GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-09-23 21:08:29 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 ST3500320AS rev.SD15 465,76GB Running: cef929dg.exe; Driver: C:\Users\Dorota\AppData\Local\Temp\fwdirpog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x9345AACC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x9351731C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x9345B5AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x9346767A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x934676C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x93467860] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x934675E8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x935176F6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x93467630] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x93517986] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x9346781A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x9345C398] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x9345AB32] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwDuplicateObject [0x93517B74] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0x935173F4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwLoadDriver [0x9351478E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x935177D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x9345AB98] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x9345FFE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x9345CEDC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x934676A4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x934676E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x93467884] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x9346760E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x9345F4E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x93467798] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x93467658] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x9345F8CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x9346783E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x93517574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x9345CCF4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0x9345C84A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x9345ABFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x9345AC64] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x935178D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x9345A7B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x9345A98A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x9345A918] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x9345C562] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x9345C6C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x9345AA12] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x93517642] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x9345C1F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0x935147BE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x9345ACCA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x935174A6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x93517A70] INT 0x01 \??\C:\Users\Dorota\AppData\Local\Temp\fwdirpog.sys A627F50B ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 828BB758 4 Bytes [CC, AA, 45, 93] {INT 3 ; STOSB ; INC EBP; XCHG EBX, EAX} .text ntkrnlpa.exe!KeSetEvent + 131 828BB77C 4 Bytes [1C, 73, 51, 93] {SBB AL, 0x73; PUSH ECX; XCHG EBX, EAX} .text ntkrnlpa.exe!KeSetEvent + 191 828BB7DC 4 Bytes [AA, B5, 45, 93] {STOSB ; MOV CH, 0x45; XCHG EBX, EAX} .text ntkrnlpa.exe!KeSetEvent + 1D1 828BB81C 8 Bytes [7A, 76, 46, 93, C6, 76, 46, ...] .text ntkrnlpa.exe!KeSetEvent + 1DD 828BB828 4 Bytes [60, 78, 46, 93] {PUSHA ; JS 0x49; XCHG EBX, EAX} .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82A4900F 4 Bytes CALL 9345D5C3 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82A4CC83 4 Bytes CALL 9345D5D9 \SystemRoot\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F601000, 0x2BFBF0, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1680] kernel32.dll!SetUnhandledExceptionFilter 75F6A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!LdrLoadDll 77529378 5 Bytes JMP 00C001F8 .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!LdrUnloadDll 7753B680 5 Bytes JMP 00C003FC .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtCreateFile + 6 7756426A 4 Bytes [28, 10, BA, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtCreateFile + B 7756426F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtMapViewOfSection + 6 775649BA 4 Bytes [28, 13, BA, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtMapViewOfSection + B 775649BF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenFile + 6 77564A4A 4 Bytes [68, 10, BA, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenFile + B 77564A4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenProcess + 6 77564ACA 4 Bytes [A8, 11, BA, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenProcess + B 77564ACF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenProcessToken + B 77564ADF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenProcessTokenEx + 6 77564AEA 4 Bytes [A8, 12, BA, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenProcessTokenEx + B 77564AEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenThread + 6 77564B3A 4 Bytes [68, 11, BA, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenThread + B 77564B3F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenThreadToken + 6 77564B4A 4 Bytes [68, 12, BA, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenThreadToken + B 77564B4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtOpenThreadTokenEx + B 77564B5F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtQueryAttributesFile + 6 77564BEA 4 Bytes [A8, 10, BA, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtQueryAttributesFile + B 77564BEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtQueryFullAttributesFile + B 77564C9F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtSetInformationFile + 6 7756517A 4 Bytes [28, 11, BA, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtSetInformationFile + B 7756517F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtSetInformationThread + 6 775651CA 4 Bytes [28, 12, BA, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtSetInformationThread + B 775651CF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtUnmapViewOfSection + 6 7756546A 4 Bytes [68, 13, BA, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3088] ntdll.dll!NtUnmapViewOfSection + B 7756546F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!LdrLoadDll 77529378 3 Bytes JMP 005301F8 .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!LdrLoadDll + 4 7752937C 1 Byte [89] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!LdrUnloadDll 7753B680 5 Bytes JMP 005303FC .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtCreateFile + 6 7756426A 4 Bytes [28, E0, 49, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtCreateFile + B 7756426F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtMapViewOfSection + 6 775649BA 4 Bytes [28, E3, 49, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtMapViewOfSection + B 775649BF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenFile + 6 77564A4A 4 Bytes [68, E0, 49, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenFile + B 77564A4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenProcess + 6 77564ACA 4 Bytes [A8, E1, 49, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenProcess + B 77564ACF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenProcessToken + B 77564ADF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenProcessTokenEx + 6 77564AEA 4 Bytes [A8, E2, 49, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenProcessTokenEx + B 77564AEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenThread + 6 77564B3A 4 Bytes [68, E1, 49, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenThread + B 77564B3F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenThreadToken + 6 77564B4A 4 Bytes [68, E2, 49, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenThreadToken + B 77564B4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtOpenThreadTokenEx + B 77564B5F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtQueryAttributesFile + 6 77564BEA 4 Bytes [A8, E0, 49, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtQueryAttributesFile + B 77564BEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtQueryFullAttributesFile + B 77564C9F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtSetInformationFile + 6 7756517A 4 Bytes [28, E1, 49, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtSetInformationFile + B 7756517F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtSetInformationThread + 6 775651CA 4 Bytes [28, E2, 49, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtSetInformationThread + B 775651CF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtUnmapViewOfSection + 6 7756546A 4 Bytes [68, E3, 49, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3256] ntdll.dll!NtUnmapViewOfSection + B 7756546F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!LdrLoadDll 77529378 5 Bytes JMP 006F01F8 .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!LdrUnloadDll 7753B680 5 Bytes JMP 006F03FC .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtCreateFile + 6 7756426A 4 Bytes [28, 40, 6A, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtCreateFile + B 7756426F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtMapViewOfSection + 6 775649BA 4 Bytes [28, 43, 6A, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtMapViewOfSection + B 775649BF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenFile + 6 77564A4A 4 Bytes [68, 40, 6A, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenFile + B 77564A4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenProcess + 6 77564ACA 4 Bytes [A8, 41, 6A, 00] {TEST AL, 0x41; PUSH 0x0} .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenProcess + B 77564ACF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenProcessToken + B 77564ADF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenProcessTokenEx + 6 77564AEA 4 Bytes [A8, 42, 6A, 00] {TEST AL, 0x42; PUSH 0x0} .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenProcessTokenEx + B 77564AEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenThread + 6 77564B3A 4 Bytes [68, 41, 6A, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenThread + B 77564B3F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenThreadToken + 6 77564B4A 4 Bytes [68, 42, 6A, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenThreadToken + B 77564B4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtOpenThreadTokenEx + B 77564B5F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtQueryAttributesFile + 6 77564BEA 4 Bytes [A8, 40, 6A, 00] {TEST AL, 0x40; PUSH 0x0} .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtQueryAttributesFile + B 77564BEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtQueryFullAttributesFile + B 77564C9F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtSetInformationFile + 6 7756517A 4 Bytes [28, 41, 6A, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtSetInformationFile + B 7756517F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtSetInformationThread + 6 775651CA 4 Bytes [28, 42, 6A, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtSetInformationThread + B 775651CF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtUnmapViewOfSection + 6 7756546A 4 Bytes [68, 43, 6A, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3344] ntdll.dll!NtUnmapViewOfSection + B 7756546F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!LdrLoadDll 77529378 5 Bytes JMP 003C01F8 .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!LdrUnloadDll 7753B680 5 Bytes JMP 003C03FC .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtCreateFile + 6 7756426A 4 Bytes [28, 3C, 36, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtCreateFile + B 7756426F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtMapViewOfSection + 6 775649BA 4 Bytes [28, 3F, 36, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtMapViewOfSection + B 775649BF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenFile + 6 77564A4A 4 Bytes [68, 3C, 36, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenFile + B 77564A4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenProcess + 6 77564ACA 4 Bytes [A8, 3D, 36, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenProcess + B 77564ACF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenProcessToken + B 77564ADF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenProcessTokenEx + 6 77564AEA 4 Bytes [A8, 3E, 36, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenProcessTokenEx + B 77564AEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenThread + 6 77564B3A 4 Bytes [68, 3D, 36, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenThread + B 77564B3F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenThreadToken + 6 77564B4A 4 Bytes [68, 3E, 36, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenThreadToken + B 77564B4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtOpenThreadTokenEx + B 77564B5F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtQueryAttributesFile + 6 77564BEA 4 Bytes [A8, 3C, 36, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtQueryAttributesFile + B 77564BEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtQueryFullAttributesFile + B 77564C9F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtSetInformationFile + 6 7756517A 4 Bytes [28, 3D, 36, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtSetInformationFile + B 7756517F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtSetInformationThread + 6 775651CA 4 Bytes [28, 3E, 36, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtSetInformationThread + B 775651CF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtUnmapViewOfSection + 6 7756546A 4 Bytes [68, 3F, 36, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[3896] ntdll.dll!NtUnmapViewOfSection + B 7756546F 1 Byte [E2] .text C:\Program Files\Windows Defender\MSASCui.exe[4192] kernel32.dll!SetFileCompletionNotificationModes 75FCCE0F 5 Bytes JMP 100078E0 C:\Windows\system32\LavasoftTcpService.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4272] kernel32.dll!SetUnhandledExceptionFilter 75F6A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4272] kernel32.dll!SetFileCompletionNotificationModes 75FCCE0F 5 Bytes JMP 100078E0 C:\Windows\system32\LavasoftTcpService.dll .text C:\Users\Dorota\Desktop\cef929dg.exe[4420] kernel32.dll!SetFileCompletionNotificationModes 75FCCE0F 5 Bytes JMP 100078E0 .text C:\Program Files\BlueStacks\HD-Agent.exe[4452] KERNEL32.dll!SetFileCompletionNotificationModes 75FCCE0F 5 Bytes JMP 048078E0 C:\Windows\system32\LavasoftTcpService.dll .text C:\Program Files\Steam\Steam.exe[4472] kernel32.dll!SetFileCompletionNotificationModes 75FCCE0F 5 Bytes JMP 100078E0 C:\Windows\system32\LavasoftTcpService.dll .text C:\Program Files\ALLPlayer Remote\ALLPlayerRemoteControl.exe[4528] kernel32.dll!SetFileCompletionNotificationModes 75FCCE0F 5 Bytes JMP 100078E0 C:\Windows\system32\LavasoftTcpService.dll .text ... .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] ntdll.dll!LdrLoadDll 77529378 5 Bytes JMP 63981F42 C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\mozglue.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] ntdll.dll!NtCreateFile 77564264 5 Bytes JMP 57A56E2C C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] ntdll.dll!NtFlushBuffersFile 77564764 5 Bytes JMP 57A56CC7 C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] ntdll.dll!NtQueryFullAttributesFile 77564C94 5 Bytes JMP 57A56EAD C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] ntdll.dll!NtReadFile 77564EC4 5 Bytes JMP 57A56BA3 C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] ntdll.dll!NtReadFileScatter 77564ED4 5 Bytes JMP 57A56BEC C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] ntdll.dll!NtWriteFile 775654D4 5 Bytes JMP 57A56C35 C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] ntdll.dll!NtWriteFileGather 775654E4 5 Bytes JMP 57A56C7E C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] kernel32.dll!HeapSetInformation + 26 75F6A9B8 7 Bytes JMP 589FE562 C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] kernel32.dll!LockResource + C 75F86BD3 7 Bytes JMP 57A1EEC3 C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] kernel32.dll!VirtualAllocEx + 54 75F8B030 7 Bytes JMP 57A1EE7B C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] kernel32.dll!SetFileCompletionNotificationModes 75FCCE0F 5 Bytes JMP 100078E0 C:\Windows\system32\LavasoftTcpService.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] USER32.dll!GetWindowInfo 772E428E 5 Bytes JMP 583D662C C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Dorota\AppData\Local\GG\Application\ggapp.exe[5332] GDI32.dll!SetStretchBltMode + 256 7629745C 7 Bytes JMP 57A1EEEA C:\Users\Dorota\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Program Files\Opera\32.0.1948.25\opera.exe[5604] ntdll.dll!LdrLoadDll 77529378 5 Bytes JMP 000701F8 .text C:\Program Files\Opera\32.0.1948.25\opera.exe[5604] ntdll.dll!LdrUnloadDll 7753B680 5 Bytes JMP 000703FC .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[6628] kernel32.dll!SetFileCompletionNotificationModes 75FCCE0F 5 Bytes JMP 100078E0 C:\Windows\system32\LavasoftTcpService.dll .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!LdrLoadDll 77529378 5 Bytes JMP 00A301F8 .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!LdrUnloadDll 7753B680 5 Bytes JMP 00A303FC .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtCreateFile + 6 7756426A 4 Bytes [28, B4, 9D, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtCreateFile + B 7756426F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtMapViewOfSection + 6 775649BA 4 Bytes [28, B7, 9D, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtMapViewOfSection + B 775649BF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenFile + 6 77564A4A 4 Bytes [68, B4, 9D, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenFile + B 77564A4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenProcess + 6 77564ACA 4 Bytes [A8, B5, 9D, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenProcess + B 77564ACF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenProcessToken + B 77564ADF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenProcessTokenEx + 6 77564AEA 4 Bytes [A8, B6, 9D, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenProcessTokenEx + B 77564AEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenThread + 6 77564B3A 4 Bytes [68, B5, 9D, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenThread + B 77564B3F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenThreadToken + 6 77564B4A 4 Bytes [68, B6, 9D, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenThreadToken + B 77564B4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtOpenThreadTokenEx + B 77564B5F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtQueryAttributesFile + 6 77564BEA 4 Bytes [A8, B4, 9D, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtQueryAttributesFile + B 77564BEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtQueryFullAttributesFile + B 77564C9F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtSetInformationFile + 6 7756517A 4 Bytes [28, B5, 9D, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtSetInformationFile + B 7756517F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtSetInformationThread + 6 775651CA 4 Bytes [28, B6, 9D, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtSetInformationThread + B 775651CF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtUnmapViewOfSection + 6 7756546A 4 Bytes [68, B7, 9D, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[6876] ntdll.dll!NtUnmapViewOfSection + B 7756546F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!LdrLoadDll 77529378 5 Bytes JMP 009D01F8 .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!LdrUnloadDll 7753B680 5 Bytes JMP 009D03FC .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtCreateFile + 6 7756426A 4 Bytes [28, DC, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtCreateFile + B 7756426F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtMapViewOfSection + 6 775649BA 4 Bytes [28, DF, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtMapViewOfSection + B 775649BF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenFile + 6 77564A4A 4 Bytes [68, DC, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenFile + B 77564A4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenProcess + 6 77564ACA 4 Bytes [A8, DD, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenProcess + B 77564ACF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenProcessToken + B 77564ADF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenProcessTokenEx + 6 77564AEA 4 Bytes [A8, DE, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenProcessTokenEx + B 77564AEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenThread + 6 77564B3A 4 Bytes [68, DD, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenThread + B 77564B3F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenThreadToken + 6 77564B4A 4 Bytes [68, DE, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenThreadToken + B 77564B4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtOpenThreadTokenEx + B 77564B5F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtQueryAttributesFile + 6 77564BEA 4 Bytes [A8, DC, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtQueryAttributesFile + B 77564BEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtQueryFullAttributesFile + B 77564C9F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtSetInformationFile + 6 7756517A 4 Bytes [28, DD, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtSetInformationFile + B 7756517F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtSetInformationThread + 6 775651CA 4 Bytes [28, DE, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtSetInformationThread + B 775651CF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtUnmapViewOfSection + 6 7756546A 4 Bytes [68, DF, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7204] ntdll.dll!NtUnmapViewOfSection + B 7756546F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!LdrLoadDll 77529378 5 Bytes JMP 00EF01F8 .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!LdrUnloadDll 7753B680 5 Bytes JMP 00EF03FC .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtCreateFile + 6 7756426A 4 Bytes [28, BC, E5, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtCreateFile + B 7756426F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtMapViewOfSection + 6 775649BA 4 Bytes [28, BF, E5, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtMapViewOfSection + B 775649BF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenFile + 6 77564A4A 4 Bytes [68, BC, E5, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenFile + B 77564A4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenProcess + 6 77564ACA 4 Bytes [A8, BD, E5, 00] {TEST AL, 0xbd; IN EAX, 0x0} .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenProcess + B 77564ACF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenProcessToken + B 77564ADF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenProcessTokenEx + 6 77564AEA 4 Bytes [A8, BE, E5, 00] {TEST AL, 0xbe; IN EAX, 0x0} .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenProcessTokenEx + B 77564AEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenThread + 6 77564B3A 4 Bytes [68, BD, E5, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenThread + B 77564B3F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenThreadToken + 6 77564B4A 4 Bytes [68, BE, E5, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenThreadToken + B 77564B4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtOpenThreadTokenEx + B 77564B5F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtQueryAttributesFile + 6 77564BEA 4 Bytes [A8, BC, E5, 00] {TEST AL, 0xbc; IN EAX, 0x0} .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtQueryAttributesFile + B 77564BEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtQueryFullAttributesFile + B 77564C9F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtSetInformationFile + 6 7756517A 4 Bytes [28, BD, E5, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtSetInformationFile + B 7756517F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtSetInformationThread + 6 775651CA 4 Bytes [28, BE, E5, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtSetInformationThread + B 775651CF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtUnmapViewOfSection + 6 7756546A 4 Bytes [68, BF, E5, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[7360] ntdll.dll!NtUnmapViewOfSection + B 7756546F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!LdrLoadDll 77529378 5 Bytes JMP 009D01F8 .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!LdrUnloadDll 7753B680 5 Bytes JMP 009D03FC .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtCreateFile + 6 7756426A 4 Bytes [28, 04, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtCreateFile + B 7756426F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtMapViewOfSection + 6 775649BA 4 Bytes [28, 07, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtMapViewOfSection + B 775649BF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenFile + 6 77564A4A 4 Bytes [68, 04, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenFile + B 77564A4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenProcess + 6 77564ACA 4 Bytes [A8, 05, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenProcess + B 77564ACF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenProcessToken + B 77564ADF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenProcessTokenEx + 6 77564AEA 4 Bytes [A8, 06, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenProcessTokenEx + B 77564AEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenThread + 6 77564B3A 4 Bytes [68, 05, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenThread + B 77564B3F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenThreadToken + 6 77564B4A 4 Bytes [68, 06, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenThreadToken + B 77564B4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtOpenThreadTokenEx + B 77564B5F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtQueryAttributesFile + 6 77564BEA 4 Bytes [A8, 04, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtQueryAttributesFile + B 77564BEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtQueryFullAttributesFile + B 77564C9F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtSetInformationFile + 6 7756517A 4 Bytes [28, 05, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtSetInformationFile + B 7756517F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtSetInformationThread + 6 775651CA 4 Bytes [28, 06, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtSetInformationThread + B 775651CF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtUnmapViewOfSection + 6 7756546A 4 Bytes [68, 07, 97, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8064] ntdll.dll!NtUnmapViewOfSection + B 7756546F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!LdrLoadDll 77529378 5 Bytes JMP 006801F8 .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!LdrUnloadDll 7753B680 5 Bytes JMP 006803FC .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtCreateFile + 6 7756426A 4 Bytes [28, 04, 62, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtCreateFile + B 7756426F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtMapViewOfSection + 6 775649BA 4 Bytes [28, 07, 62, 00] {SUB [EDI], AL; BOUND EAX, [EAX]} .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtMapViewOfSection + B 775649BF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenFile + 6 77564A4A 4 Bytes [68, 04, 62, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenFile + B 77564A4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenProcess + 6 77564ACA 4 Bytes [A8, 05, 62, 00] {TEST AL, 0x5; BOUND EAX, [EAX]} .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenProcess + B 77564ACF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenProcessToken + B 77564ADF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenProcessTokenEx + 6 77564AEA 4 Bytes [A8, 06, 62, 00] {TEST AL, 0x6; BOUND EAX, [EAX]} .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenProcessTokenEx + B 77564AEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenThread + 6 77564B3A 4 Bytes [68, 05, 62, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenThread + B 77564B3F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenThreadToken + 6 77564B4A 4 Bytes [68, 06, 62, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenThreadToken + B 77564B4F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtOpenThreadTokenEx + B 77564B5F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtQueryAttributesFile + 6 77564BEA 4 Bytes [A8, 04, 62, 00] {TEST AL, 0x4; BOUND EAX, [EAX]} .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtQueryAttributesFile + B 77564BEF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtQueryFullAttributesFile + B 77564C9F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtSetInformationFile + 6 7756517A 4 Bytes [28, 05, 62, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtSetInformationFile + B 7756517F 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtSetInformationThread + 6 775651CA 4 Bytes [28, 06, 62, 00] {SUB [ESI], AL; BOUND EAX, [EAX]} .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtSetInformationThread + B 775651CF 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtUnmapViewOfSection + 6 7756546A 4 Bytes [68, 07, 62, 00] .text C:\Program Files\Opera\32.0.1948.25\opera.exe[8104] ntdll.dll!NtUnmapViewOfSection + B 7756546F 1 Byte [E2] .text C:\Program Files\BlueStacks\HD-Adb.exe[8160] kernel32.dll!SetFileCompletionNotificationModes 75FCCE0F 5 Bytes JMP 100078E0 C:\Windows\system32\LavasoftTcpService.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [743A7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [743E5EFD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [743ABB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7439F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [743A75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7439E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [743F92D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [743ADA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7439FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7439FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [743971CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7442CB4F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [743CC840] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7439D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74396853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7439687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [743A2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp aswTdi.sys AttachedDevice \Driver\tdx \Device\Udp aswTdi.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\sfzone_profile 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\sfzone_profile\Default 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\sfzone_profile\Default\Extension Rules 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\sfzone_profile\Default\Extension Rules\000001.dbtmp 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\sfzone_profile\Default\Extension Rules\LOCK 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\sfzone_profile\Default\Extension Rules\LOG 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\sfzone_profile\Default\Extension Rules\MANIFEST-000001 41 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\sfzone_profile\Default\Top Sites 20480 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\sfzone_profile\Default\Top Sites-journal 512 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\Users\Dorota 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\Users\Dorota\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\Users\Dorota\AppData\Local 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\C\Users\Dorota\AppData\Local\Temp 0 bytes File C:\avast! sandbox\S-1-5-21-1113750723-2783305751-3862205039-1000\sfzone\snx_fs.dat 1926 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG1 13312 bytes File C:\avast! sandbox\snx_rhive.LOG2 0 bytes File C:\avast! sandbox\snx_rhive{8264c0c6-61d1-11e5-9c99-002215f2ecb7}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{8264c0c6-61d1-11e5-9c99-002215f2ecb7}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{8264c0c6-61d1-11e5-9c99-002215f2ecb7}.TMContainer00000000000000000002.regtrans-ms 524288 bytes ---- EOF - GMER 2.1 ----