GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-15 22:03:40 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001e ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB Running: uogqem3s.exe; Driver: C:\Users\acer\AppData\Local\Temp\pxldapob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe892c132f 8 bytes [50, 6E, 15, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffe892c1421 8 bytes [40, 6E, 15, FF, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffe892c16b0 8 bytes [20, 6E, 15, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffe892c1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe892c230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe89366260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe89366560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe893665c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe89366800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe89366960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe89367770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe89367d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe89368fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 0000000055b61462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 0000000055b616b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 0000000055b617eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000055b6181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[3964] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000055b61857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe892c132f 8 bytes [50, 6E, 63, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffe892c1421 8 bytes [40, 6E, 63, FE, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffe892c16b0 8 bytes [20, 6E, 63, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffe892c1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe892c230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe89366260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe89366560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe893665c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe89366800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe89366960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe89367770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe89367d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe89368fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 0000000055b61462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 0000000055b616b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 0000000055b617eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000055b6181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6844] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000055b61857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe892c132f 8 bytes [50, 6E, 93, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffe892c1421 8 bytes [40, 6E, 93, FE, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffe892c16b0 8 bytes [20, 6E, 93, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffe892c1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe892c230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe89366260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe89366560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe893665c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe89366800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe89366960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe89367770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe89367d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe89368fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 0000000055b61462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 0000000055b616b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 0000000055b617eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000055b6181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[5664] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000055b61857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe892c132f 8 bytes [50, 6E, 65, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffe892c1421 8 bytes [40, 6E, 65, FF, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffe892c16b0 8 bytes [20, 6E, 65, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffe892c1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe892c230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe89366260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe89366560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe893665c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe89366800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe89366960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe89367770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe89367d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe89368fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 0000000055b61462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 0000000055b616b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 0000000055b617eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000055b6181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[6800] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000055b61857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe892c132f 8 bytes [50, 6E, 2A, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffe892c1421 8 bytes [40, 6E, 2A, FF, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffe892c16b0 8 bytes [20, 6E, 2A, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffe892c1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe892c230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe89366260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe89366560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe893665c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe89366800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe89366960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe89367770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe89367d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe89368fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 0000000055b61462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 0000000055b616b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 0000000055b617eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000055b6181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[2168] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000055b61857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe892c132f 8 bytes [50, 6E, FB, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffe892c1421 8 bytes [40, 6E, FB, FE, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffe892c16b0 8 bytes [20, 6E, FB, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffe892c1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe892c230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe89366260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe89366560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe893665c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe89366800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe89366960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe89367770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe89367d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe89368fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 0000000055b61462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 0000000055b616b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 0000000055b617eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000055b6181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[1700] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000055b61857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe892c132f 8 bytes [50, 6E, 68, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffe892c1421 8 bytes [40, 6E, 68, FF, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffe892c16b0 8 bytes [20, 6E, 68, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffe892c1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe892c230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe89366260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe89366560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe893665c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe89366800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe89366960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe89367770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe89367d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe89368fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 0000000055b61462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 0000000055b616b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 0000000055b617eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000055b6181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Opera\42.0.2393.94\opera.exe[4652] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000055b61857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [8348] entry point in ".rdata" section 000000006dfef7c0 ---- Threads - GMER 2.2 ---- Thread System [4:5716] fffff80b14596900 Thread C:\WINDOWS\system32\csrss.exe [888:1392] ffff904af33a6c20 ---- Services - GMER 2.2 ---- Service C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe (*** hidden *** ) [MANUAL] Disc Soft Lite Bus Service <-- ROOTKIT !!! ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{69BB4934-7449-411F-9F75-3A670B0268CC}\Connection@Name isatap.{7FB674E1-3228-4D18-98B4-973624A8FB98} Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1087404337 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a4db3071fd9b Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{69BB4934-7449-411F-9F75-3A670B0268CC}@InterfaceName isatap.{7FB674E1-3228-4D18-98B4-973624A8FB98} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{69BB4934-7449-411F-9F75-3A670B0268CC}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{69BB4934-7449-411F-9F75-3A670B0268CC}@DefunctTimestamp 0xCB 0xD3 0x7B 0x58 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 5020 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 2214 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7fb674e1-3228-4d18-98b4-973624a8fb98}@LeaseObtainedTime 1484512105 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7fb674e1-3228-4d18-98b4-973624a8fb98}@T1 1484512376 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7fb674e1-3228-4d18-98b4-973624a8fb98}@T2 1484512601 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7fb674e1-3228-4d18-98b4-973624a8fb98}@LeaseTerminatesTime 1484512705 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x18 0x7F 0x9C 0xDF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x18 0xE7 0x60 0x41 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x18 0x17 0xD8 0x7D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Group _Early-Launch Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@ImagePath \SystemRoot\system32\drivers\WdBoot.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot Reg HKLM\SYSTEM\CurrentControlSet\Services\WdFilter@ImagePath \SystemRoot\system32\drivers\WdFilter.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\WdFilter@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\WdFilter Reg HKLM\SYSTEM\CurrentControlSet\Services\WinDefend@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\WinDefend Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Count 3517 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Steam\Steam.exe? Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7B81E9E3-99D9-4708-8D30-17D332FA944B}@LastAccessedTime 0x10 0xFE 0xBB 0xBE ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7B81E9E3-99D9-4708-8D30-17D332FA944B}@LaunchCount 2 ---- EOF - GMER 2.2 ----