GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-07-23 17:13:03 Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Maxtor_6L160M0 rev.BACE1G10 152,67GB Running: m57g1hli.exe; Driver: C:\DOCUME~1\User\USTAWI~1\Temp\kgddyaog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xEE44BA9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xEE44C57A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xEE49085D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xEE4585C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xEE458610] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xEE4587AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xEE490211] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xEE458532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xEE458654] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xEE45857A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xEE44CAB0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xEE458764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xEE44D368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xEE44BB02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xEE490F23] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xEE4911D9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xEE450B3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xEE490D8E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xEE490BF9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xEE44B6EE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xEE7717A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xEE44BB68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xEE450F32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xEE44DE50] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xEE4585EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xEE458632] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xEE4587CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xEE49056D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xEE458558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xEE450436] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xEE4586E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xEE4585A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xEE45081E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xEE458788] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xEE771546] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xEE490A74] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xEE44DCC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xEE4908C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xEE44D81A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xEE77F4F6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xEE48F857] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xEE44BBCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xEE44BC34] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xEE44D1E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xEE44B788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xEE44B95A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xEE49102A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xEE44B8E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xEE44D532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xEE44D694] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xEE44B9E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xEE44D020] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xEE44D1C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xEE44BC9A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xEE44C5D6] INT 0x62 ? 867DABF8 INT 0x74 ? 86561BF8 INT 0x74 ? 86561BF8 INT 0x74 ? 86561BF8 INT 0x74 ? 86561BF8 INT 0x74 ? 86561BF8 INT 0x74 ? 86561BF8 INT 0x82 ? 867DABF8 INT 0x94 ? 867DABF8 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2678 8050137C 12 Bytes [CE, BB, 44, EE, 34, BC, 44, ...] {INTO ; MOV EBX, 0xbc34ee44; INC ESP; OUT DX, AL; LOOP 0xffffffdb; INC ESP; OUT DX, AL} .text ntkrnlpa.exe!ZwCallbackReturn + 2710 80501414 4 Bytes [E8, B8, 44, EE] .text ntkrnlpa.exe!ZwCallbackReturn + 2720 80501424 12 Bytes [32, D5, 44, EE, 94, D6, 44, ...] {XOR DL, CH; INC ESP; OUT DX, AL; XCHG ESP, EAX; SALC ; INC ESP; OUT DX, AL; LOOP 0xffffffc3; INC ESP; OUT DX, AL} PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 8059A312 4 Bytes CALL EE44E4FD \SystemRoot\system32\drivers\aswSnx.sys ? sphg.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6E07000, 0x1C5D38, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\alg.exe[140] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[140] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[360] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[360] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[444] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\acs.exe[480] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\acs.exe[480] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[536] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[536] KERNEL32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\BonanzaDealsLive\Update\BonanzaDealsLive.exe[696] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\BonanzaDealsLive\Update\BonanzaDealsLive.exe[696] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\Java\jre6\bin\jqs.exe[824] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Java\jre6\bin\jqs.exe[824] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\WJATH\AthServer.exe[868] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\WJATH\AthServer.exe[868] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B27B60 C:\Program Files\Ray Adams\ATI Tray Tools\raphook.dll .text C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\WJATH\AthServer.exe[868] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[932] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[932] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1148] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1148] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1192] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1192] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1212] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1212] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Documents and Settings\User\Pulpit\m57g1hli.exe[1312] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Documents and Settings\User\Pulpit\m57g1hli.exe[1312] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10007B60 C:\Program Files\Ray Adams\ATI Tray Tools\raphook.dll .text C:\Documents and Settings\User\Pulpit\m57g1hli.exe[1312] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 54, 20, 03] {SUB [EAX+0x3], DL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 57, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 54, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 55, 20, 03] {TEST AL, 0x55; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 56, 20, 03] {TEST AL, 0x56; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 55, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 56, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 54, 20, 03] {TEST AL, 0x54; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 55, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 56, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 57, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 035D01F8 .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 035D03FC .text C:\Program Files\Opera\23.0.1522.60\opera.exe[1332] KERNEL32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1380] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1380] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1684] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1684] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1756] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe[1896] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe[1896] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1940] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1940] kernel32.dll!SetUnhandledExceptionFilter 7C810386 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1940] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2120] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2120] kernel32.dll!SetUnhandledExceptionFilter 7C810386 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2120] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 08, 20, 03] {SUB [EAX], CL; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 0B, 20, 03] {SUB [EBX], CL; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 08, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 09, 20, 03] {TEST AL, 0x9; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 0A, 20, 03] {TEST AL, 0xa; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 09, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 0A, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 08, 20, 03] {TEST AL, 0x8; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 09, 20, 03] {SUB [ECX], CL; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 0A, 20, 03] {SUB [EDX], CL; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 0B, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 035D01F8 .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 035D03FC .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2156] KERNEL32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera_crashreporter.exe[2436] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera_crashreporter.exe[2436] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2576] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2576] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10007B60 C:\Program Files\Ray Adams\ATI Tray Tools\raphook.dll .text C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2576] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2708] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 003B01F8 .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2708] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2708] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 003B03FC .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2708] KERNEL32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 032B7B60 C:\Program Files\Ray Adams\ATI Tray Tools\raphook.dll .text C:\Program Files\Opera\23.0.1522.60\opera.exe[2708] KERNEL32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[2808] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[2808] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3572] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 003B01F8 .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3572] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3572] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 003B03FC .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3572] KERNEL32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 032B7B60 C:\Program Files\Ray Adams\ATI Tray Tools\raphook.dll .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3572] KERNEL32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[3724] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[3724] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[3892] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[3892] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, AC, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, AF, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, AC, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, AD, 20, 03] {TEST AL, 0xad; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, AE, 20, 03] {TEST AL, 0xae; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, AD, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, AE, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, AC, 20, 03] {TEST AL, 0xac; AND [EBX], AL} .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, AD, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, AE, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, AF, 20, 03] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 035D01F8 .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 035D03FC .text C:\Program Files\Opera\23.0.1522.60\opera.exe[3996] KERNEL32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1192] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002 IAT C:\WINDOWS\system32\services.exe[1192] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 867D91F8 Device \Driver\sptd \Device\2723435014 sphg.sys AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{19F1AFA9-EEBD-43FB-8F5A-18654D8437FB} 863D5500 Device \Driver\usbuhci \Device\USBPDO-0 864881F8 Device \Driver\usbuhci \Device\USBPDO-1 864881F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 8676E1F8 Device \Driver\dmio \Device\DmControl\DmConfig 8676E1F8 Device \Driver\dmio \Device\DmControl\DmPnP 8676E1F8 Device \Driver\dmio \Device\DmControl\DmInfo 8676E1F8 Device \Driver\usbuhci \Device\USBPDO-2 864881F8 Device \Driver\usbuhci \Device\USBPDO-3 864881F8 Device \Driver\usbehci \Device\USBPDO-4 865491F8 AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys Device \Driver\prodrv06 \Device\ProDrv06 E1A68008 Device \Driver\Ftdisk \Device\HarddiskVolume1 867DB1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 867DB1F8 Device \Driver\Cdrom \Device\CdRom0 8648C1F8 Device \Driver\atapi \Device\Ide\IdePort0 867DA1F8 Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 867DA1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys Device \Driver\atapi \Device\Ide\IdePort1 867DA1F8 Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys Device \Driver\atapi \Device\Ide\IdePort2 867DA1F8 Device \Driver\atapi \Device\Ide\IdePort2 prosync1.sys Device \Driver\atapi \Device\Ide\IdePort3 867DA1F8 Device \Driver\atapi \Device\Ide\IdePort3 prosync1.sys Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 867DA1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e prosync1.sys Device \Driver\Cdrom \Device\CdRom1 8648C1F8 Device \Driver\prohlp02 \Device\ProHlp02 E101ED70 Device \Driver\NetBT \Device\NetBt_Wins_Export 863D5500 Device \Driver\NetBT \Device\NetbiosSmb 863D5500 Device \Driver\PCI_PNP3764 \Device\0000004c sphg.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys Device \Driver\usbuhci \Device\USBFDO-0 864881F8 Device \Driver\usbuhci \Device\USBFDO-1 864881F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8633B500 Device \Driver\usbuhci \Device\USBFDO-2 864881F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8633B500 Device \Driver\usbuhci \Device\USBFDO-3 864881F8 Device \Driver\usbehci \Device\USBFDO-4 865491F8 Device \Driver\Ftdisk \Device\FtControl 867DB1F8 Device \Driver\ahjve2ko \Device\Scsi\ahjve2ko1Port4Path0Target0Lun0 862DF1F8 Device \Driver\ahjve2ko \Device\Scsi\ahjve2ko1 862DF1F8 Device \FileSystem\Cdfs \Cdfs 86300408 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys prosync1.sys hal.dll >>UNKNOWN [0x867da1f8]<< 867da1f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8663eab8] 8663eab8 Trace 3 CLASSPNP.SYS[f765105b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x866e7b00] 866e7b00 Trace \Driver\atapi[0x866e88a8] -> IRP_MJ_CREATE -> 0x867da1f8 867da1f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA6 0x21 0xA6 0x6F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4E 0xF6 0xF9 0xCF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0A 0x98 0x21 0xC2 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x09 0x93 0xD4 0x1E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA6 0x21 0xA6 0x6F ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4E 0xF6 0xF9 0xCF ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0A 0x98 0x21 0xC2 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x09 0x93 0xD4 0x1E ... ---- EOF - GMER 2.1 ----