GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-16 12:34:37
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000056 OCZ-VERT rev.1.37 167,68GB
Running: gmer.exe; Driver: C:\Users\TJRP7\AppData\Local\Temp\kwddykow.sys

---- User code sections - GMER 2.1 ----

.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint  0000000076ea000c 1 byte [C3]
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin  0000000076f2f8ea 5 bytes JMP 0000000176edd5c1
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000765f1401 2 bytes JMP 74d9b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000765f1419 2 bytes JMP 74d9b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000765f1431 2 bytes JMP 74e18ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000765f144a 2 bytes CALL 74d748ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000765f14dd 2 bytes JMP 74e187a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000765f14f5 2 bytes JMP 74e18978 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000765f150d 2 bytes JMP 74e18698 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000765f1525 2 bytes JMP 74e18a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000765f153d 2 bytes JMP 74d8fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000765f1555 2 bytes JMP 74d968ef C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000765f156d 2 bytes JMP 74e18f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000765f1585 2 bytes JMP 74e18ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000765f159d 2 bytes JMP 74e1865c C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000765f15b5 2 bytes JMP 74d8fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000765f15cd 2 bytes JMP 74d9b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000765f16b2 2 bytes JMP 74e18e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000765f16bd 2 bytes JMP 74e185f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  00000000765f1401 2 bytes JMP 74d9b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  00000000765f1419 2 bytes JMP 74d9b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  00000000765f1431 2 bytes JMP 74e18ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  00000000765f144a 2 bytes CALL 74d748ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  00000000765f14dd 2 bytes JMP 74e187a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000765f14f5 2 bytes JMP 74e18978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  00000000765f150d 2 bytes JMP 74e18698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  00000000765f1525 2 bytes JMP 74e18a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  00000000765f153d 2 bytes JMP 74d8fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  00000000765f1555 2 bytes JMP 74d968ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  00000000765f156d 2 bytes JMP 74e18f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  00000000765f1585 2 bytes JMP 74e18ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  00000000765f159d 2 bytes JMP 74e1865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  00000000765f15b5 2 bytes JMP 74d8fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  00000000765f15cd 2 bytes JMP 74d9b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000765f16b2 2 bytes JMP 74e18e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748]  C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000765f16bd 2 bytes JMP 74e185f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint  0000000076ea000c 1 byte [C3]
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin  0000000076f2f8ea 5 bytes JMP 0000000176edd5c1
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000765f1401 2 bytes JMP 74d9b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000765f1419 2 bytes JMP 74d9b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000765f1431 2 bytes JMP 74e18ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000765f144a 2 bytes CALL 74d748ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000765f14dd 2 bytes JMP 74e187a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000765f14f5 2 bytes JMP 74e18978 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000765f150d 2 bytes JMP 74e18698 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000765f1525 2 bytes JMP 74e18a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000765f153d 2 bytes JMP 74d8fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000765f1555 2 bytes JMP 74d968ef C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000765f156d 2 bytes JMP 74e18f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000765f1585 2 bytes JMP 74e18ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000765f159d 2 bytes JMP 74e1865c C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000765f15b5 2 bytes JMP 74d8fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000765f15cd 2 bytes JMP 74d9b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000765f16b2 2 bytes JMP 74e18e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2276]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000765f16bd 2 bytes JMP 74e185f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint  0000000076ea000c 1 byte [C3]
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin  0000000076f2f8ea 5 bytes JMP 0000000176edd5c1
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000765f1401 2 bytes JMP 74d9b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000765f1419 2 bytes JMP 74d9b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000765f1431 2 bytes JMP 74e18ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000765f144a 2 bytes CALL 74d748ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000765f14dd 2 bytes JMP 74e187a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000765f14f5 2 bytes JMP 74e18978 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000765f150d 2 bytes JMP 74e18698 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000765f1525 2 bytes JMP 74e18a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000765f153d 2 bytes JMP 74d8fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000765f1555 2 bytes JMP 74d968ef C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000765f156d 2 bytes JMP 74e18f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000765f1585 2 bytes JMP 74e18ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000765f159d 2 bytes JMP 74e1865c C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000765f15b5 2 bytes JMP 74d8fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000765f15cd 2 bytes JMP 74d9b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000765f16b2 2 bytes JMP 74e18e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[1644]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000765f16bd 2 bytes JMP 74e185f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  00000000765f1401 2 bytes JMP 74d9b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  00000000765f1419 2 bytes JMP 74d9b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  00000000765f1431 2 bytes JMP 74e18ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  00000000765f144a 2 bytes CALL 74d748ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  00000000765f14dd 2 bytes JMP 74e187a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000765f14f5 2 bytes JMP 74e18978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  00000000765f150d 2 bytes JMP 74e18698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  00000000765f1525 2 bytes JMP 74e18a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  00000000765f153d 2 bytes JMP 74d8fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  00000000765f1555 2 bytes JMP 74d968ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  00000000765f156d 2 bytes JMP 74e18f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  00000000765f1585 2 bytes JMP 74e18ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  00000000765f159d 2 bytes JMP 74e1865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  00000000765f15b5 2 bytes JMP 74d8fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  00000000765f15cd 2 bytes JMP 74d9b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000765f16b2 2 bytes JMP 74e18e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[4004]  C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000765f16bd 2 bytes JMP 74e185f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17  00000000765f1401 2 bytes JMP 74d9b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17  00000000765f1419 2 bytes JMP 74d9b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17  00000000765f1431 2 bytes JMP 74e18ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42  00000000765f144a 2 bytes CALL 74d748ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17  00000000765f14dd 2 bytes JMP 74e187a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17  00000000765f14f5 2 bytes JMP 74e18978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17  00000000765f150d 2 bytes JMP 74e18698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17  00000000765f1525 2 bytes JMP 74e18a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17  00000000765f153d 2 bytes JMP 74d8fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17  00000000765f1555 2 bytes JMP 74d968ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17  00000000765f156d 2 bytes JMP 74e18f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17  00000000765f1585 2 bytes JMP 74e18ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17  00000000765f159d 2 bytes JMP 74e1865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17  00000000765f15b5 2 bytes JMP 74d8fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17  00000000765f15cd 2 bytes JMP 74d9b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20  00000000765f16b2 2 bytes JMP 74e18e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5136]  C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31  00000000765f16bd 2 bytes JMP 74e185f1 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4728:4900]  000007fefa982bf8
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4728:5052]  000007fef7aa5124

---- Processes - GMER 2.1 ----

Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136] (Python Core/Python Software Foundation)(2015-03-16 08:05:09)  000000001e000000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001e8c0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:09)  000000001e7a0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  0000000000240000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\_socket.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  00000000002b0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:09)  0000000010000000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001e800000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\_hashlib.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:09)  00000000004a0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wx._core_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  0000000002c30000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wxbase294u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136] (wxWidgets for MSW/wxWidgets development team)(2015-03-16 08:05:09)  0000000002d60000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wxbase294u_net_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136] (wxWidgets for MSW/wxWidgets development team)(2015-03-16 08:05:09)  0000000000370000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wxmsw294u_core_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136] (wxWidgets for MSW/wxWidgets development team)(2015-03-16 08:05:09)  0000000002f50000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wxmsw294u_adv_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136] (wxWidgets for MSW/wxWidgets development team)(2015-03-16 08:05:09)  00000000033f0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wx._gdi_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:09)  0000000003e30000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wx._windows_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:09)  0000000003f00000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wxmsw294u_html_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136] (wxWidgets for MSW/wxWidgets development team)(2015-03-16 08:05:09)  0000000002460000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wx._controls_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  00000000041f0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wx._misc_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  0000000004300000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\pysqlite2._sqlite.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  00000000043c0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\_elementtree.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001d100000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\pyexpat.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  0000000000580000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\_ctypes.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001d1a0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32file.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001ea10000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32security.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001ec80000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\hashobjs_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:09)  0000000001fc0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32gui.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001ea40000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32event.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001e9b0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32inet.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001eaa0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32crypt.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001e980000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wx._html2.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  0000000002500000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wxmsw294u_webview_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136] (wxWidgets for MSW/wxWidgets development team)(2015-03-16 08:05:09)  0000000004020000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\_multiprocessing.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:09)  0000000003fd0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\_yappi.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:09)  0000000004040000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32process.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:09)  000000001ebf0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\unicodedata.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  00000000055b0000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wx._wizard.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  0000000005540000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32pipe.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:09)  000000001eb90000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\select.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  0000000005570000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32pdh.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:09)  000000001eb60000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32profile.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001ec20000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\win32ts.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  000000001ed40000
Library  C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\wx._animate.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136](2015-03-16 08:05:08)  0000000005580000

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----
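Added triage example. This script is not part of the GMER log above and is not GMER's own code; it parses the three record types that appear in the log (.text user-code hooks, "Library ... (*** suspicious ***)" entries, and the Disk line) and labels each one with the explanation that accounts for it on a Windows 7 x64 host, or with REVIEW where nothing does. The rules are the editor's, not GMER's: Windows 7 psapi.dll exports are stubs that jump into kernel32's K32* implementations, which GMER reports as 2-byte JMP/CALL hooks at a small offset; a process that patches ntdll!DbgBreakPoint and DbgUiRemoteBreakin in its own address space is blocking debugger attachment to itself; _MEI followed by digits under %TEMP% is the directory a PyInstaller one-file executable unpacks into; "unknown MBR code" only means GMER did not recognise the boot code. The sample records are copied from the log; the function names, verdict strings and the one synthetic hook line in the usage note are the example's own.

```python
import re
from collections import Counter

# Record layouts below follow the GMER 2.1 lines on this page:
#   .text  <process>[pid]  <module>!<export>[ + off]  <addr> <n> byte(s) <patch>
#   Library  <path> (*** suspicious ***) @ <process> [pid] ...
#   Disk  <device>  <note>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<module>.+?)!(?P<func>\S+)(?:\s+\+\s+(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-f]{16})\s+(?P<size>\d+)\s+bytes?\s+(?P<patch>.+?)\s*$"
)
LIB_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\]"
)
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+(?P<note>.+?)\s*$")

PYINSTALLER_TMP = re.compile(r"\\Temp\\_MEI\d+\\", re.IGNORECASE)
ANTI_DEBUG_EXPORTS = {"DbgBreakPoint", "DbgUiRemoteBreakin"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify_hook(m):
    module = basename(m["module"]).lower()
    patch = m["patch"]
    # Windows 7 psapi.dll exports are thin stubs that jump into kernel32's
    # K32* implementations; GMER shows them as 2-byte JMP/CALL "hooks".
    if module == "psapi.dll" and m["size"] == "2" and patch.lower().endswith("kernel32.dll"):
        return "psapi-forwarder (expected on Windows 7)"
    # A process patching its own ntdll debug entry points is keeping debuggers
    # from attaching; common in DRM-protected software, but verify the image.
    if module == "ntdll.dll" and m["func"] in ANTI_DEBUG_EXPORTS:
        return "anti-debug patch (verify process image)"
    return "REVIEW: unexplained inline hook"


def classify_library(m):
    # _MEI<digits> under %TEMP% is where a PyInstaller one-file exe unpacks its
    # bundled DLLs and .pyd modules; expected only if the host exe is PyInstaller-built.
    if PYINSTALLER_TMP.search(m["path"]):
        return "pyinstaller-extract (check host exe signature)"
    return "REVIEW: library loaded from unexpected location"


def triage(lines):
    """Return (record_kind, verdict, detail) for each recognised GMER record."""
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if (m := HOOK_RE.match(line)):
            detail = f"{m['proc']} {basename(m['module'])}!{m['func']}"
            results.append(("hook", classify_hook(m), detail))
        elif (m := LIB_RE.match(line)):
            results.append(("library", classify_library(m), f"{m['path']} @ pid {m['pid']}"))
        elif (m := DISK_RE.match(line)):
            verdict = "REVIEW: dump and compare MBR boot code" if "unknown MBR" in m["note"] else "ok"
            results.append(("disk", verdict, f"{m['dev']}: {m['note']}"))
    return results


def summarize(results):
    """Count verdicts so a long log collapses to a handful of lines."""
    return Counter(f"{kind}:{verdict}" for kind, verdict, _ in results)


# Constructed sample: representative records copied from the log above.
SAMPLE = r"""
---- User code sections - GMER 2.1 ----
.text C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 0000000076ea000c 1 byte [C3]
.text C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 0000000076f2f8ea 5 bytes JMP 0000000176edd5c1
.text C:\Users\TJRP7\AppData\Roaming\Spotify\Spotify.exe[2688] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000765f1555 2 bytes JMP 74d968ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2748] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000765f144a 2 bytes CALL 74d748ad C:\Windows\syswow64\kernel32.dll
---- Processes - GMER 2.1 ----
Library C:\Users\TJRP7\AppData\Local\Temp\_MEI35322\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [5136] (Python Core/Python Software Foundation)(2015-03-16 08:05:09) 000000001e000000
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
""".splitlines()

if __name__ == "__main__":
    for kind, verdict, detail in triage(SAMPLE):
        print(f"{kind:8} {verdict:45} {detail}")
    print(summarize(triage(SAMPLE)))
```

To run it over a saved log, pass the file's lines to triage() and look only at the REVIEW verdicts. A "psapi-forwarder" or "pyinstaller-extract" label says the record matches a known stock pattern, not that the process is clean: confirm the kernel32 targets fall inside the mapped kernel32 image and check the host executable's Authenticode signature before closing the item, and for "unknown MBR code" dump sector 0 and diff it against a known-good boot sector for that disk layout rather than trusting the label either way.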