GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-06-22 12:43:29 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS547550A9E384 rev.JE3OA60A 465,76GB Running: v6yp5wy0.exe; Driver: C:\Users\mato\AppData\Local\Temp\aftciaod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000e3f00 7 bytes [00, 98, F3, FF, 01, A6, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000e3f08 3 bytes [C0, 06, 02] .text ... * 109 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 404 fffff960001a2a98 15 bytes [48, B8, 44, 58, 80, 01, 80, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076d53b11 12 bytes [B8, A0, 6C, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076d57ac1 11 bytes [B8, B4, 6B, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d817b0 5 bytes [48, B8, 78, 13, 06] .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000076d817b8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d81800 5 bytes [48, B8, 88, 23, 06] .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076d81808 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d819f0 5 bytes [48, B8, 98, 21, 06] .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 0000000076d819f8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d81bd0 5 bytes [48, B8, F8, 22, 06] .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 0000000076d81bd8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 0000000076d827a0 6 bytes [48, B8, 54, 22, 06, 00] .text C:\Windows\Explorer.EXE[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 0000000076d827a8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1564] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefd5fde91 14 bytes [B8, 78, 88, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[1564] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd617490 8 bytes [48, B8, E8, 87, 06, 00, 00, ...] .text C:\Windows\Explorer.EXE[1564] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007fefd61749a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1564] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007fefd622e19 14 bytes [B8, E8, 88, 06, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076d53b11 12 bytes [B8, A0, 6C, 05, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076d57ac1 11 bytes [B8, B4, 6B, 05, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d817b0 5 bytes [48, B8, 78, 13, 05] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000076d817b8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d81800 5 bytes [48, B8, 88, 23, 05] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076d81808 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d819f0 5 bytes [48, B8, 98, 21, 05] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 0000000076d819f8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d81bd0 5 bytes [48, B8, F8, 22, 05] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 0000000076d81bd8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 0000000076d827a0 6 bytes [48, B8, 54, 22, 05, 00] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 0000000076d827a8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefd5fde91 14 bytes [B8, 78, 88, 05, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd617490 8 bytes [48, B8, E8, 87, 05, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007fefd61749a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1592] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007fefd622e19 14 bytes [B8, E8, 88, 05, 00, 00, 00, ...] .text C:\Windows\SysWOW64\nethtsrv.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761f1465 2 bytes [1F, 76] .text C:\Windows\SysWOW64\nethtsrv.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761f14bb 2 bytes [1F, 76] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000723b1a22 2 bytes [3B, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000723b1ad0 2 bytes [3B, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000723b1b08 2 bytes [3B, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000723b1bba 2 bytes [3B, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000723b1bda 2 bytes [3B, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761f1465 2 bytes [1F, 76] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761f14bb 2 bytes [1F, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[1452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761f1465 2 bytes [1F, 76] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[1452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761f14bb 2 bytes [1F, 76] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000076d53b11 12 bytes [B8, A0, 6C, 16, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000076d57ac1 11 bytes [B8, B4, 6B, 16, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d817b0 5 bytes [48, B8, 78, 13, 16] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000076d817b8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d81800 5 bytes [48, B8, 88, 23, 16] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076d81808 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d819f0 5 bytes [48, B8, 98, 21, 16] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 0000000076d819f8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d81bd0 5 bytes [48, B8, F8, 22, 16] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 0000000076d81bd8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 0000000076d827a0 6 bytes [48, B8, 54, 22, 16, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 0000000076d827a8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefd5fde91 14 bytes [B8, 78, 88, 16, 00, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd617490 8 bytes [48, B8, E8, 87, 16, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007fefd61749a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2152] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007fefd622e19 14 bytes [B8, E8, 88, 16, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 1 0000000076f300b5 3 bytes [08, 1A, 09] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f300b9 2 bytes [50, C3] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 0000000076f303b9 3 bytes [96, 19, 09] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 0000000076f303bd 2 bytes [50, C3] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 1 0000000076f30695 3 bytes [E2, 19, 09] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 5 0000000076f30699 2 bytes [50, C3] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 0000000076f318c1 3 bytes [BC, 19, 09] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 0000000076f318c5 2 bytes [50, C3] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f4c4dd 10 bytes [B8, 9A, 77, 09, 00, 50, C3, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f51287 7 bytes [B8, D7, 6A, 09, 00, 50, C3] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074984322 7 bytes JMP 00000001000911e5 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000074a04afa 7 bytes JMP 0000000100091229 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000765c54ad 10 bytes [B8, C7, 63, 09, 00, 50, C3, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765d9d0b 8 bytes [B8, 87, 7A, 09, 00, 50, C3, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000765d9d4e 9 bytes [B8, A1, 63, 09, 00, 50, C3, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000769178e2 8 bytes [B8, 20, 1B, 09, 00, 50, C3, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076917bd3 8 bytes [B8, D8, 1A, 09, 00, 50, C3, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076918332 7 bytes [B8, DD, 18, 09, 00, 50, C3] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000769205ba 11 bytes [B8, B3, 1B, 09, 00, 50, C3, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007692291f 11 bytes [B8, B8, 6B, 09, 00, 50, C3, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076925f74 11 bytes [B8, 68, 1B, 09, 00, 50, C3, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076926110 7 bytes [B8, B7, 18, 09, 00, 50, C3] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076926285 12 bytes [B8, 06, 6D, 09, 00, 50, C3, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007693eb96 7 bytes [B8, 0B, 6B, 09, 00, 50, C3] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 1 000000007693ec69 3 bytes [65, 6C, 09] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 5 000000007693ec6d 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!GetRawInputBuffer 000000007696816c 11 bytes [B8, E8, 50, 09, 00, 50, C3, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!GetRawInputData + 1 0000000076978370 3 bytes [93, 50, 09] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!GetRawInputData + 5 0000000076978374 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!EndTask + 1 000000007697a7ef 3 bytes [4F, 19, 09] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\USER32.dll!EndTask + 5 000000007697a7f3 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761f1465 2 bytes [1F, 76] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761f14bb 2 bytes [1F, 76] .text ... * 2 .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 1 0000000076f300b5 3 bytes [08, 1A, 0A] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f300b9 2 bytes [50, C3] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 0000000076f303b9 3 bytes [96, 19, 0A] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 0000000076f303bd 2 bytes [50, C3] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 1 0000000076f30695 3 bytes [E2, 19, 0A] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 5 0000000076f30699 2 bytes [50, C3] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 0000000076f318c1 3 bytes [BC, 19, 0A] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 0000000076f318c5 2 bytes [50, C3] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f4c4dd 10 bytes [B8, 9A, 77, 0A, 00, 50, C3, ...] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f51287 7 bytes [B8, D7, 6A, 0A, 00, 50, C3] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074984322 7 bytes JMP 00000001000a11e5 .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000074a04afa 7 bytes JMP 00000001000a1229 .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000769178e2 8 bytes [B8, 20, 1B, 0A, 00, 50, C3, ...] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076917bd3 8 bytes [B8, D8, 1A, 0A, 00, 50, C3, ...] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076918332 7 bytes [B8, DD, 18, 0A, 00, 50, C3] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!RegisterClassW + 237 0000000076918b52 8 bytes [B8, 04, 56, 0A, 00, 50, C3, ...] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000769205ba 11 bytes [B8, B3, 1B, 0A, 00, 50, C3, ...] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007692291f 11 bytes [B8, B8, 6B, 0A, 00, 50, C3, ...] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076925f74 11 bytes [B8, 68, 1B, 0A, 00, 50, C3, ...] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076926110 7 bytes [B8, B7, 18, 0A, 00, 50, C3] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076926285 12 bytes [B8, 06, 6D, 0A, 00, 50, C3, ...] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007693eb96 7 bytes [B8, 0B, 6B, 0A, 00, 50, C3] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 1 000000007693ec69 3 bytes [65, 6C, 0A] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 5 000000007693ec6d 5 bytes [50, C3, 90, 90, 90] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!GetRawInputBuffer 000000007696816c 11 bytes [B8, E8, 50, 0A, 00, 50, C3, ...] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!GetRawInputData + 1 0000000076978370 3 bytes [93, 50, 0A] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!GetRawInputData + 5 0000000076978374 5 bytes [50, C3, 90, 90, 90] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!EndTask + 1 000000007697a7ef 3 bytes [4F, 19, 0A] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\USER32.dll!EndTask + 5 000000007697a7f3 5 bytes [50, C3, 90, 90, 90] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000765c54ad 10 bytes [B8, C7, 63, 0A, 00, 50, C3, ...] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765d9d0b 8 bytes [B8, 87, 7A, 0A, 00, 50, C3, ...] .text C:\Users\mato\AppData\Local\Temp\Foxit Reader Updater.exe[3932] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000765d9d4e 9 bytes [B8, A1, 63, 0A, 00, 50, C3, ...] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 1 0000000076f300b5 3 bytes [08, 1A, 1D] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f300b9 2 bytes [50, C3] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 0000000076f303b9 3 bytes [96, 19, 1D] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 0000000076f303bd 2 bytes [50, C3] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 1 0000000076f30695 3 bytes [E2, 19, 1D] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 5 0000000076f30699 2 bytes [50, C3] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 0000000076f318c1 3 bytes [BC, 19, 1D] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 0000000076f318c5 2 bytes [50, C3] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f4c4dd 10 bytes [B8, 9A, 77, 1D, 00, 50, C3, ...] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f51287 7 bytes [B8, D7, 6A, 1D, 00, 50, C3] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074984322 7 bytes JMP 00000001001d11e5 .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000074a04afa 7 bytes JMP 00000001001d1229 .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000769178e2 8 bytes [B8, 20, 1B, 1D, 00, 50, C3, ...] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076917bd3 8 bytes [B8, D8, 1A, 1D, 00, 50, C3, ...] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076918332 7 bytes [B8, DD, 18, 1D, 00, 50, C3] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000769205ba 11 bytes [B8, B3, 1B, 1D, 00, 50, C3, ...] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007692291f 11 bytes [B8, B8, 6B, 1D, 00, 50, C3, ...] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076925f74 11 bytes [B8, 68, 1B, 1D, 00, 50, C3, ...] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076926110 7 bytes [B8, B7, 18, 1D, 00, 50, C3] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076926285 12 bytes [B8, 06, 6D, 1D, 00, 50, C3, ...] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007693eb96 7 bytes [B8, 0B, 6B, 1D, 00, 50, C3] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 1 000000007693ec69 3 bytes [65, 6C, 1D] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 5 000000007693ec6d 5 bytes [50, C3, 90, 90, 90] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!GetRawInputBuffer 000000007696816c 11 bytes [B8, E8, 50, 1D, 00, 50, C3, ...] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!GetRawInputData + 1 0000000076978370 3 bytes [93, 50, 1D] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!GetRawInputData + 5 0000000076978374 5 bytes [50, C3, 90, 90, 90] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!EndTask + 1 000000007697a7ef 3 bytes [4F, 19, 1D] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\USER32.dll!EndTask + 5 000000007697a7f3 5 bytes [50, C3, 90, 90, 90] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000765c54ad 10 bytes [B8, C7, 63, 1D, 00, 50, C3, ...] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765d9d0b 8 bytes [B8, 87, 7A, 1D, 00, 50, C3, ...] .text C:\Users\mato\Downloads\v6yp5wy0.exe[4172] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000765d9d4e 9 bytes [B8, A1, 63, 1D, 00, 50, C3, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\kbdclass.sys[ntoskrnl.exe!IofCompleteRequest] [fffff8800180a6f8] \??\C:\Program Files (x86)\SpyShelter Premium\SpyShelter.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\USBSTOR -> DriverStartIo \Device\00000086 fffff88007da79c4 Device \Driver\USBSTOR \Device\00000086 fffff88007db9578 Device \Driver\WUDFRd \Device\UMDFCtrlDev-671dbea3-f95d-11e3-8cc4-5404a6b0d4c8 fffff88007dc2954 Device \Driver\USBSTOR -> DriverStartIo \Device\00000087 fffff88007da79c4 Device \Driver\USBSTOR \Device\00000087 fffff88007db9578 ---- Files - GMER 2.1 ---- File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\0\87\5C82Ed01 77234 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\0\24\C08F0d01 16955 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\1\1B\316BFd01 16563 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\1\51\A7F0Cd01 21616 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\1\68\24CDFd01 17536 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\2\E9\76755d01 21184 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\2\40\AB572d01 103155 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\4\A8\AB37Ad01 20167 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\4\B0\29B9Ad01 124831 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\5\79\C87EAd01 170688 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\6\31\05CB8d01 23501 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\7\47\B72F5d01 18780 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\7\62\1394Ad01 119967 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\8\0F\59359d01 56115 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\9\6C\8009Bd01 17047 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\9\F2\02FB0d01 20170 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\A\E6\A3BCBd01 23810 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\A\F4\E7D56d01 106788 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\B\F9\F1D1Dd01 17846 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\D\12\6F0CCd01 16955 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\D\2C\DFA00d01 51087 bytes File C:\Users\mato\AppData\Local\Mozilla\Firefox\Profiles\mzoihphy.default-1387709551934\Cache\D\3C\686B7d01 16955 bytes ---- EOF - GMER 2.1 ----