GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-06 05:16:55
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD3200AAJS-22RYA0 rev.12.01B01 298,09GB
Running: gmer.exe; Driver: C:\Users\Admin\AppData\Local\Temp\aglorpod.sys

---- Kernel code sections - GMER 2.2 ----

.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xA2A62300, 0x3AE88, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA2AA5300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 2.2 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtCreateFile + 6 77C24342 4 Bytes [28, A0, 44, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtCreateFile + B 77C24347 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtMapViewOfSection + 6 77C24A92 4 Bytes [28, A3, 44, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtMapViewOfSection + B 77C24A97 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenFile + 6 77C24B22 4 Bytes [68, A0, 44, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenFile + B 77C24B27 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenProcess + 6 77C24BA2 4 Bytes [A8, A1, 44, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenProcess + B 77C24BA7 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenProcessToken + 6 77C24BB2 4 Bytes CALL 76C29058 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenProcessToken + B 77C24BB7 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenProcessTokenEx + 6 77C24BC2 4 Bytes [A8, A2, 44, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenProcessTokenEx + B 77C24BC7 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenThread + 6 77C24C12 4 Bytes [68, A1, 44, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenThread + B 77C24C17 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenThreadToken + 6 77C24C22 4 Bytes [68, A2, 44, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenThreadToken + B 77C24C27 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenThreadTokenEx + 6 77C24C32 4 Bytes CALL 76C290D9 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtOpenThreadTokenEx + B 77C24C37 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtQueryAttributesFile + 6 77C24CC2 4 Bytes [A8, A0, 44, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtQueryAttributesFile + B 77C24CC7 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtQueryFullAttributesFile + 6 77C24D72 4 Bytes CALL 76C29217 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtQueryFullAttributesFile + B 77C24D77 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtSetInformationFile + 6 77C25252 4 Bytes [28, A1, 44, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtSetInformationFile + B 77C25257 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtSetInformationThread + 6 77C252A2 4 Bytes [28, A2, 44, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtSetInformationThread + B 77C252A7 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtUnmapViewOfSection + 6 77C25542 4 Bytes [68, A3, 44, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[284] ntdll.dll!NtUnmapViewOfSection + B 77C25547 1 Byte [E2]
.text C:\Program Files\IObit\Advanced SystemCare\Monitor.exe[852] kernel32.dll!CreateThread + 1A 77D8CD10 4 Bytes CALL 5983DB6D C:\Program Files\IObit\Advanced SystemCare\madExcept_.bpl
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtCreateFile + 6 77C24342 4 Bytes [28, CC, 63, 00] {SUB AH, CL; ARPL [EAX], AX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtCreateFile + B 77C24347 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtMapViewOfSection + 6 77C24A92 4 Bytes [28, CF, 63, 00] {SUB BH, CL; ARPL [EAX], AX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtMapViewOfSection + B 77C24A97 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenFile + 6 77C24B22 4 Bytes [68, CC, 63, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenFile + B 77C24B27 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenProcess + 6 77C24BA2 4 Bytes [A8, CD, 63, 00] {TEST AL, 0xcd; ARPL [EAX], AX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenProcess + B 77C24BA7 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenProcessToken + 6 77C24BB2 4 Bytes CALL 76C2AF84 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenProcessToken + B 77C24BB7 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenProcessTokenEx + 6 77C24BC2 4 Bytes [A8, CE, 63, 00] {TEST AL, 0xce; ARPL [EAX], AX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenProcessTokenEx + B 77C24BC7 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenThread + 6 77C24C12 4 Bytes [68, CD, 63, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenThread + B 77C24C17 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenThreadToken + 6 77C24C22 4 Bytes [68, CE, 63, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenThreadToken + B 77C24C27 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenThreadTokenEx + 6 77C24C32 4 Bytes CALL 76C2B005 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtOpenThreadTokenEx + B 77C24C37 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtQueryAttributesFile + 6 77C24CC2 4 Bytes [A8, CC, 63, 00] {TEST AL, 0xcc; ARPL [EAX], AX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtQueryAttributesFile + B 77C24CC7 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtQueryFullAttributesFile + 6 77C24D72 4 Bytes CALL 76C2B143 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtQueryFullAttributesFile + B 77C24D77 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtSetInformationFile + 6 77C25252 4 Bytes [28, CD, 63, 00] {SUB CH, CL; ARPL [EAX], AX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtSetInformationFile + B 77C25257 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtSetInformationThread + 6 77C252A2 4 Bytes [28, CE, 63, 00] {SUB DH, CL; ARPL [EAX], AX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtSetInformationThread + B 77C252A7 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtUnmapViewOfSection + 6 77C25542 4 Bytes [68, CF, 63, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1132] ntdll.dll!NtUnmapViewOfSection + B 77C25547 1 Byte [E2]
.text C:\Program Files\IObit\Advanced SystemCare\ASCTray.exe[2908] kernel32.dll!CreateThread + 1A 77D8CD10 4 Bytes CALL 0044CEB1 C:\Program Files\IObit\Advanced SystemCare\ASCTray.exe
.text C:\Program Files\IObit\IObit Uninstaller\UninstallMonitor.exe[3556] kernel32.dll!CreateThread + 1A 77D8CD10 4 Bytes CALL 0043B639 C:\Program Files\IObit\IObit Uninstaller\UninstallMonitor.exe
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3968] ntdll.dll!NtMapViewOfSection + 6 77C24A92 4 Bytes [18, F0, E8, 6C]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3968] ntdll.dll!NtMapViewOfSection + B 77C24A97 1 Byte [E2]

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74CE76CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74D25B61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74CEB9D2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74CDF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74CE74A1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74CDE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74D38EE5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74CED910] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74CDFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74CDFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74CD71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74D6CE0E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74D0C5BC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74CDD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74CD6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74CD687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1488] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74CE2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19626_none_9e529e70ca15f963\gdiplus.dll

---- Devices - GMER 2.2 ----

AttachedDevice \Driver\tdx \Device\Tcp tcpipBM.sys
Device \Driver\USBSTOR \Device\00000065 sfsync02.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 sfsync02.sys
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys
Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys
Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-3 sfsync02.sys
Device \Driver\USBSTOR \Device\00000069 sfsync02.sys
Device \Driver\USBSTOR \Device\0000006a sfsync02.sys
Device \Driver\USBSTOR \Device\0000006b sfsync02.sys
Device \Driver\USBSTOR \Device\0000006c sfsync02.sys

---- Registry - GMER 2.2 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\ 1

---- Files - GMER 2.2 ----

File C:\Users\Admin\AppData\Local\Opera Software\Opera Stable\Cache\f_0076ce 20025 bytes
File C:\Users\Admin\AppData\Local\Opera Software\Opera Stable\Cache\f_0076cf 53012 bytes

---- EOF - GMER 2.2 ----