GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-28 02:31:36 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-4 Samsung_SSD_840_EVO_120GB rev.EXT0BB6Q 111,79GB Running: sjl9934j.exe; Driver: C:\Users\Mruvek\AppData\Local\Temp\kwrdrpod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077061401 2 bytes JMP 75ebb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077061419 2 bytes JMP 75ebb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077061431 2 bytes JMP 75f38ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007706144a 2 bytes CALL 75e948ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770614dd 2 bytes JMP 75f387a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770614f5 2 bytes JMP 75f38978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007706150d 2 bytes JMP 75f38698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077061525 2 bytes JMP 75f38a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007706153d 2 bytes JMP 75eafca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077061555 2 bytes JMP 75eb68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007706156d 2 bytes JMP 75f38f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077061585 2 bytes JMP 75f38ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007706159d 2 bytes JMP 75f3865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770615b5 2 bytes JMP 75eafd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770615cd 2 bytes JMP 75ebb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770616b2 2 bytes JMP 75f38e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770616bd 2 bytes JMP 75f385f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077061401 2 bytes JMP 75ebb21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077061419 2 bytes JMP 75ebb346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077061431 2 bytes JMP 75f38ea9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007706144a 2 bytes CALL 75e948ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770614dd 2 bytes JMP 75f387a2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770614f5 2 bytes JMP 75f38978 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007706150d 2 bytes JMP 75f38698 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077061525 2 bytes JMP 75f38a62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007706153d 2 bytes JMP 75eafca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077061555 2 bytes JMP 75eb68ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007706156d 2 bytes JMP 75f38f61 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077061585 2 bytes JMP 75f38ac2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007706159d 2 bytes JMP 75f3865c C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770615b5 2 bytes JMP 75eafd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770615cd 2 bytes JMP 75ebb2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770616b2 2 bytes JMP 75f38e24 C:\Windows\syswow64\kernel32.dll .text C:\Windows\mlwps.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770616bd 2 bytes JMP 75f385f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 000000007766000c 1 byte [C3] .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 00000000776ef8ea 5 bytes JMP 000000017769d5c1 .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077061401 2 bytes JMP 75ebb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077061419 2 bytes JMP 75ebb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077061431 2 bytes JMP 75f38ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007706144a 2 bytes CALL 75e948ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770614dd 2 bytes JMP 75f387a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770614f5 2 bytes JMP 75f38978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007706150d 2 bytes JMP 75f38698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077061525 2 bytes JMP 75f38a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007706153d 2 bytes JMP 75eafca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077061555 2 bytes JMP 75eb68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007706156d 2 bytes JMP 75f38f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077061585 2 bytes JMP 75f38ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007706159d 2 bytes JMP 75f3865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770615b5 2 bytes JMP 75eafd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770615cd 2 bytes JMP 75ebb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770616b2 2 bytes JMP 75f38e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\spotify.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770616bd 2 bytes JMP 75f385f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 0000000077061401 2 bytes JMP 75ebb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 0000000077061419 2 bytes JMP 75ebb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 0000000077061431 2 bytes JMP 75f38ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 000000007706144a 2 bytes CALL 75e948ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 00000000770614dd 2 bytes JMP 75f387a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 00000000770614f5 2 bytes JMP 75f38978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 000000007706150d 2 bytes JMP 75f38698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 0000000077061525 2 bytes JMP 75f38a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 000000007706153d 2 bytes JMP 75eafca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 0000000077061555 2 bytes JMP 75eb68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 000000007706156d 2 bytes JMP 75f38f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 0000000077061585 2 bytes JMP 75f38ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 000000007706159d 2 bytes JMP 75f3865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 00000000770615b5 2 bytes JMP 75eafd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 00000000770615cd 2 bytes JMP 75ebb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 00000000770616b2 2 bytes JMP 75f38e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe[3940] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 00000000770616bd 2 bytes JMP 75f385f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077061401 2 bytes JMP 75ebb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077061419 2 bytes JMP 75ebb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077061431 2 bytes JMP 75f38ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007706144a 2 bytes CALL 75e948ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770614dd 2 bytes JMP 75f387a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770614f5 2 bytes JMP 75f38978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007706150d 2 bytes JMP 75f38698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077061525 2 bytes JMP 75f38a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007706153d 2 bytes JMP 75eafca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077061555 2 bytes JMP 75eb68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007706156d 2 bytes JMP 75f38f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077061585 2 bytes JMP 75f38ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007706159d 2 bytes JMP 75f3865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770615b5 2 bytes JMP 75eafd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770615cd 2 bytes JMP 75ebb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770616b2 2 bytes JMP 75f38e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770616bd 2 bytes JMP 75f385f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2192] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075e98791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077061401 2 bytes JMP 75ebb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077061419 2 bytes JMP 75ebb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077061431 2 bytes JMP 75f38ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007706144a 2 bytes CALL 75e948ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770614dd 2 bytes JMP 75f387a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770614f5 2 bytes JMP 75f38978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007706150d 2 bytes JMP 75f38698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077061525 2 bytes JMP 75f38a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007706153d 2 bytes JMP 75eafca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077061555 2 bytes JMP 75eb68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007706156d 2 bytes JMP 75f38f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077061585 2 bytes JMP 75f38ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007706159d 2 bytes JMP 75f3865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770615b5 2 bytes JMP 75eafd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770615cd 2 bytes JMP 75ebb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770616b2 2 bytes JMP 75f38e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770616bd 2 bytes JMP 75f385f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077061401 2 bytes JMP 75ebb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077061419 2 bytes JMP 75ebb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077061431 2 bytes JMP 75f38ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007706144a 2 bytes CALL 75e948ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770614dd 2 bytes JMP 75f387a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770614f5 2 bytes JMP 75f38978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007706150d 2 bytes JMP 75f38698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077061525 2 bytes JMP 75f38a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007706153d 2 bytes JMP 75eafca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077061555 2 bytes JMP 75eb68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007706156d 2 bytes JMP 75f38f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077061585 2 bytes JMP 75f38ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007706159d 2 bytes JMP 75f3865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770615b5 2 bytes JMP 75eafd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770615cd 2 bytes JMP 75ebb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770616b2 2 bytes JMP 75f38e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770616bd 2 bytes JMP 75f385f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077061401 2 bytes JMP 75ebb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077061419 2 bytes JMP 75ebb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077061431 2 bytes JMP 75f38ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007706144a 2 bytes CALL 75e948ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770614dd 2 bytes JMP 75f387a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770614f5 2 bytes JMP 75f38978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007706150d 2 bytes JMP 75f38698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077061525 2 bytes JMP 75f38a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007706153d 2 bytes JMP 75eafca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077061555 2 bytes JMP 75eb68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007706156d 2 bytes JMP 75f38f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077061585 2 bytes JMP 75f38ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007706159d 2 bytes JMP 75f3865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770615b5 2 bytes JMP 75eafd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770615cd 2 bytes JMP 75ebb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770616b2 2 bytes JMP 75f38e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770616bd 2 bytes JMP 75f385f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077061401 2 bytes JMP 75ebb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077061419 2 bytes JMP 75ebb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077061431 2 bytes JMP 75f38ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007706144a 2 bytes CALL 75e948ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770614dd 2 bytes JMP 75f387a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770614f5 2 bytes JMP 75f38978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007706150d 2 bytes JMP 75f38698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077061525 2 bytes JMP 75f38a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007706153d 2 bytes JMP 75eafca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077061555 2 bytes JMP 75eb68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007706156d 2 bytes JMP 75f38f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077061585 2 bytes JMP 75f38ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007706159d 2 bytes JMP 75f3865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770615b5 2 bytes JMP 75eafd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770615cd 2 bytes JMP 75ebb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770616b2 2 bytes JMP 75f38e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1848] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770616bd 2 bytes JMP 75f385f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077061401 2 bytes JMP 75ebb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077061419 2 bytes JMP 75ebb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077061431 2 bytes JMP 75f38ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007706144a 2 bytes CALL 75e948ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770614dd 2 bytes JMP 75f387a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770614f5 2 bytes JMP 75f38978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007706150d 2 bytes JMP 75f38698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077061525 2 bytes JMP 75f38a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007706153d 2 bytes JMP 75eafca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077061555 2 bytes JMP 75eb68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007706156d 2 bytes JMP 75f38f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077061585 2 bytes JMP 75f38ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007706159d 2 bytes JMP 75f3865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770615b5 2 bytes JMP 75eafd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770615cd 2 bytes JMP 75ebb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770616b2 2 bytes JMP 75f38e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mruvek\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4292] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770616bd 2 bytes JMP 75f385f1 C:\Windows\syswow64\kernel32.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!memcpy] [7feff16fd50] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!_CxxThrowException] [7feff1ba778] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!__CxxFrameHandler3] [7feff163be0] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!wcscat_s] [7feff188c94] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!memmove_s] [7feff188c74] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!calloc] [7feff163de8] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!toupper] [7feff1619d4] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!_vsnwprintf] [7feff163ef0] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!??2@YAPEAX_K@Z] [7feff1610ac] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!memcpy_s] [7feff1610e0] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!_purecall] [0] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!_amsg_exit] [0] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!realloc] [7feeec9de24] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!_errno] [7feeec9d1e8] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [7feeec9d208] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!_unlock] [0] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!__dllonexit] [0] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!_lock] [7feef789ac0] C:\Windows\system32\EhStorShell.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!_onexit] [7feef789afc] C:\Windows\system32\EhStorShell.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[msvcrt.dll!memcmp] [7feef789b10] C:\Windows\system32\EhStorShell.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!RtlVirtualUnwind] [77371510] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!OutputDebugStringA] [77365a40] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!RtlCaptureContext] [773651d0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!RtlLookupFunctionEntry] [77364750] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [77371950] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!UnhandledExceptionFilter] [773633c0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!GetCurrentProcess] [77365b00] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!TerminateProcess] [77366440] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!GetCurrentProcessId] [77363f20] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!QueryPerformanceCounter] [77369040] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!Sleep] [77363a20] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!FindResourceW] [773640d0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!FreeLibrary] [7736b170] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!LoadResource] [773eb7e0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!LoadLibraryExW] [77363400] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!GetModuleHandleW] [773659c0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!SizeofResource] [77366580] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!GetLastError] [77365c40] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!GetProcAddress] [773714f0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!lstrcmpiW] [77368db0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!CompareStringW] [77368d90] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!GetLogicalDrives] [77365ae0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!GetDriveTypeW] [773717a0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!CompareStringOrdinal] [77372060] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!DisableThreadLibraryCalls] [7735d870] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!GetThreadLocale] [773a8c00] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!SetThreadLocale] [77360950] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[USER32.dll!CharNextW] [7feff18a8c0] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[USER32.dll!LoadStringW] [7feff188d34] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[USER32.dll!InsertMenuW] [7feff188e50] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[USER32.dll!SetMenuDefaultItem] [7feff188e78] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[USER32.dll!UnregisterClassA] [7feff188d14] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ole32.dll!StringFromGUID2] [0] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ole32.dll!CoGetMalloc] [0] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ole32.dll!PropVariantClear] [7feef7838bc] C:\Windows\system32\EhStorShell.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ole32.dll!CoCreateInstance] [0] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ole32.dll!CoTaskMemAlloc] [0] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ole32.dll!CoTaskMemFree] [4a5bc7c700000000] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ole32.dll!CoTaskMemRealloc] [200000000] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[SETUPAPI.dll!SetupDiDestroyDeviceInfoList] [7fef8ba5b18] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[SETUPAPI.dll!SetupDiEnumDeviceInterfaces] [7fef8ba5984] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[SETUPAPI.dll!SetupDiGetClassDevsExW] [7fef8ba662c] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ADVAPI32.dll!RegSetValueExW] [77364f10] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ADVAPI32.dll!RegQueryInfoKeyW] [77366bc0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ADVAPI32.dll!RegCloseKey] [77353c40] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ADVAPI32.dll!RegEnumKeyExW] [77353c80] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ADVAPI32.dll!RegOpenKeyExW] [77398a80] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ADVAPI32.dll!RegDeleteValueW] [7736a190] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[ADVAPI32.dll!RegCreateKeyExW] [77372100] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[SHELL32.dll!SHCreateDefaultExtractIcon] [7feff161520] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[SHELL32.dll!SHCreateItemFromIDList] [7feff168ea0] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[SHELL32.dll!SHGetIDListFromObject] [7feff161500] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[PROPSYS.dll!PSCreateMemoryPropertyStore] [77264eec] C:\Windows\system32\USER32.dll IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[PROPSYS.dll!PSGetPropertyFromPropertyStorage] [0] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[PROPSYS.dll!PropVariantToVariant] [7fef8ba63a8] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[PROPSYS.dll!InitVariantFromBuffer] [7fef8ba5b78] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[PROPSYS.dll!PropVariantToStrRet] [7fef8ba58ac] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[PROPSYS.dll!PropVariantToString] [7fef8ba5a14] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[PROPSYS.dll!PropVariantCompareEx] [7fef8ba5cec] IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\system32\EhStorShell.dll[SHLWAPI.dll!SHStrDupW] [7feff1a0b58] C:\Windows\system32\msvcrt.dll ---- Processes - GMER 2.1 ---- Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:28) 000000006cf60000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24) 000000006cc50000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940](2015-02-10 21:00:30) 000000006c9d0000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24) 0000000068740000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (ICU I18N DLL/The ICU Project)(2015-02-10 21:00:30) 000000004a900000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (ICU Common DLL/The ICU Project)(2015-02-10 21:00:30) 00000000043d0000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (ICU Data DLL/The ICU Project)(2015-02-10 21:00:30) 000000004ad00000 Library c:\users\mruvek\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp0f3x1s.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940](2015-02-28 01:16:37) 0000000003f50000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24) 000000006a0a0000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:26) 0000000062ce0000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24) 0000000069e80000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24) 0000000065310000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24) 000000006fc90000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940](2015-02-10 21:00:30) 0000000072b10000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:26) 0000000070e00000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24) 0000000070dc0000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-02-10 21:00:24) 0000000070d70000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940](2015-02-10 21:00:28) 0000000070bf0000 Library C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Mruvek\AppData\Roaming\Dropbox\bin\Dropbox.exe [3940](2015-02-10 21:00:28) 0000000070d30000 ---- EOF - GMER 2.1 ----