GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-28 19:34:23 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.AX00 931.51GB Running: devp6lhx.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kgtiapow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002ff7000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002ff702f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88011341d8c 12 bytes {MOV RAX, 0xfffffa800b3b12a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[2608] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[2608] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.5\ToolbarUpdater.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.5\ToolbarUpdater.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe[4132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe[4132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\HP SimplePass\IEWebSiteLogon.exe[4588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\HP SimplePass\IEWebSiteLogon.exe[4588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Users\Owner\AppData\Local\DM\TinyDM.exe[5200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Users\Owner\AppData\Local\DM\TinyDM.exe[5200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\ipla\ipla.exe[5248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\ipla\ipla.exe[5248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.exe[5436] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.exe[5436] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[6700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[6700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[6956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[6956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe[7000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe[7000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Research in Motion\Tunnel Manager\PeerManager.exe[3400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Common Files\Research in Motion\Tunnel Manager\PeerManager.exe[3400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe[7968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe[7968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe[3544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe[3544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.Helper.exe[8428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.Helper.exe[8428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.AutoUpdate.exe[8604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.AutoUpdate.exe[8604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\HP SimplePass\TouchControl.exe[11412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\HP SimplePass\TouchControl.exe[11412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Users\Owner\AppData\Local\GG\Application\ggdrive\ggdrive.exe[19276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Users\Owner\AppData\Local\GG\Application\ggdrive\ggdrive.exe[19276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Winamp\winamp.exe[10832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Winamp\winamp.exe[10832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[14264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[14264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[14264] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000072cd11a8 2 bytes [CD, 72] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[14264] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000072cd13a8 2 bytes [CD, 72] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[14264] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000072cd1422 2 bytes [CD, 72] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[14264] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000072cd1498 2 bytes [CD, 72] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff8800108b650] \SystemRoot\System32\Drivers\spsa.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff8800108b5dc] \SystemRoot\System32\Drivers\spsa.sys [unknown section] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\rundll32.exe[5692] @ C:\Windows\System32\rundll32.exe[KERNEL32.dll!LoadLibraryExW] [7fef24bc8f0] C:\Program Files (x86)\Motitags_94\bar\1.bin\HPG64.DLL IAT C:\Windows\System32\rundll32.exe[5692] @ C:\Windows\System32\rundll32.exe[KERNEL32.dll!LoadLibraryExA] [7fef24bc860] C:\Program Files (x86)\Motitags_94\bar\1.bin\HPG64.DLL IAT C:\Windows\System32\rundll32.exe[5692] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryA] [7fef24bcbc0] C:\Program Files (x86)\Motitags_94\bar\1.bin\HPG64.DLL IAT C:\Windows\System32\rundll32.exe[5692] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryW] [7fef24bcc50] C:\Program Files (x86)\Motitags_94\bar\1.bin\HPG64.DLL ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80080312c0 Device \FileSystem\fastfat \Fat fffffa8015b3e2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9B858825-D2C6-4E27-85F0-FD19BE87EB6D} fffffa800afb32c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{D8015D14-D582-42D5-92FF-B44C5DDFD1D1} fffffa800afb32c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{942371D0-17CD-4B8A-80FC-F5AD84230A7C} fffffa800afb32c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800b3ad2c0 Device \Driver\cdrom \Device\CdRom0 fffffa800a7ef2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{70923415-8B08-4621-AAF7-24D755899993} fffffa800afb32c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800b3ad2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800b3ad2c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80080292c0 Device \Driver\volmgr \Device\FtControl fffffa80080292c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80080292c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80080292c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80080292c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa80080292c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{7AAF003C-5C30-4B24-A12B-E93C23612AB6} fffffa800afb32c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800afb32c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800b3ad2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{90726EF4-EAEA-4483-87C7-EE239CC129BA} fffffa800afb32c0 ---- Processes - GMER 2.1 ---- Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\auth.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05 0000000010000000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\burnlib.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000000370000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\dsp_sps.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000000240000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\enc_fhgaac.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 00000000003e0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\enc_flac.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 00000000003f0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\enc_lame.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 0000000000680000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\enc_wav.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000000690000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\enc_wma.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 00000000006a0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_crasher.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 00000000006b0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_ff.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 00000000006c0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_hotkeys.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 00000000006d0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_jumpex.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000001f00000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_ml.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 0000000001f10000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_orgler.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000001f20000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_tray.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 0000000001f30000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_avi.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 0000000001f40000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_cdda.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000001f50000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_dshow.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 0000000001f60000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_flac.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000001f70000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_flv.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 0000000001f80000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_linein.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000001f90000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_midi.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000001fa0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_mkv.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 0000000001fb0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_mod.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 0000000001fc0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_mp3.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 0000000002490000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_mp4.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 00000000024a0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_nsv.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 00000000024b0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_swf.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 00000000024c0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_vorbis.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 00000000024d0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_wave.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 00000000024e0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_addons.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000002930000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_autotag.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000002940000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_bookmarks.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000002950000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_devices.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000002960000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_disc.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000002970000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_downloads.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000002980000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_history.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000002990000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_impex.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 00000000029a0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_local.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 00000000029b0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_nowplaying.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 00000000029d0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_online.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 00000000029e0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_orb.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 00000000029f0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_playlists.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000002a00000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_plg.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 0000000002a10000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_pmp.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 0000000002a20000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_rg.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014- 0000000002a30000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_transcode.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000002a40000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_wire.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000002a50000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ombrowser.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:30) 0000000002a60000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\out_disk.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 0000000002a70000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\out_ds.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 0000000002a80000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\out_wave.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 0000000002a90000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\playlist.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 0000000002aa0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\pmp_activesync.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:31) 0000000002ab0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\pmp_android.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:31) 0000000002ac0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\pmp_ipod.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 0000000002ad0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\pmp_njb.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000002ae0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\pmp_p4s.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000002af0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\pmp_usb.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000002b00000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\pmp_wifi.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 0000000002b10000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\tagz.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05 0000000002b20000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\vis_avs.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000002b30000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\vis_milk2.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2014-05-28 19:51:31) 0000000002b50000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\vis_nsfs.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] 0000000002b80000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\winamp.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](201 0000000002b90000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\winampa.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832](2 0000000002bf0000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\enc_vorbis.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] (Nullsoft Ogg Vorbis Encoder/Pawel Porwisz)(2014-05-28 19:51:31) 0000000002c00000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_classicart.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] (Album Art Viewer/Pawel Porwisz)(2014-05-28 19:51:31) 0000000002c10000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_find_on_disk.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] (Find File On Disk/Pawel Porwisz)(2014-05-28 19:51:31) 0000000002c20000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_nopro.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] (Lite-n Winamp Preferences/Pawel Porwisz)(2014-05-28 19:51:31) 0000000002c30000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_skinmanager.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] (Skin Manager/Pawel Porwisz)(2014-05-28 19:51:31) 0000000002c40000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_timerestore.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] (Time Restore & Autoplay/Pawel Porwisz)(2014-05-28 19:51:31) 0000000002c50000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\gen_undo.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] (Playlist Undo/Pawel Porwisz)(2014-05-28 19:51:31) 0000000002c60000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_wav.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] (Waveform Wrapper/Pawel Porwisz)(2014-05-28 19:51:31) 0000000002c70000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_wm.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] (Dekoder Windows Media/Pawel Porwisz)(2014-05-28 19:51:31) 0000000002c80000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\in_wv.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] (WavPack Decoder/Pawel Porwisz)(2014-05-28 19:51:31) 0000000002c90000 Library C:\Users\Owner\AppData\Local\Temp\WLZF4C1.tmp\ml_enqplay.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [10832] (ML Enqueue and Play/Pawel Porwisz)(2014-05-28 19:51:31) 0000000002ca0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\685d439c624b Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\685d439c624b (not active ControlSet) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9C9757A5-6992-9BB8-47C0-F3E634860ABD} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@iampbekgmlmpppbefj 0x6A 0x61 0x70 0x63 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@hacghcpgejhlgfdd 0x6A 0x61 0x70 0x63 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@iaabjblgfpmmjnecln 0x63 0x61 0x6C 0x63 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@dbadekdddlnaiaicmniipkojalglaklgjkfdhiea 0x68 0x61 0x68 0x65 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@jbadekdddlnaiaicmniimlkleejnelcdcmmjagfidbjcpmijggne 0x68 0x61 0x68 0x65 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@dbadekdddlnaiaicmniicenmofnhalcibenkojgo 0x6A 0x61 0x63 0x61 ... ---- EOF - GMER 2.1 ----