GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-23 22:18:03 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 rev. 0,00MB Running: wp3kg036.exe; Driver: C:\Users\JAREK\AppData\Local\Temp\ugloypow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB1F4DAD6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xAF570806] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAlpcSendWaitReceivePort [0xB1F5083A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB1F4E5B4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB1F5A6B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB1F5A704] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB1F5A89E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB1F5A626] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0xAF570BE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB1F5A66E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0xAF570E70] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB1F5A858] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB1F4F3A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB1F4DB3C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwDuplicateObject [0xAF57105E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xAF5708DE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwLoadDriver [0xAF56DA6E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xAF570CC0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB1F4DBA2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB1F52FE8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB1F4FEE6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB1F5A6E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB1F5A726] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB1F5A8C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB1F5A64C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB1F524EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB1F5A7D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB1F5A696] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB1F528D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB1F5A87C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xAF570A5E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB1F4FCFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB1F4F854] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwReplyWaitReceivePort [0xB1F54F0E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwReplyWaitReceivePortEx [0xB1F5080E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB1F4DC08] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB1F4DC6E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0xAF570DBC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB1F4D7C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB1F4D994] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB1F4D922] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB1F4F56C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB1F4F6CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB1F4DA1C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0xAF570B2C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB1F4F1FC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xAF56DA9E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB1F4DCD4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0xAF570990] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0xAF570F5A] INT 0x51 ? A3F727D0 INT 0x52 ? A4465CD0 INT 0x61 ? A3F72A50 INT 0x62 ? A23062D0 INT 0x72 ? A2306550 INT 0x82 ? A2306A50 INT 0x92 ? A4465050 INT 0xA0 ? A44657D0 INT 0xA1 ? A3F72550 INT 0xB0 ? A4465A50 INT 0xB1 ? A2306CD0 INT 0xB2 ? A23067D0 INT 0xB3 ? A4465550 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10D E30F3790 4 Bytes [D6, DA, F4, B1] .text ntkrnlpa.exe!KeSetEvent + 131 E30F37B4 4 Bytes [06, 08, 57, AF] {PUSH ES; OR [EDI-0x51], DL} .text ntkrnlpa.exe!KeSetEvent + 181 E30F3804 4 Bytes [3A, 08, F5, B1] .text ntkrnlpa.exe!KeSetEvent + 191 E30F3814 4 Bytes [B4, E5, F4, B1] .text ntkrnlpa.exe!KeSetEvent + 1D1 E30F3854 8 Bytes [B8, A6, F5, B1, 04, A7, F5, ...] .text ... .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0xA754C774] .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xCCF7F300, 0x3AE88, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xCCFC2300, 0x1B7E, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1536] kernel32.dll!SetUnhandledExceptionFilter 76D1A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!LdrLoadDll 77A39358 5 Bytes JMP 00CE01F8 .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!LdrUnloadDll 77A4B630 5 Bytes JMP 00CE03FC .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtCreateFile + 6 77A741C6 4 Bytes [28, D4, C8, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtCreateFile + B 77A741CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtMapViewOfSection + 6 77A74916 4 Bytes [28, D7, C8, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtMapViewOfSection + B 77A7491B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenFile + 6 77A749A6 4 Bytes [68, D4, C8, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenFile + B 77A749AB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenProcess + 6 77A74A26 4 Bytes [A8, D5, C8, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenProcess + B 77A74A2B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenProcessToken + 6 77A74A36 4 Bytes CALL 76A81310 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenProcessToken + B 77A74A3B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenProcessTokenEx + 6 77A74A46 4 Bytes [A8, D6, C8, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenProcessTokenEx + B 77A74A4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenThread + 6 77A74A96 4 Bytes [68, D5, C8, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenThread + B 77A74A9B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenThreadToken + 6 77A74AA6 4 Bytes [68, D6, C8, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenThreadToken + B 77A74AAB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenThreadTokenEx + 6 77A74AB6 4 Bytes CALL 76A81391 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtOpenThreadTokenEx + B 77A74ABB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtQueryAttributesFile + 6 77A74B46 4 Bytes [A8, D4, C8, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtQueryAttributesFile + B 77A74B4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtQueryFullAttributesFile + 6 77A74BF6 4 Bytes CALL 76A814CF C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtQueryFullAttributesFile + B 77A74BFB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtSetInformationFile + 6 77A750D6 4 Bytes [28, D5, C8, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtSetInformationFile + B 77A750DB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtSetInformationThread + 6 77A75126 4 Bytes [28, D6, C8, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtSetInformationThread + B 77A7512B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtUnmapViewOfSection + 6 77A753C6 4 Bytes [68, D7, C8, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[1680] ntdll.dll!NtUnmapViewOfSection + B 77A753CB 1 Byte [E2] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3484] kernel32.dll!SetUnhandledExceptionFilter 76D1A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[3604] kernel32.dll!LoadLibraryExW 76D19374 7 Bytes JMP 00D5F182 C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4180] ntdll.dll!LdrLoadDll 77A39358 5 Bytes JMP 000701F8 .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4180] ntdll.dll!LdrUnloadDll 77A4B630 5 Bytes JMP 000703FC .text C:\Program Files\CCleaner\CCleaner.exe[4300] USER32.dll!SetScrollRange 76BFD185 5 Bytes JMP 011D8919 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4300] USER32.dll!GetScrollInfo 76BFF073 5 Bytes JMP 011D88AC C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4300] USER32.dll!ShowScrollBar 76BFF8AE 5 Bytes JMP 011D88DF C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4300] USER32.dll!SetScrollInfo 76C071D8 5 Bytes JMP 011D8950 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4300] USER32.dll!EnableScrollBar 76C1AF53 5 Bytes JMP 011D8984 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4300] USER32.dll!GetScrollPos 76C2337D 2 Bytes JMP 011D8887 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4300] USER32.dll!GetScrollPos + 3 76C23380 2 Bytes [5B, 8A] .text C:\Program Files\CCleaner\CCleaner.exe[4300] USER32.dll!GetScrollRange 76C234A5 5 Bytes JMP 011D884F C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4300] USER32.dll!SetScrollPos 76C23602 5 Bytes JMP 011D882A C:\Program Files\CCleaner\CCleaner.exe .text C:\HDD Reg\HDD Regenerator.exe[4368] kernel32.dll!VirtualProtect 76CF1DC3 5 Bytes JMP 00B16091 C:\HDD Reg\HDD Regenerator.exe .text C:\HDD Reg\HDD Regenerator.exe[4368] kernel32.dll!OutputDebugStringA 76D303D4 5 Bytes JMP 00B1605B C:\HDD Reg\HDD Regenerator.exe .text C:\HDD Reg\HDD Regenerator.exe[4404] kernel32.dll!VirtualProtect 76CF1DC3 5 Bytes JMP 00B16091 C:\HDD Reg\HDD Regenerator.exe .text C:\HDD Reg\HDD Regenerator.exe[4404] kernel32.dll!OutputDebugStringA 76D303D4 5 Bytes JMP 00B1605B C:\HDD Reg\HDD Regenerator.exe .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!LdrLoadDll 77A39358 5 Bytes JMP 00CD01F8 .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!LdrUnloadDll 77A4B630 5 Bytes JMP 00CD03FC .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtCreateFile + 6 77A741C6 4 Bytes [28, B0, C7, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtCreateFile + B 77A741CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtMapViewOfSection + 6 77A74916 4 Bytes [28, B3, C7, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtMapViewOfSection + B 77A7491B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenFile + 6 77A749A6 4 Bytes [68, B0, C7, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenFile + B 77A749AB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenProcess + 6 77A74A26 4 Bytes [A8, B1, C7, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenProcess + B 77A74A2B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenProcessToken + 6 77A74A36 4 Bytes CALL 76A811EC C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenProcessToken + B 77A74A3B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenProcessTokenEx + 6 77A74A46 4 Bytes [A8, B2, C7, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenProcessTokenEx + B 77A74A4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenThread + 6 77A74A96 4 Bytes [68, B1, C7, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenThread + B 77A74A9B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenThreadToken + 6 77A74AA6 4 Bytes [68, B2, C7, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenThreadToken + B 77A74AAB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenThreadTokenEx + 6 77A74AB6 4 Bytes CALL 76A8126D C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtOpenThreadTokenEx + B 77A74ABB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtQueryAttributesFile + 6 77A74B46 4 Bytes [A8, B0, C7, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtQueryAttributesFile + B 77A74B4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtQueryFullAttributesFile + 6 77A74BF6 4 Bytes CALL 76A813AB C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtQueryFullAttributesFile + B 77A74BFB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtSetInformationFile + 6 77A750D6 4 Bytes [28, B1, C7, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtSetInformationFile + B 77A750DB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtSetInformationThread + 6 77A75126 4 Bytes [28, B2, C7, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtSetInformationThread + B 77A7512B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtUnmapViewOfSection + 6 77A753C6 4 Bytes [68, B3, C7, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4416] ntdll.dll!NtUnmapViewOfSection + B 77A753CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!LdrLoadDll 77A39358 5 Bytes JMP 007301F8 .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!LdrUnloadDll 77A4B630 5 Bytes JMP 007303FC .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtCreateFile + 6 77A741C6 4 Bytes [28, 74, 21, 00] {SUB [ECX+0x0], DH} .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtCreateFile + B 77A741CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtMapViewOfSection + 6 77A74916 4 Bytes [28, 77, 21, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtMapViewOfSection + B 77A7491B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenFile + 6 77A749A6 4 Bytes [68, 74, 21, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenFile + B 77A749AB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenProcess + 6 77A74A26 4 Bytes [A8, 75, 21, 00] {TEST AL, 0x75; AND [EAX], EAX} .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenProcess + B 77A74A2B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenProcessToken + B 77A74A3B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenProcessTokenEx + 6 77A74A46 4 Bytes [A8, 76, 21, 00] {TEST AL, 0x76; AND [EAX], EAX} .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenProcessTokenEx + B 77A74A4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenThread + 6 77A74A96 4 Bytes [68, 75, 21, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenThread + B 77A74A9B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenThreadToken + 6 77A74AA6 4 Bytes [68, 76, 21, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenThreadToken + B 77A74AAB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtOpenThreadTokenEx + B 77A74ABB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtQueryAttributesFile + 6 77A74B46 4 Bytes [A8, 74, 21, 00] {TEST AL, 0x74; AND [EAX], EAX} .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtQueryAttributesFile + B 77A74B4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtQueryFullAttributesFile + B 77A74BFB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtSetInformationFile + 6 77A750D6 4 Bytes [28, 75, 21, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtSetInformationFile + B 77A750DB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtSetInformationThread + 6 77A75126 4 Bytes [28, 76, 21, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtSetInformationThread + B 77A7512B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtUnmapViewOfSection + 6 77A753C6 4 Bytes [68, 77, 21, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4424] ntdll.dll!NtUnmapViewOfSection + B 77A753CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!LdrLoadDll 77A39358 5 Bytes JMP 008F01F8 .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!LdrUnloadDll 77A4B630 5 Bytes JMP 008F03FC .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtCreateFile + 6 77A741C6 4 Bytes [28, 8C, 89, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtCreateFile + B 77A741CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtMapViewOfSection + 6 77A74916 4 Bytes [28, 8F, 89, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtMapViewOfSection + B 77A7491B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenFile + 6 77A749A6 4 Bytes [68, 8C, 89, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenFile + B 77A749AB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenProcess + 6 77A74A26 4 Bytes [A8, 8D, 89, 00] {TEST AL, 0x8d; MOV [EAX], EAX} .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenProcess + B 77A74A2B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenProcessToken + B 77A74A3B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenProcessTokenEx + 6 77A74A46 4 Bytes [A8, 8E, 89, 00] {TEST AL, 0x8e; MOV [EAX], EAX} .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenProcessTokenEx + B 77A74A4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenThread + 6 77A74A96 4 Bytes [68, 8D, 89, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenThread + B 77A74A9B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenThreadToken + 6 77A74AA6 4 Bytes [68, 8E, 89, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenThreadToken + B 77A74AAB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtOpenThreadTokenEx + B 77A74ABB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtQueryAttributesFile + 6 77A74B46 4 Bytes [A8, 8C, 89, 00] {TEST AL, 0x8c; MOV [EAX], EAX} .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtQueryAttributesFile + B 77A74B4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtQueryFullAttributesFile + B 77A74BFB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtSetInformationFile + 6 77A750D6 4 Bytes [28, 8D, 89, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtSetInformationFile + B 77A750DB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtSetInformationThread + 6 77A75126 4 Bytes [28, 8E, 89, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtSetInformationThread + B 77A7512B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtUnmapViewOfSection + 6 77A753C6 4 Bytes [68, 8F, 89, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4452] ntdll.dll!NtUnmapViewOfSection + B 77A753CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!LdrLoadDll 77A39358 5 Bytes JMP 003501F8 .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!LdrUnloadDll 77A4B630 5 Bytes JMP 003503FC .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtCreateFile + 6 77A741C6 4 Bytes [28, A4, 2F, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtCreateFile + B 77A741CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtMapViewOfSection + 6 77A74916 4 Bytes [28, A7, 2F, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtMapViewOfSection + B 77A7491B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenFile + 6 77A749A6 4 Bytes [68, A4, 2F, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenFile + B 77A749AB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenProcess + 6 77A74A26 4 Bytes [A8, A5, 2F, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenProcess + B 77A74A2B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenProcessToken + B 77A74A3B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenProcessTokenEx + 6 77A74A46 4 Bytes [A8, A6, 2F, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenProcessTokenEx + B 77A74A4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenThread + 6 77A74A96 4 Bytes [68, A5, 2F, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenThread + B 77A74A9B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenThreadToken + 6 77A74AA6 4 Bytes [68, A6, 2F, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenThreadToken + B 77A74AAB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtOpenThreadTokenEx + B 77A74ABB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtQueryAttributesFile + 6 77A74B46 4 Bytes [A8, A4, 2F, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtQueryAttributesFile + B 77A74B4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtQueryFullAttributesFile + B 77A74BFB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtSetInformationFile + 6 77A750D6 4 Bytes [28, A5, 2F, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtSetInformationFile + B 77A750DB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtSetInformationThread + 6 77A75126 4 Bytes [28, A6, 2F, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtSetInformationThread + B 77A7512B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtUnmapViewOfSection + 6 77A753C6 4 Bytes [68, A7, 2F, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[4464] ntdll.dll!NtUnmapViewOfSection + B 77A753CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!LdrLoadDll 77A39358 5 Bytes JMP 009E01F8 .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!LdrUnloadDll 77A4B630 5 Bytes JMP 009E03FC .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtCreateFile + 6 77A741C6 4 Bytes [28, F0, 98, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtCreateFile + B 77A741CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtMapViewOfSection + 6 77A74916 4 Bytes [28, F3, 98, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtMapViewOfSection + B 77A7491B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenFile + 6 77A749A6 4 Bytes [68, F0, 98, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenFile + B 77A749AB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenProcess + 6 77A74A26 4 Bytes [A8, F1, 98, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenProcess + B 77A74A2B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenProcessToken + B 77A74A3B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenProcessTokenEx + 6 77A74A46 4 Bytes [A8, F2, 98, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenProcessTokenEx + B 77A74A4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenThread + 6 77A74A96 4 Bytes [68, F1, 98, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenThread + B 77A74A9B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenThreadToken + 6 77A74AA6 4 Bytes [68, F2, 98, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenThreadToken + B 77A74AAB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtOpenThreadTokenEx + B 77A74ABB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtQueryAttributesFile + 6 77A74B46 4 Bytes [A8, F0, 98, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtQueryAttributesFile + B 77A74B4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtQueryFullAttributesFile + B 77A74BFB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtSetInformationFile + 6 77A750D6 4 Bytes [28, F1, 98, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtSetInformationFile + B 77A750DB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtSetInformationThread + 6 77A75126 4 Bytes [28, F2, 98, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtSetInformationThread + B 77A7512B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtUnmapViewOfSection + 6 77A753C6 4 Bytes [68, F3, 98, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[5736] ntdll.dll!NtUnmapViewOfSection + B 77A753CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!LdrLoadDll 77A39358 5 Bytes JMP 00DC01F8 .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!LdrUnloadDll 77A4B630 5 Bytes JMP 00DC03FC .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtCreateFile + 6 77A741C6 4 Bytes [28, 4C, D2, 00] {SUB [EDX+EDX*8+0x0], CL} .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtCreateFile + B 77A741CB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtMapViewOfSection + 6 77A74916 4 Bytes [28, 4F, D2, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtMapViewOfSection + B 77A7491B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenFile + 6 77A749A6 4 Bytes [68, 4C, D2, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenFile + B 77A749AB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenProcess + 6 77A74A26 4 Bytes [A8, 4D, D2, 00] {TEST AL, 0x4d; ROL [EAX], CL} .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenProcess + B 77A74A2B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenProcessToken + 6 77A74A36 4 Bytes CALL 76A81C88 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenProcessToken + B 77A74A3B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenProcessTokenEx + 6 77A74A46 4 Bytes [A8, 4E, D2, 00] {TEST AL, 0x4e; ROL [EAX], CL} .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenProcessTokenEx + B 77A74A4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenThread + 6 77A74A96 4 Bytes [68, 4D, D2, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenThread + B 77A74A9B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenThreadToken + 6 77A74AA6 4 Bytes [68, 4E, D2, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenThreadToken + B 77A74AAB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenThreadTokenEx + 6 77A74AB6 4 Bytes CALL 76A81D09 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtOpenThreadTokenEx + B 77A74ABB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtQueryAttributesFile + 6 77A74B46 4 Bytes [A8, 4C, D2, 00] {TEST AL, 0x4c; ROL [EAX], CL} .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtQueryAttributesFile + B 77A74B4B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtQueryFullAttributesFile + 6 77A74BF6 4 Bytes CALL 76A81E47 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtQueryFullAttributesFile + B 77A74BFB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtSetInformationFile + 6 77A750D6 4 Bytes [28, 4D, D2, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtSetInformationFile + B 77A750DB 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtSetInformationThread + 6 77A75126 4 Bytes [28, 4E, D2, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtSetInformationThread + B 77A7512B 1 Byte [E2] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtUnmapViewOfSection + 6 77A753C6 4 Bytes [68, 4F, D2, 00] .text C:\Program Files\Opera\32.0.1948.31\opera.exe[6120] ntdll.dll!NtUnmapViewOfSection + B 77A753CB 1 Byte [E2] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74677817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [746CA6CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7467BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7466F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746775E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7466E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [746A8305] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7467DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7466FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7466FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746671CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [746FCC10] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7469C840] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7466D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74666853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7466687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll IAT C:\Windows\Explorer.EXE[3632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74672AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19466_none_9e569fe0ca125e1d\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs A19581F8 AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys Device \Driver\usbuhci \Device\USBPDO-0 A3F50440 Device \Driver\usbuhci \Device\USBPDO-1 A3F50440 Device \Driver\usbuhci \Device\USBPDO-2 A3F50440 Device \Driver\usbehci \Device\USBPDO-3 A40DE440 Device \Driver\usbuhci \Device\USBPDO-4 A3F50440 Device \Driver\tdx \Device\Tcp aswStmXP.sys AttachedDevice \Driver\tdx \Device\Tcp aswRdr.sys Device \Driver\usbuhci \Device\USBPDO-5 A3F50440 Device \Driver\usbuhci \Device\USBPDO-6 A3F50440 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 ngvss.sys Device \Driver\usbehci \Device\USBPDO-7 A40DE440 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 ngvss.sys Device \Driver\cdrom \Device\CdRom0 A40A31F8 Device \Driver\iaStor \Device\Ide\iaStor0 [A76AD8D0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [A76AD8D0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [A76AD8D0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 ngvss.sys Device \Driver\tdx \Device\RawIp6 aswStmXP.sys Device \Driver\tdx \Device\Tcp6 aswStmXP.sys Device \Driver\netbt \Device\NetBt_Wins_Export A5CFF1F8 Device \Driver\Smb \Device\NetbiosSmb A5CD01F8 Device \Driver\tdx \Device\Tdx aswStmXP.sys Device \Driver\iScsiPrt \Device\RaidPort0 A408A440 Device \Driver\tdx \Device\Udp aswStmXP.sys Device \Driver\tdx \Device\RawIp aswStmXP.sys Device \Driver\netbt \Device\NetBT_Tcpip_{11BBDBD4-8923-49E8-88ED-A4B4138BD30C} A5CFF1F8 Device \Driver\usbuhci \Device\USBFDO-0 A3F50440 Device \Driver\usbuhci \Device\USBFDO-1 A3F50440 Device \Driver\tdx \Device\Udp6 aswStmXP.sys Device \Driver\usbuhci \Device\USBFDO-2 A3F50440 Device \Driver\usbehci \Device\USBFDO-3 A40DE440 Device \Driver\usbuhci \Device\USBFDO-4 A3F50440 Device \Driver\usbuhci \Device\USBFDO-5 A3F50440 Device \Driver\usbuhci \Device\USBFDO-6 A3F50440 Device \Driver\usbehci \Device\USBFDO-7 A40DE440 Device \Driver\netbt \Device\NetBT_Tcpip_{B0484594-EE3D-4ED8-A675-68B130935E62} A5CFF1F8 Device \FileSystem\cdfs \Cdfs D5AD61F8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556c2603e Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556c2603e@c065999d06dc 0x7E 0xF5 0xD1 0xFF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556c2603e@44d4e0aca059 0xE1 0x9C 0x9B 0x33 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\002556c2603e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\002556c2603e@c065999d06dc 0x7E 0xF5 0xD1 0xFF ... Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\002556c2603e@44d4e0aca059 0xE1 0x9C 0x9B 0x33 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior ---- EOF - GMER 2.1 ----