GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-26 05:02:53 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path1Target1Lun0 ST350041 rev.CC37 465,76GB Running: y1c9nl40.exe; Driver: C:\DOCUME~1\user\USTAWI~1\Temp\kgqcqaob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xABC28AD6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xAD35483C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xABC295B4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xABC6F6A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xABC356B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xABC35704] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xABC3589E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xABC6F054] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xABC35626] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xABC35748] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xABC3566E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xABC29AEA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xABC35858] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xABC2A3A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xABC28B3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xABC6FD66] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xABC7001C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xABC2DBF2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xABC6FBD1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xABC6FA3C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xAD354914] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xABC28728] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xAD354CF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xABC28BA2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xABC2DFE8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xABC2AEE6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xABC356E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xABC35726] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xABC358C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xABC6F3B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xABC3564C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xABC2D4EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xABC357D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xABC35696] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xABC2D8D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xABC3587C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xAD354A94] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xABC6F8B7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xABC2ACFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xABC6F709] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xABC2A854] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xAD362B28] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xAD3634EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xABC6E697] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xABC28C08] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xABC28C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xABC2A21C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xABC287C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xABC28994] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xABC6FE6D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xABC28922] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xABC2A56C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xABC2A6CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xABC28A1C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xABC2A05A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xABC2A1FC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xAD351AD4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xABC28CD4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xABC29610] INT 0x73 ? 8ACC1CB8 INT 0x83 ? 8ACC1CB8 INT 0xB4 ? 8AB0BCB8 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2CA4 80504540 8 Bytes [EA, 9A, C2, AB, 58, 58, C3, ...] {JMP FAR 0xc358:0x58abc29a; STOSD } .text ntkrnlpa.exe!ZwCallbackReturn + 2D8C 80504628 8 Bytes [E8, DF, C2, AB, E6, AE, C2, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2DB8 80504654 4 Bytes [EA, D4, C2, AB] .text ntkrnlpa.exe!ZwCallbackReturn + 2F1D 805047B9 11 Bytes [8C, C2, AB, 6E, 8C, C2, AB, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2FC4 80504860 12 Bytes [6C, A5, C2, AB, CE, A6, C2, ...] {INS BYTE [ES:EDI], DX; MOVSD ; RET 0xceab; CMPSB ; RET 0x1cab; MOV AL, DL; STOSD } PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A646E 4 Bytes CALL ABC2B5B7 \SystemRoot\system32\drivers\aswSnx.sys .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF7361FEE] .xreloc C:\WINDOWS\system32\drivers\sfsync04.sys unknown last section [0xF7272000, 0xC5E, 0x40000040] .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF60A9000, 0x1E2E7A, 0xE8000020] ? C:\WINDOWS\System32\Drivers\aknkz47l.SYS suspicious PE modification ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1404] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 1C, 17, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 1F, 17, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 1C, 17, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 1D, 17, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED36 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 1E, 17, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 1D, 17, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 1E, 17, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EDA7 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 1C, 17, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EED5 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 1D, 17, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 1E, 17, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 1F, 17, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 005301F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1476] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 005303FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 70, 61, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 73, 61, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 70, 61, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 71, 61, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91378A .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 72, 61, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 71, 61, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 72, 61, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B9137FB .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 70, 61, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B913929 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 71, 61, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 72, 61, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 73, 61, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008F01F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1628] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 008F03FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1808] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003C01F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1808] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 003C03FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, B4, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, B7, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, B4, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, B5, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B9125CE .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, B6, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, B5, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, B6, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91263F .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, B4, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91276D .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, B5, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, B6, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, B7, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007D01F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[1956] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 007D03FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 34, C6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 37, C6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 34, C6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 35, C6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B919C4E .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 36, C6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 35, C6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 36, C6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B919CBF .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 34, C6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B919DED .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 35, C6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 36, C6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 37, C6, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00F401F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3188] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00F403FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 7C, 4F, 00] {SUB [EDI+ECX*2+0x0], BH} .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 7F, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 7C, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 7D, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B912596 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 7E, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 7D, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 7E, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B912607 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 7C, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B912735 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 7D, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 7E, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 7F, 4F, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007D01F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[3420] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 007D03FC .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3568] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 48, 78, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 4B, 78, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 48, 78, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 49, 78, 00] {TEST AL, 0x49; JS 0x4} .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B914E62 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 4A, 78, 00] {TEST AL, 0x4a; JS 0x4} .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 49, 78, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 4A, 78, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B914ED3 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 48, 78, 00] {TEST AL, 0x48; JS 0x4} .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B915001 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 49, 78, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 4A, 78, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 4B, 78, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A601F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[4300] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A603FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, C9, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, C9, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, C9, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, C9, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B919F1A .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, C9, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, C9, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, C9, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B919F8B .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, C9, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91A0B9 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, C9, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, C9, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, C9, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00F701F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5236] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00F703FC .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, D8, 91, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, DB, 91, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, D8, 91, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, D9, 91, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B9167F2 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, DA, 91, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, D9, 91, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, DA, 91, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B916863 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, D8, 91, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B916991 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, D9, 91, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, DA, 91, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, DB, 91, 00] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BF01F8 .text C:\Program Files\Opera\30.0.1835.140_0\opera.exe[5692] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00BF03FC ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8AC8D1F8 Device \FileSystem\Fastfat \FatCdrom 8A7EB1F8 Device \Driver\Tcpip \Device\Ip aswStmXP.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{56A33ABA-E170-40AE-8CAA-289810A630A0} 8A23A1F8 Device \Driver\usbohci \Device\USBPDO-0 8AB231F8 Device \Driver\usbehci \Device\USBPDO-1 8AB4C1F8 Device \Driver\Tcpip \Device\Tcp aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys Device \Driver\PCI_PNP4594 \Device\00000049 sptd.sys Device \Driver\PCI_PNP4594 \Device\00000049 sptd.sys Device \Driver\atapi \Device\Ide\IdePort0 [F7232B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F7232B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl 8AA5B1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 8A23A1F8 Device \Driver\NetBT \Device\NetbiosSmb 8A23A1F8 Device \Driver\Tcpip \Device\Udp aswStmXP.sys Device \Driver\Tcpip \Device\RawIp aswStmXP.sys Device \Driver\usbohci \Device\USBFDO-0 8AB231F8 Device \Driver\usbehci \Device\USBFDO-1 8AB4C1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 894F81F8 Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys Device \FileSystem\MRxSmb \Device\LanmanRedirector 894F81F8 Device \Driver\nvgts \Device\Scsi\nvgts1Port2Path1Target1Lun0 8AC8E1F8 Device \Driver\aknkz47l \Device\Scsi\aknkz47l1 8AA8E1F8 Device \Driver\nvgts \Device\Scsi\nvgts1 8AC8E1F8 Device \Driver\nvgts \Device\Scsi\nvgts2 8AC8E1F8 Device \FileSystem\Fastfat \Fat 8A7EB1F8 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ac93f48]<< 8ac93f48 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac0b030] 8ac0b030 Trace 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ac31920] 8ac31920 Trace 5 ACPI.sys[f728a620] -> nt!IofCallDriver -> \Device\Scsi\nvgts1Port2Path1Target1Lun0[0x8ac31a38] 8ac31a38 Trace \Driver\nvgts[0x8ac56f38] -> IRP_MJ_CREATE -> 0x8ac8e1f8 8ac8e1f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6F 0x0B 0xF8 0xDB ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA3 0xE8 0x67 0x4E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x73 0x69 0xD4 0x32 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x64 0x29 0x21 0x5C ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6F 0x0B 0xF8 0xDB ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x09 0x28 0xF2 0x65 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x73 0x69 0xD4 0x32 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x64 0x29 0x21 0x5C ... ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\Documents and Settings 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\Documents and Settings\user 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\Documents and Settings\user\Ustawienia lokalne 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\Documents and Settings\user\Ustawienia lokalne\Temp 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\chrome_shutdown_ms.txt 4 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Network Action Predictor 5120 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache\data_0 8192 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache\data_1 270336 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache\data_2 8192 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache\data_3 8192 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cache\index 524656 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cookies 6144 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Cookies-journal 1544 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Current Session 3653 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State\000003.log 569 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State\CURRENT 16 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State\LOCK 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State\LOG 47 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Extension State\MANIFEST-000002 50 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Favicons 20480 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Favicons-journal 512 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\History 94208 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\History Provider Cache 6 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\History-journal 512 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Local Extension Settings 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Local Storage 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage 3072 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Login Data 12288 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Login Data-journal 512 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Network Action Predictor-journal 1544 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Preferences 2130 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Secure Preferences 18853 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Shortcuts 12288 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Shortcuts-journal 512 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Top Sites 20480 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Top Sites-journal 12824 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Visited Links 131072 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Web Data 71680 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Default\Web Data-journal 4624 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\Local State 5708 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\C\sfzone_profile\pnacl 0 bytes File C:\avast! sandbox\S-1-5-21-790525478-1004336348-725345543-1004\sfzone\snx_fs.dat 6858 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG 1024 bytes ---- EOF - GMER 2.1 ----