GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-14 02:17:44
Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD16 rev.11.0 149,05GB
Running: 1fdqjtkk.exe; Driver: C:\Users\Mako\AppData\Local\Temp\kxldypog.sys

---- System - GMER 2.1 ----

SSDT 875A66A8 ZwAlertResumeThread
SSDT 875A6768 ZwAlertThread
SSDT 875A6F38 ZwAllocateVirtualMemory
SSDT 86F1D590 ZwAlpcConnectPort
SSDT 8702D6B8 ZwAssignProcessToJobObject
SSDT 8702D008 ZwCreateMutant
SSDT 8702D438 ZwCreateSymbolicLinkObject
SSDT 8696D560 ZwCreateThread
SSDT 8702D778 ZwDebugActiveProcess
SSDT 876483E0 ZwDuplicateObject
SSDT 875A6D98 ZwFreeVirtualMemory
SSDT 875A6528 ZwImpersonateAnonymousToken
SSDT 875A65E8 ZwImpersonateThread
SSDT 8702D8F8 ZwLoadDriver
SSDT 875A6CB8 ZwMapViewOfSection
SSDT 8702DB38 ZwOpenEvent
SSDT 8715D2B0 ZwOpenProcess
SSDT 87648320 ZwOpenProcessToken
SSDT 8702D9B8 ZwOpenSection
SSDT 876484B0 ZwOpenThread
SSDT 8702D5E8 ZwProtectVirtualMemory
SSDT 8702D368 ZwQueueApcThread
SSDT 8702D298 ZwReadVirtualMemory
SSDT 875A6828 ZwResumeThread
SSDT 875A6A68 ZwSetContextThread
SSDT 875A6B28 ZwSetInformationProcess
SSDT 8702D838 ZwSetSystemInformation
SSDT 8702DA78 ZwSuspendProcess
SSDT 875A68E8 ZwSuspendThread
SSDT 8745EC90 ZwTerminateProcess
SSDT 875A69A8 ZwTerminateThread
SSDT 875A6BF8 ZwUnmapViewOfSection
SSDT 875A6E68 ZwWriteVirtualMemory
SSDT 8702D508 ZwCreateThreadEx

Code \??\C:\Windows\system32\drivers\mbamchameleon.sys (Malwarebytes Chameleon Protection Driver/Malwarebytes Corporation) KeInsertQueueApc

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!KeInsertQueueApc 820614B3 5 Bytes JMP 8CFD0BEE \??\C:\Windows\system32\drivers\mbamchameleon.sys (Malwarebytes Chameleon Protection Driver/Malwarebytes Corporation)
.text ntkrnlpa.exe!KeSetTimerEx + 350 820D79A4 8 Bytes [A8, 66, 5A, 87, 68, 67, 5A, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 364 820D79B8 4 Bytes [38, 6F, 5A, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 370 820D79C4 4 Bytes [90, D5, F1, 86]
.text ntkrnlpa.exe!KeSetTimerEx + 3C4 820D7A18 4 Bytes [B8, D6, 02, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 428 820D7A7C 4 Bytes [08, D0, 02, 87]
.text ...

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtCreateFile + 6 779D800E 4 Bytes [28, D8, 1B, 00] {SUB AL, BL; SBB EAX, [EAX]}
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtCreateFile + B 779D8013 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtMapViewOfSection + 6 779D875E 4 Bytes [28, DB, 1B, 00] {SUB BL, BL; SBB EAX, [EAX]}
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtMapViewOfSection + B 779D8763 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenFile + 6 779D87EE 4 Bytes [68, D8, 1B, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenFile + B 779D87F3 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenProcess + 6 779D886E 4 Bytes [A8, D9, 1B, 00] {TEST AL, 0xd9; SBB EAX, [EAX]}
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenProcess + B 779D8873 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenProcessToken + B 779D8883 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenProcessTokenEx + 6 779D888E 4 Bytes [A8, DA, 1B, 00] {TEST AL, 0xda; SBB EAX, [EAX]}
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenProcessTokenEx + B 779D8893 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenThread + 6 779D88DE 4 Bytes [68, D9, 1B, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenThread + B 779D88E3 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenThreadToken + 6 779D88EE 4 Bytes [68, DA, 1B, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenThreadToken + B 779D88F3 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtOpenThreadTokenEx + B 779D8903 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtQueryAttributesFile + 6 779D898E 4 Bytes [A8, D8, 1B, 00] {TEST AL, 0xd8; SBB EAX, [EAX]}
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtQueryAttributesFile + B 779D8993 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtQueryFullAttributesFile + B 779D8A43 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtSetInformationFile + 6 779D8F1E 4 Bytes [28, D9, 1B, 00] {SUB CL, BL; SBB EAX, [EAX]}
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtSetInformationFile + B 779D8F23 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtSetInformationThread + 6 779D8F6E 4 Bytes [28, DA, 1B, 00] {SUB DL, BL; SBB EAX, [EAX]}
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtSetInformationThread + B 779D8F73 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtUnmapViewOfSection + 6 779D920E 4 Bytes [68, DB, 1B, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] ntdll.dll!NtUnmapViewOfSection + B 779D9213 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtCreateFile + 6 779D800E 4 Bytes [28, C4, 5F, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtCreateFile + B 779D8013 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtMapViewOfSection + 6 779D875E 4 Bytes [28, C7, 5F, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtMapViewOfSection + B 779D8763 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenFile + 6 779D87EE 4 Bytes [68, C4, 5F, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenFile + B 779D87F3 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenProcess + 6 779D886E 4 Bytes [A8, C5, 5F, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenProcess + B 779D8873 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenProcessToken + B 779D8883 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenProcessTokenEx + 6 779D888E 4 Bytes [A8, C6, 5F, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenProcessTokenEx + B 779D8893 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenThread + 6 779D88DE 4 Bytes [68, C5, 5F, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenThread + B 779D88E3 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenThreadToken + 6 779D88EE 4 Bytes [68, C6, 5F, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenThreadToken + B 779D88F3 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtOpenThreadTokenEx + B 779D8903 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtQueryAttributesFile + 6 779D898E 4 Bytes [A8, C4, 5F, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtQueryAttributesFile + B 779D8993 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtQueryFullAttributesFile + B 779D8A43 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtSetInformationFile + 6 779D8F1E 4 Bytes [28, C5, 5F, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtSetInformationFile + B 779D8F23 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtSetInformationThread + 6 779D8F6E 4 Bytes [28, C6, 5F, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtSetInformationThread + B 779D8F73 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtUnmapViewOfSection + 6 779D920E 4 Bytes [68, C7, 5F, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] ntdll.dll!NtUnmapViewOfSection + B 779D9213 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtCreateFile + 6 779D800E 4 Bytes [28, 10, 42, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtCreateFile + B 779D8013 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtMapViewOfSection + 6 779D875E 4 Bytes [28, 13, 42, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtMapViewOfSection + B 779D8763 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenFile + 6 779D87EE 4 Bytes [68, 10, 42, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenFile + B 779D87F3 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenProcess + 6 779D886E 4 Bytes [A8, 11, 42, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenProcess + B 779D8873 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenProcessToken + B 779D8883 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenProcessTokenEx + 6 779D888E 4 Bytes [A8, 12, 42, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenProcessTokenEx + B 779D8893 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenThread + 6 779D88DE 4 Bytes [68, 11, 42, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenThread + B 779D88E3 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenThreadToken + 6 779D88EE 4 Bytes [68, 12, 42, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenThreadToken + B 779D88F3 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtOpenThreadTokenEx + B 779D8903 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtQueryAttributesFile + 6 779D898E 4 Bytes [A8, 10, 42, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtQueryAttributesFile + B 779D8993 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtQueryFullAttributesFile + B 779D8A43 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtSetInformationFile + 6 779D8F1E 4 Bytes [28, 11, 42, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtSetInformationFile + B 779D8F23 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtSetInformationThread + 6 779D8F6E 4 Bytes [28, 12, 42, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtSetInformationThread + B 779D8F73 1 Byte [E2]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtUnmapViewOfSection + 6 779D920E 4 Bytes [68, 13, 42, 00]
.text C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] ntdll.dll!NtUnmapViewOfSection + B 779D9213 1 Byte [E2]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Opera\30.0.1835.59\opera.exe[2116] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00210010
IAT C:\Program Files\Opera\30.0.1835.59\opera.exe[3364] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00610010
IAT C:\Program Files\Opera\30.0.1835.59\opera.exe[3740] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00440010

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- Processes - GMER 2.1 ----

Process (*** hidden *** ) [4] 841FCC10

---- EOF - GMER 2.1 ----