GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-17 00:05:34
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 KINGSTON_SH103S3120G rev.0953 111,79GB
Running: 8mw6vq41.exe; Driver: C:\Users\tomicher\AppData\Local\Temp\pfrdrkod.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076fa1401 2 bytes JMP 74e4b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076fa1419 2 bytes JMP 74e4b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076fa1431 2 bytes JMP 74ec8fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076fa144a 2 bytes CALL 74e2489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076fa14dd 2 bytes JMP 74ec88c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076fa14f5 2 bytes JMP 74ec8aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076fa150d 2 bytes JMP 74ec87ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076fa1525 2 bytes JMP 74ec8b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076fa153d 2 bytes JMP 74e3fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076fa1555 2 bytes JMP 74e468ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076fa156d 2 bytes JMP 74ec9089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076fa1585 2 bytes JMP 74ec8bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076fa159d 2 bytes JMP 74ec877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076fa15b5 2 bytes JMP 74e3fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076fa15cd 2 bytes JMP 74e4b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076fa16b2 2 bytes JMP 74ec8f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076fa16bd 2 bytes JMP 74ec8713 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 0000000076fa1401 2 bytes JMP 74e4b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 0000000076fa1419 2 bytes JMP 74e4b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 0000000076fa1431 2 bytes JMP 74ec8fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 0000000076fa144a 2 bytes CALL 74e2489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 0000000076fa14dd 2 bytes JMP 74ec88c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076fa14f5 2 bytes JMP 74ec8aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 0000000076fa150d 2 bytes JMP 74ec87ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076fa1525 2 bytes JMP 74ec8b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 0000000076fa153d 2 bytes JMP 74e3fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 0000000076fa1555 2 bytes JMP 74e468ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 0000000076fa156d 2 bytes JMP 74ec9089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 0000000076fa1585 2 bytes JMP 74ec8bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 0000000076fa159d 2 bytes JMP 74ec877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 0000000076fa15b5 2 bytes JMP 74e3fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 0000000076fa15cd 2 bytes JMP 74e4b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 0000000076fa16b2 2 bytes JMP 74ec8f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4164] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 0000000076fa16bd 2 bytes JMP 74ec8713 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Magic Mouse Utilities\MagicMouseUtilities.exe[4724] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000773c000c 1 byte [C3]
.text C:\Program Files (x86)\Magic Mouse Utilities\MagicMouseUtilities.exe[4724] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007744fbaa 5 bytes JMP 0000000177409c63
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076fa1401 2 bytes JMP 74e4b21b C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076fa1419 2 bytes JMP 74e4b346 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076fa1431 2 bytes JMP 74ec8fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076fa144a 2 bytes CALL 74e2489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076fa14dd 2 bytes JMP 74ec88c4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076fa14f5 2 bytes JMP 74ec8aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076fa150d 2 bytes JMP 74ec87ba C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076fa1525 2 bytes JMP 74ec8b8a C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076fa153d 2 bytes JMP 74e3fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076fa1555 2 bytes JMP 74e468ef C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076fa156d 2 bytes JMP 74ec9089 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076fa1585 2 bytes JMP 74ec8bea C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076fa159d 2 bytes JMP 74ec877e C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076fa15b5 2 bytes JMP 74e3fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076fa15cd 2 bytes JMP 74e4b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076fa16b2 2 bytes JMP 74ec8f4c C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076fa16bd 2 bytes JMP 74ec8713 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076fa1401 2 bytes JMP 74e4b21b C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076fa1419 2 bytes JMP 74e4b346 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076fa1431 2 bytes JMP 74ec8fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076fa144a 2 bytes CALL 74e2489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076fa14dd 2 bytes JMP 74ec88c4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076fa14f5 2 bytes JMP 74ec8aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076fa150d 2 bytes JMP 74ec87ba C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076fa1525 2 bytes JMP 74ec8b8a C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076fa153d 2 bytes JMP 74e3fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076fa1555 2 bytes JMP 74e468ef C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076fa156d 2 bytes JMP 74ec9089 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076fa1585 2 bytes JMP 74ec8bea C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076fa159d 2 bytes JMP 74ec877e C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076fa15b5 2 bytes JMP 74e3fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076fa15cd 2 bytes JMP 74e4b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076fa16b2 2 bytes JMP 74ec8f4c C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5192] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076fa16bd 2 bytes JMP 74ec8713 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076fa1401 2 bytes JMP 74e4b21b C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076fa1419 2 bytes JMP 74e4b346 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076fa1431 2 bytes JMP 74ec8fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076fa144a 2 bytes CALL 74e2489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076fa14dd 2 bytes JMP 74ec88c4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076fa14f5 2 bytes JMP 74ec8aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076fa150d 2 bytes JMP 74ec87ba C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076fa1525 2 bytes JMP 74ec8b8a C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076fa153d 2 bytes JMP 74e3fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076fa1555 2 bytes JMP 74e468ef C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076fa156d 2 bytes JMP 74ec9089 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076fa1585 2 bytes JMP 74ec8bea C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076fa159d 2 bytes JMP 74ec877e C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076fa15b5 2 bytes JMP 74e3fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076fa15cd 2 bytes JMP 74e4b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076fa16b2 2 bytes JMP 74ec8f4c C:\Windows\syswow64\kernel32.dll
.text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[5332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076fa16bd 2 bytes JMP 74ec8713 C:\Windows\syswow64\kernel32.dll

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{73EF11CE-3A51-408F-B33A-3262CCF8701A}\offreg.828.dll (*** suspicious ***) @ C:\Program Files\Microsoft Security Client\MsMpEng.exe [828](2015-10-16 19:33:58) 000007fefb8d0000
Library c:\users\tomicher\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp5n20rj.dll (*** suspicious ***) @ C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [4164](2015-10-16 19:21:20) 0000000068c20000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001986000a4b
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001986000a4b@001f5bf9d50d 0x7F 0x5F 0xA1 0xD2 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001986000a4b@78ca39f760f3 0x7F 0xBA 0xB5 0x53 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001986000a4b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001986000a4b@001f5bf9d50d 0x7F 0x5F 0xA1 0xD2 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001986000a4b@78ca39f760f3 0x7F 0xBA 0xB5 0x53 ...

---- EOF - GMER 2.1 ----