers\sfsync04.sys unknown last section [0xF7272000, 0xC5E, 0x40000040] .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF5D7E000, 0x1E2E7A, 0xE8000020] ? C:\WINDOWS\System32\Drivers\aqhmmv7s.SYS suspicious PE modification ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1404] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 74, 26, 00] {SUB [ESI+0x0], DH} .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 77, 26, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 74, 26, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 75, 26, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90FC8E .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 76, 26, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 75, 26, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 76, 26, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90FCFF .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 74, 26, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90FE2D .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 75, 26, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 76, 26, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 77, 26, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006201F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3072] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 006203FC .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3552] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5084] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D01F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5084] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 003D03FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5084] KERNEL32.dll!WriteFile 7C810E27 5 Bytes JMP 0E804270 C:\DOCUME~1\user\USTAWI~1\Temp\{90C8B897-86D2-4FDE-ABAA-574FC136E1C0}.dll .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 24, 5E, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 27, 5E, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 24, 5E, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 25, 5E, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91343E .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 26, 5E, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 25, 5E, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 26, 5E, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B9134AF .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 24, 5E, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9135DD .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 25, 5E, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 26, 5E, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 27, 5E, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008C01F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5096] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 008C03FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5136] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D01F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5136] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 003D03FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 24, D7, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 27, D7, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 24, D7, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 25, D7, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91AD3E .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 26, D7, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 25, D7, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 26, D7, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91ADAF .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 24, D7, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91AEDD .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 25, D7, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 26, D7, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 27, D7, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 010501F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5140] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 010503FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, B0, 83, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, B3, 83, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, B0, 83, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, B1, 83, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B9159CA .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, B2, 83, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, B1, 83, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, B2, 83, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B915A3B .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, B0, 83, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B915B69 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, B1, 83, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, B2, 83, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, B3, 83, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B101F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5400] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B103FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, EC, 59, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, EF, 59, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, EC, 59, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, ED, 59, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B913006 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, EE, 59, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, ED, 59, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, EE, 59, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B913077 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, EC, 59, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9131A5 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, ED, 59, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, EE, 59, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, EF, 59, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008701F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5544] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 008703FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 04, D6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 07, D6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 04, D6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 05, D6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91AC1E .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 06, D6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 05, D6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 06, D6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91AC8F .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 04, D6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91ADBD .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 05, D6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 06, D6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 07, D6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 010401F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5816] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 010403FC ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8ACC81F8 Device \Driver\Tcpip \Device\Ip aswStmXP.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{56A33ABA-E170-40AE-8CAA-289810A630A0} 8A15A1F8 Device \Driver\usbohci \Device\USBPDO-0 8ABD31F8 Device \Driver\usbehci \Device\USBPDO-1 8AB321F8 Device \Driver\Tcpip \Device\Tcp aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys Device \Driver\PCI_PNP7858 \Device\00000049 sptd.sys Device \Driver\PCI_PNP7858 \Device\00000049 sptd.sys Device \Driver\atapi \Device\Ide\IdePort0 [F7232B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F7232B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl 8AA821F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 8A15A1F8 Device \Driver\NetBT \Device\NetbiosSmb 8A15A1F8 Device \Driver\Tcpip \Device\Udp aswStmXP.sys Device \Driver\Tcpip \Device\RawIp aswStmXP.sys Device \Driver\usbohci \Device\USBFDO-0 8ABD31F8 Device \Driver\usbehci \Device\USBFDO-1 8AB321F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8942E1F8 Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys Device \FileSystem\MRxSmb \Device\LanmanRedirector 8942E1F8 Device \Driver\nvgts \Device\Scsi\nvgts1Port2Path1Target1Lun0 8ACC91F8 Device \Driver\aqhmmv7s \Device\Scsi\aqhmmv7s1 8AA92440 Device \Driver\nvgts \Device\Scsi\nvgts1 8ACC91F8 Device \Driver\nvgts \Device\Scsi\nvgts2 8ACC91F8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ac965b8]<< 8ac965b8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac28660] 8ac28660 Trace 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ac219e8] 8ac219e8 Trace 5 ACPI.sys[f728a620] -> nt!IofCallDriver -> \Device\Scsi\nvgts1Port2Path1Target1Lun0[0x8ac28030] 8ac28030 Trace \Driver\nvgts[0x8ac2ff38] -> IRP_MJ_CREATE -> 0x8acc91f8 8acc91f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6F 0x0B 0xF8 0xDB ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4E 0xED 0x44 0x91 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x73 0x69 0xD4 0x32 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x64 0x29 0x21 0x5C ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6F 0x0B 0xF8 0xDB ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x2E 0xE0 0x7C ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x73 0x69 0xD4 0x32 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x64 0x29 0x21 0x5C ... ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\Documents and Settings 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\Documents and Settings\user 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\Documents and Settings\user\Ustawienia lokalne 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\Documents and Settings\user\Ustawienia lokalne\Temp 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\chrome_shutdown_ms.txt 4 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Network Action Predictor 5120 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache\data_0 8192 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache\data_1 270336 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache\data_2 8192 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache\data_3 8192 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache\index 524656 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cookies 6144 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cookies-journal 1544 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Current Session 3653 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State\000003.log 569 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State\CURRENT 16 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State\LOCK 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State\LOG 47 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State\MANIFEST-000002 50 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Favicons 20480 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Favicons-journal 512 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\History 94208 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\History Provider Cache 6 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\History-journal 512 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Local Extension Settings 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Local Storage 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage 3072 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Login Data 12288 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Login Data-journal 512 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Network Action Predictor-journal 1544 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Preferences 2130 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Secure Preferences 18853 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Shortcuts 12288 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Shortcuts-journal 512 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Top Sites 20480 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Top Sites-journal 12824 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Visited Links 131072 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Web Data 71680 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Web Data-journal 4624 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Local State 5708 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\pnacl 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\snx_fs.dat 6858 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG 1024 bytes File C:\WINDOWS\Temp\_avast_\ws1CA039F8.dat (size mismatch) 812504/0 bytes executable ---- EOF - GMER 2.1 ----