GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-04 21:21:15
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD753LJ rev.1AA01113 698,64GB
Running: urthljld.exe; Driver: C:\Users\Jelon\AppData\Local\Temp\uwrdykod.sys


---- User code sections - GMER 2.1 ----

.text   C:\Users\Jelon\AppData\Roaming\Spotify\spotify.exe[2492] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint   000000007725000c 1 byte [C3]
.text   C:\Users\Jelon\AppData\Roaming\Spotify\spotify.exe[2492] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin   00000000772df962 5 bytes JMP 000000017728d579
.text   C:\Users\Jelon\AppData\Roaming\Spotify\spotify.exe[2492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   C:\Users\Jelon\AppData\Roaming\Spotify\spotify.exe[2492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
.text   D:\LOLReplay\LOLRecorder.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   D:\LOLReplay\LOLRecorder.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
.text   C:\Users\Jelon\AppData\Roaming\Dropbox\bin\Dropbox.exe[1360] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   C:\Users\Jelon\AppData\Roaming\Dropbox\bin\Dropbox.exe[1360] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
.text   C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
.text   C:\Users\Jelon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   C:\Users\Jelon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
.text   C:\Users\Jelon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   C:\Users\Jelon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
.text   C:\Users\Jelon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   C:\Users\Jelon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
.text   C:\Users\Jelon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   C:\Users\Jelon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
.text   C:\Users\Jelon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[3880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   C:\Users\Jelon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[3880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2

---- Processes - GMER 2.1 ----

Library   C:\Users\Jelon\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\Jelon\AppData\Roaming\Dropbox\bin\Dropbox.exe [1360](2014-09-13 00:20:58)   0000000003ff0000
Library   c:\users\jelon\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpfthqbr.dll (*** suspicious ***) @ C:\Users\Jelon\AppData\Roaming\Dropbox\bin\Dropbox.exe [1360](2014-11-04 19:41:21)   0000000004430000
Library   C:\Users\Jelon\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\Jelon\AppData\Roaming\Dropbox\bin\Dropbox.exe [1360](2013-08-23 19:01:44)   0000000063200000
Library   C:\Users\Jelon\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\Jelon\AppData\Roaming\Dropbox\bin\Dropbox.exe [1360] (ICU Data DLL/The ICU Project)(2013-08-23 19:01:42)   0000000062700000

---- Registry - GMER 2.1 ----

Reg   HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{f95b29c7-b81b-46c9-aa05-25639eb97796}@Dhcpv6MaxLeaseExpireTime   1415132346
Reg   HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{f95b29c7-b81b-46c9-aa05-25639eb97796}@Dhcpv6LeaseObtainedTime   1415132286

---- EOF - GMER 2.1 ----
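The triage question for a "User code sections" list like the one above is whether an inline patch is unique to one process or identical (same module, function, offset, address and bytes) across every 32-bit process on the box. The second pattern points to a single source planting the same user-mode hook everywhere, the first to something specific to that one process. The script below is an added example, not part of the GMER output or of GMER itself: it parses a subset of the entries from this log (embedded inline, in the exact shape GMER prints them), normalises the module name so `PSAPI.DLL` and `Psapi.dll` fold together, and splits the clusters into shared and isolated ones. It assumes that a `.text ... * N` line means N further entries of the same kind for the preceding process, which is my reading of GMER's abbreviation, and it deliberately does not say who installed the shared hook; the log alone does not prove that.

```python
import re
from collections import defaultdict

# Sample input: a subset of the "User code sections" entries from the GMER log
# above, one entry per line, exactly as GMER prints them.
SAMPLE_LOG = r"""
.text   C:\Users\Jelon\AppData\Roaming\Spotify\spotify.exe[2492] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint   000000007725000c 1 byte [C3]
.text   C:\Users\Jelon\AppData\Roaming\Spotify\spotify.exe[2492] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin   00000000772df962 5 bytes JMP 000000017728d579
.text   C:\Users\Jelon\AppData\Roaming\Spotify\spotify.exe[2492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   C:\Users\Jelon\AppData\Roaming\Spotify\spotify.exe[2492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
.text   D:\LOLReplay\LOLRecorder.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   D:\LOLReplay\LOLRecorder.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
.text   C:\Users\Jelon\AppData\Roaming\Dropbox\bin\Dropbox.exe[1360] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   C:\Users\Jelon\AppData\Roaming\Dropbox\bin\Dropbox.exe[1360] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
.text   C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000751d1465 2 bytes [1D, 75]
.text   C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000751d14bb 2 bytes [1D, 75]
.text   ...   * 2
"""

# One hook entry: ".text  <proc>[<pid>]  <module>!<func>[ + <off>]  <addr> <n> byte(s) <patch>"
ENTRY_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<n>\d+)\s+bytes?\s+(?P<patch>.+?)\s*$"
)
# GMER's abbreviation for N further similar entries in the same process (assumed meaning).
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<count>\d+)\s*$")


def parse_user_code_sections(text):
    """Return (entries, elided): parsed hook entries and, per process, how many
    entries GMER collapsed into '.text ... * N' lines."""
    entries, elided, last_proc = [], defaultdict(int), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ELIDED_RE.match(line)
        if m:
            if last_proc is not None:
                elided[last_proc] += int(m.group("count"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # section headers and anything that is not a hook entry
        e = m.groupdict()
        e["off"] = int(e["off"]) if e["off"] else 0
        e["n"] = int(e["n"])
        e["addr"] = int(e["addr"], 16)
        last_proc = (e["proc"], int(e["pid"]))
        e["proc_key"] = last_proc
        entries.append(e)
    return entries, dict(elided)


def cluster_patches(entries):
    """Group entries that are the same patch: module basename (case-folded, so
    PSAPI.DLL and Psapi.dll merge), function, offset, address and patch bytes."""
    clusters = defaultdict(set)
    for e in entries:
        key = (e["module"].rsplit("\\", 1)[-1].lower(), e["func"],
               e["off"], e["addr"], e["patch"].upper())
        clusters[key].add(e["proc_key"])
    return clusters


def triage(text, min_processes=3):
    """Split patch clusters into 'shared' (seen in >= min_processes distinct
    processes: one hook source touching every process) and 'isolated'."""
    entries, elided = parse_user_code_sections(text)
    shared, isolated = [], []
    for key, procs in cluster_patches(entries).items():
        row = {"module": key[0], "func": key[1], "off": key[2],
               "addr": key[3], "patch": key[4], "processes": sorted(procs)}
        (shared if len(procs) >= min_processes else isolated).append(row)
    return shared, isolated, elided


if __name__ == "__main__":
    shared, isolated, elided = triage(SAMPLE_LOG)
    for label, rows in (("SHARED (same patch in many processes)", shared),
                        ("ISOLATED (one process only)", isolated)):
        print(label)
        for r in rows:
            print(f"  {r['module']}!{r['func']}+{r['off']} @ {r['addr']:#x} {r['patch']}"
                  f" in {len(r['processes'])} process(es)")
    print("collapsed entries per process:", elided)
```

On the full log the two `GetModuleInformation` patches (`[1D, 75]` at the same two addresses) land in the shared bucket for all nine listed processes, every one of them a 32-bit process loading `syswow64\psapi.dll`, while the two `ntdll.dll` debugger-entry patches (`DbgBreakPoint` overwritten with `C3`, a `ret`, and `DbgUiRemoteBreakin` redirected with a `JMP`) are isolated to `spotify.exe[2492]`; such patches are the classic shape of an application blocking debugger attachment to itself, but confirming that means inspecting the process, not the log.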