GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-11 17:54:18
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.ES2O 298,09GB
Running: ux3hp8lk.exe; Driver: C:\DOCUME~1\Paulina\USTAWI~1\Temp\awtdqaod.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwAssignProcessToJobObject [0x9A05BC40]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x9A05BF80]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDebugActiveProcess [0x9A05C240]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDuplicateObject [0x9A05BD60]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x9A05C040]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenProcess [0x9A05BAE0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenThread [0x9A05BBA0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwProtectVirtualMemory [0x9A05BD00]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwQueueApcThread [0x9A05BDC0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetContextThread [0x9A05BCC0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetInformationThread [0x9A05BC80]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSecurityObject [0x9A05BE00]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x9A05C000]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendProcess [0x9A05BB40]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendThread [0x9A05BBC0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x9A05BFC0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateProcess [0x9A05BB00]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateThread [0x9A05BC00]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwWriteVirtualMemory [0x9A05BD80]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [40, BB, 05, 9A, C0, BB, 05, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[356] kernel32.dll!SetUnhandledExceptionFilter 7C8449B5 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, C0, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, C3, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, C0, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, C1, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, C2, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, C1, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, C2, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, C0, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, C1, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, C2, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, C3, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[1348] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 0C, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 0F, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 0C, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 0D, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 0E, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 0D, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 0E, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 0C, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 0D, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 0E, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 0F, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2176] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 3C, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 3F, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 3C, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 3D, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 3E, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 3D, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 3E, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 3C, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 3D, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 3E, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 3F, 07, 03]
.text C:\Program Files\Opera\20.0.1387.64\opera.exe[2416] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys

---- Threads - GMER 2.1 ----

Thread System [4:1556] 832EDF50

---- EOF - GMER 2.1 ----