GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-03-19 11:21:32
Windows 6.1.7601 Service Pack 1 x64
\Device\Harddisk0\DR0 -> \Device\0000005f TOSHIBA_ rev.AX0P 931,51GB
Running: 936up9r8.exe; Driver: C:\Users\Adam\AppData\Local\Temp\aftcqaow.sys


---- User code sections - GMER 2.2 ----

.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076c91401 2 bytes JMP 759ab233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076c91419 2 bytes JMP 759ab35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076c91431 2 bytes JMP 75a29011 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076c9144a 2 bytes CALL 759848ad C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                         * 9
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076c914dd 2 bytes JMP 75a2890a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076c914f5 2 bytes JMP 75a28ae0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076c9150d 2 bytes JMP 75a28800 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076c91525 2 bytes JMP 75a28bca C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076c9153d 2 bytes JMP 7599fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076c91555 2 bytes JMP 759a6907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076c9156d 2 bytes JMP 75a290c9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076c91585 2 bytes JMP 75a28c2a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076c9159d 2 bytes JMP 75a287c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076c915b5 2 bytes JMP 7599fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076c915cd 2 bytes JMP 759ab2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076c916b2 2 bytes JMP 75a28f8c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076c916bd 2 bytes JMP 75a28759 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  0000000074b911a8 2 bytes [B9, 74]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248  0000000074b9127d 2 bytes CALL 759814c9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 395  0000000074b91310 2 bytes CALL 759814c9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21  0000000074b913a8 2 bytes [B9, 74]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21  0000000074b91422 2 bytes [B9, 74]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19  0000000074b91498 2 bytes [B9, 74]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076c91401 2 bytes JMP 759ab233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076c91419 2 bytes JMP 759ab35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076c91431 2 bytes JMP 75a29011 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076c9144a 2 bytes CALL 759848ad C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                         * 9
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076c914dd 2 bytes JMP 75a2890a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076c914f5 2 bytes JMP 75a28ae0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076c9150d 2 bytes JMP 75a28800 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076c91525 2 bytes JMP 75a28bca C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076c9153d 2 bytes JMP 7599fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076c91555 2 bytes JMP 759a6907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076c9156d 2 bytes JMP 75a290c9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076c91585 2 bytes JMP 75a28c2a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076c9159d 2 bytes JMP 75a287c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076c915b5 2 bytes JMP 7599fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076c915cd 2 bytes JMP 759ab2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076c916b2 2 bytes JMP 75a28f8c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076c916bd 2 bytes JMP 75a28759 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\AVAST Software\Avast\avastui.exe[4188]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000075988791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]

---- EOF - GMER 2.2 ----
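The useful check on a user-code section like the one above is not the individual entry but the comparison across processes: the PSAPI.DLL stubs are reported at the same address, offset and kernel32 target in both 32-bit processes, whereas the ksuser.dll byte patches appear only in Skype and the 8-byte SetUnhandledExceptionFilter patch only in avastui.exe (its bytes 31 C0 / C2 04 00 decode to xor eax,eax / ret 4, i.e. the function is stubbed to return 0). The following parser and triage helper is an added example written for this page; it is not part of GMER or of the original post. The line regexes, the bucket names and the "seen in two or more processes means system-wide" rule are assumptions of this example, not GMER features, and the sample log is a handful of entries transcribed from the scan above, one per line, plus GMER's "... * N" marker for elided repeats.

```python
"""Triage helper for the '---- User code sections ----' block of a GMER 2.2 log.

Added example, not part of GMER or of the original post.  Parses one entry per
line and groups identical hooks across processes, so redirects that are present
system-wide can be separated from patches that exist in a single process.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries transcribed from the log above, one per line.
SAMPLE_LOG = r"""
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076c91401 2 bytes JMP 759ab233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076c9144a 2 bytes CALL 759848ad C:\Windows\syswow64\kernel32.dll
.text  ...                                                                       * 9
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[1392]  C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  0000000074b911a8 2 bytes [B9, 74]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076c91401 2 bytes JMP 759ab233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2512]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076c9144a 2 bytes CALL 759848ad C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\AVAST Software\Avast\avastui.exe[4188]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000075988791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
"""

# Assumed line shapes (this example's reading of the GMER output, not a published grammar):
#   .text  <process>[<pid>]  <module>!<func>[ + <offset>]  <addr16> <n> bytes JMP|CALL <target> <target module>
#   .text  <process>[<pid>]  <module>!<func>[ + <offset>]  <addr16> <n> bytes [<hex bytes>]
#   .text  ...   * <N>        (N further entries GMER folded away)
ENTRY_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[\d+\])\s+"
    r"(?P<module>.+?)!(?P<func>\S+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{16})\s+(?P<size>\d+) bytes\s+(?P<patch>.+?)\s*$"
)
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<n>\d+)$")
REDIRECT_RE = re.compile(r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<target_module>\S.*)$")
BYTES_RE = re.compile(r"^\[(?P<raw>[^\]]*)\]$")


@dataclass(frozen=True)
class Hook:
    process: str                  # image path with [pid], exactly as GMER prints it
    module: str
    func: str
    offset: int                   # 0 when GMER prints no "+ n"
    addr: int
    size: int
    kind: str                     # "JMP", "CALL" or "BYTES"
    target: Optional[int]         # redirect destination, None for BYTES
    target_module: Optional[str]
    raw: Optional[str]            # patch bytes as printed, for BYTES

    def signature(self):
        """Everything except the process: the same signature in several
        processes means the same patch was observed system-wide."""
        return (self.module.lower(), self.func, self.offset, self.addr, self.kind,
                self.target, (self.target_module or "").lower(), self.raw)


def parse_user_code_section(text: str):
    """Return (hooks, elided, unparsed): parsed entries, how many entries GMER
    folded into '... * N' lines, and .text lines this parser did not recognise
    (kept rather than dropped, so nothing disappears silently during triage)."""
    hooks, elided, unparsed = [], 0, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(".text"):
            continue
        m = ELIDED_RE.match(line)
        if m:
            elided += int(m.group("n"))
            continue
        m = ENTRY_RE.match(line)
        r = REDIRECT_RE.match(m.group("patch")) if m else None
        b = BYTES_RE.match(m.group("patch")) if m else None
        if not m or not (r or b):
            unparsed.append(line)
            continue
        if r:
            kind, target, tmod, raw = r.group("kind"), int(r.group("target"), 16), r.group("target_module").strip(), None
        else:
            kind, target, tmod, raw = "BYTES", None, None, b.group("raw")
        hooks.append(Hook(m.group("process"), m.group("module").strip(), m.group("func"),
                          int(m.group("offset") or 0), int(m.group("addr"), 16),
                          int(m.group("size")), kind, target, tmod, raw))
    return hooks, elided, unparsed


def triage(text: str):
    """Bucket every hook (assumed heuristic, not a GMER feature):
      inline_patch        bytes overwritten in place, no module to attribute them to
      redirect_outside_os JMP/CALL into a module that is not under \\Windows\\
      system_wide         same redirect observed in two or more processes
      single_process      redirect observed in one process only
    """
    hooks, _, _ = parse_user_code_section(text)
    seen_in = defaultdict(set)
    for h in hooks:
        seen_in[h.signature()].add(h.process)
    buckets = defaultdict(list)
    for h in hooks:
        label = f"{h.process} {h.module}!{h.func}+{h.offset}"
        if h.kind == "BYTES":
            buckets["inline_patch"].append(label)
        elif "\\windows\\" not in h.target_module.lower():
            buckets["redirect_outside_os"].append(label)
        elif len(seen_in[h.signature()]) >= 2:
            buckets["system_wide"].append(label)
        else:
            buckets["single_process"].append(label)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, labels in triage(SAMPLE_LOG).items():
        print(f"{bucket} ({len(labels)})")
        for label in labels:
            print("   ", label)
```

On the sample, the four PSAPI.DLL entries land in system_wide because Skype.exe and AdobeARM.exe report them at identical addresses and targets, and the ksuser.dll and avastui.exe entries land in inline_patch, which is where manual decoding of the printed bytes starts. Feed the full section to triage() and anything in redirect_outside_os or single_process is the short list to look at first.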