GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-05-09 21:42:20 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500YD-01NVB1 rev.10.02E01 233,76GB Running: gmer.exe; Driver: C:\DOCUME~1\Dorota\USTAWI~1\Temp\pwliqpow.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwAdjustPrivilegesToken [0xA6C62090] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwConnectPort [0xA6C62040] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateProcess [0xA6C62020] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateProcessEx [0xA6C62030] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateSection [0xA6C62000] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateSymbolicLinkObject [0xA6C62190] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateThread [0xA6C620F0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDebugActiveProcess [0xA6C62130] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDeleteKey [0xA6C62280] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDeleteValueKey [0xA6C622A0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDeviceIoControlFile [0xA6C622F0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDuplicateObject [0xA6C62160] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwEnumerateKey [0xA6C622B0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwEnumerateValueKey [0xA6C622C0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwLoadDriver [0xA6C62140] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwLoadKey [0xA6C62240] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwLoadKey2 [0xA6C62250] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwMapViewOfSection [0xA6C62170] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenProcess [0xA6C62070] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenSection [0xA6C62060] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenThread [0xA6C62080] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwPlugPlayControl [0xA6C621A0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwProtectVirtualMemory [0xA6C620B0] SSDT 
\SystemRoot\system32\DRIVERS\klhk.sys ZwQueryIntervalProfile [0xA6C62560] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueryKey [0xA6C622D0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueryMultipleValueKey [0xA6C62290] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueryValueKey [0xA6C62270] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueueApcThread [0xA6C62110] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwRenameKey [0xA6C622E0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwReplaceKey [0xA6C62230] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwRequestWaitReplyPort [0xA6C621E0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwRestoreKey [0xA6C62220] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwResumeProcess [0xA6C62580] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwResumeThread [0xA6C621B0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSaveKey [0xA6C621F0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSaveKeyEx [0xA6C62200] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSaveMergedKeys [0xA6C62210] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSecureConnectPort [0xA6C62050] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetContextThread [0xA6C62100] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetInformationObject [0xA6C620A0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetInformationToken [0xA6C62010] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetSystemInformation [0xA6C62150] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetValueKey [0xA6C62260] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSuspendProcess [0xA6C621D0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSuspendThread [0xA6C621C0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSystemDebugControl [0xA6C62120] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwTerminateProcess [0xA6C620C0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwTerminateThread [0xA6C620D0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwUnmapViewOfSection [0xA6C62180] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwWriteVirtualMemory [0xA6C620E0] ---- Kernel code 
sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2E0C 805046F4 12 Bytes [40, 21, C6, A6, 40, 22, C6, ...] {INC EAX; AND ESI, EAX; CMPSB ; INC EAX; AND AL, DH; CMPSB ; PUSH EAX; AND AL, DH; CMPSB } .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 805048A0 28 Bytes [20, 22, C6, A6, 80, 25, C6, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [D0, 21, C6, A6, C0, 21, C6, ...] ---- User code sections - GMER 2.2 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe[816] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe[816] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 6A352DF0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe[816] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe[816] C:\WINDOWS\system32\ADVAPI32.dll time/date stamp mismatch; unknown module: WINTRUST.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe[816] USER32.dll!AlignRects 7E362978 4 Bytes [60, 40, 35, 6A] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe[816] USER32.dll!AlignRects 7E362A78 4 Bytes [10, 40, 35, 6A] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 78, F5, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 7B, F5, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 78, F5, 00] .text C:\Program 
Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 79, F5, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91CB92 .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 7A, F5, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 79, F5, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 7A, F5, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91CC03 .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 78, F5, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91CD31 .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program 
Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 79, F5, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 7A, F5, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 7B, F5, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[996] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\CCleaner\CCleaner.exe[1200] USER32.dll!SetScrollInfo 7E369056 5 Bytes JMP 00507DB3 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1200] USER32.dll!GetScrollInfo 7E37DFE2 5 Bytes JMP 00507CFD C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1200] USER32.dll!ShowScrollBar 7E37F2F2 5 Bytes JMP 00507D36 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1200] USER32.dll!GetScrollPos 7E37F704 5 Bytes JMP 00507CD2 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1200] USER32.dll!SetScrollPos 7E37F750 5 Bytes JMP 00507C69 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1200] USER32.dll!GetScrollRange 7E37F787 5 Bytes JMP 00507C94 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1200] USER32.dll!SetScrollRange 7E37F99B 5 Bytes JMP 00507D76 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1200] USER32.dll!EnableScrollBar 7E3B8005 5 Bytes JMP 00507DED C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, EC, 7A, 00] {SUB AH, CH; 
JP 0x4} .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, EF, 7A, 00] {SUB BH, CH; JP 0x4} .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, EC, 7A, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, ED, 7A, 00] {TEST AL, 0xed; JP 0x4} .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B915106 .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, EE, 7A, 00] {TEST AL, 0xee; JP 0x4} .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, ED, 7A, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, EE, 7A, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B915177 .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] 
ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, EC, 7A, 00] {TEST AL, 0xec; JP 0x4} .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9152A5 .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, ED, 7A, 00] {SUB CH, CH; JP 0x4} .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, EE, 7A, 00] {SUB DH, CH; JP 0x4} .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, EF, 7A, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[1852] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, F0, 05, 01] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, F3, 05, 01] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, F0, 05, 01] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenFile + 
B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, F1, 05, 01] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91DC0A .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, F2, 05, 01] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, F1, 05, 01] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, F2, 05, 01] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91DC7B .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, F0, 05, 01] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91DDA9 .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] 
ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, F1, 05, 01] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, F2, 05, 01] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, F3, 05, 01] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2092] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avpui.exe[2472] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avpui.exe[2472] C:\WINDOWS\system32\user32.dll time/date stamp mismatch; unknown module: MSIMG32.dll unknown module: POWRPROF.dll unknown module: WINSTA.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avpui.exe[2472] user32.dll!AlignRects 7E362978 4 Bytes [60, 40, 35, 6A] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avpui.exe[2472] user32.dll!AlignRects 7E362A78 4 Bytes [10, 40, 35, 6A] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avpui.exe[2472] user32.dll!MoveWindow + A3 7E37B341 5 Bytes JMP 6A354E30 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avpui.exe[2472] user32.dll!UnhookWinEvent + 25 7E3818D1 5 Bytes JMP 6A354DB0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avpui.exe[2472] user32.dll!SetMenu + 1B 7E39F411 2 Bytes JMP 6A354930 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\ushata.dll .text 
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avpui.exe[2472] user32.dll!SetMenu + 1E 7E39F414 2 Bytes [FB, EB] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avpui.exe[2472] user32.dll!GetRawInputDeviceInfoW + 10 7E3A6568 5 Bytes JMP 6A3549C0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avpui.exe[2472] user32.dll!GetRawInputDeviceInfoW + 68 7E3A65C0 5 Bytes JMP 6A354C00 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avpui.exe[2472] user32.dll!GetRawInputDeviceInfoA + C1 7E3BAFCE 5 Bytes JMP 6A354B70 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\ushata.dll .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, C0, 16, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, C3, 16, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, C0, 16, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, C1, 16, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ECDA .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program 
Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, C2, 16, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, C1, 16, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, C2, 16, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED4B .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, C0, 16, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EE79 .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, C1, 16, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, C2, 16, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 
4 Bytes [68, C3, 16, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[2676] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 78, EF, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 7B, EF, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 78, EF, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 79, EF, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91C592 .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 7A, EF, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 79, EF, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 7A, EF, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text 
C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91C603 .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 78, EF, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91C731 .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 79, EF, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 7A, EF, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 7B, EF, 00] .text C:\Program Files\Opera\36.0.2130.65\opera.exe[3340] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] ---- Devices - GMER 2.2 ---- AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys AttachedDevice \Driver\Tcpip \Device\Ip kltdi.sys AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys AttachedDevice \Driver\Tcpip \Device\Tcp kltdi.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys AttachedDevice \Driver\Tcpip \Device\Udp kltdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys AttachedDevice \Driver\Tcpip \Device\RawIp kltdi.sys 
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys ---- Registry - GMER 2.2 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2893A52B-8B45-71B7-46CE-51C560D10AB7} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2893A52B-8B45-71B7-46CE-51C560D10AB7}@iabcejdadbnkcelgpo 0x6B 0x61 0x6B 0x65 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2893A52B-8B45-71B7-46CE-51C560D10AB7}@hahckjgnhnedcpco 0x6B 0x61 0x6B 0x65 ... ---- EOF - GMER 2.2 ----