GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-05 17:49:42
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.AX00 931.51GB
Running: 4qkoz6nv.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kgtiapow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002fb0000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002fb002f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88010428d8c 12 bytes {MOV RAX, 0xfffffa800b0262a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[3672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[3672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[3968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[3968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[4864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[4864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\HP SimplePass\IEWebSiteLogon.exe[5140] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\HP SimplePass\IEWebSiteLogon.exe[5140] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[5328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[5328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe[6328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe[6328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Research in Motion\Tunnel Manager\PeerManager.exe[6352] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Common Files\Research in Motion\Tunnel Manager\PeerManager.exe[6352] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[6420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[6420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Users\Owner\AppData\Local\AskPartnerNetwork\Toolbar\Updater\IDC\IdcLdr.exe[7016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Users\Owner\AppData\Local\AskPartnerNetwork\Toolbar\Updater\IDC\IdcLdr.exe[7016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe[7440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe[7440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe[7472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe[7472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.Helper.exe[8084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.Helper.exe[8084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.AutoUpdate.exe[6512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.AutoUpdate.exe[6512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[10248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[10248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[10248] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000657311a8 2 bytes [73, 65]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[10248] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000657313a8 2 bytes [73, 65]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[10248] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000065731422 2 bytes [73, 65]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[10248] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000065731498 2 bytes [73, 65]
.text C:\Program Files (x86)\SpacialAudio\SAMBC\SAMBC.exe[38820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\SpacialAudio\SAMBC\SAMBC.exe[38820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\HP SimplePass\TouchControl.exe[55860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\HP SimplePass\TouchControl.exe[55860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Users\Owner\AppData\Local\GG\Application\gghub.exe[15100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Users\Owner\AppData\Local\GG\Application\gghub.exe[15100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Users\Owner\AppData\Local\GG\Application\ggdrive\ggdrive.exe[25564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Users\Owner\AppData\Local\GG\Application\ggdrive\ggdrive.exe[25564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Users\Owner\Downloads\Programs\OTL.exe[59100] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Users\Owner\Downloads\Programs\OTL.exe[59100] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2
.text C:\Program Files (x86)\Winamp\winamp.exe[70380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bb1465 2 bytes [BB, 76]
.text C:\Program Files (x86)\Winamp\winamp.exe[70380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bb14bb 2 bytes [BB, 76]
.text ... * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff8800110a650] \SystemRoot\System32\Drivers\spnj.sys [unknown section]
IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff8800110a5dc] \SystemRoot\System32\Drivers\spnj.sys [unknown section]

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs fffffa80080512c0
Device \FileSystem\fastfat \Fat fffffa80156fc2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{9B858825-D2C6-4E27-85F0-FD19BE87EB6D} fffffa800afac2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{D8015D14-D582-42D5-92FF-B44C5DDFD1D1} fffffa800afac2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{942371D0-17CD-4B8A-80FC-F5AD84230A7C} fffffa800afac2c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa800b08c2c0
Device \Driver\cdrom \Device\CdRom0 fffffa800af7c2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{70923415-8B08-4621-AAF7-24D755899993} fffffa800afac2c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa800b08c2c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa800b08c2c0
Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80080492c0
Device \Driver\volmgr \Device\FtControl fffffa80080492c0
Device \Driver\volmgr \Device\VolMgrControl fffffa80080492c0
Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80080492c0
Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80080492c0
Device \Driver\volmgr \Device\HarddiskVolume4 fffffa80080492c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{7AAF003C-5C30-4B24-A12B-E93C23612AB6} fffffa800afac2c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800afac2c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa800b08c2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{90726EF4-EAEA-4483-87C7-EE239CC129BA} fffffa800afac2c0

---- Processes - GMER 2.1 ----

Library C:\Users\Owner\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2236] (GG drive menu/GG Network S.A.)(201 000000005ff80000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\auth.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09 0000000010000000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\burnlib.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000000340000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\dsp_sps.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000000290000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\enc_fhgaac.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 00000000003e0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\enc_flac.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 00000000003f0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\enc_lame.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 00000000007d0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\enc_wav.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000002430000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\enc_wma.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000002440000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_crasher.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002450000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_ff.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002460000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_hotkeys.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002470000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_jumpex.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002480000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_ml.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002490000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_orgler.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002d10000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_tray.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 0000000002d20000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_avi.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002d30000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_cdda.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000002d40000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_dshow.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 0000000002d50000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_flac.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000002d60000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_flv.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002d70000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_linein.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002d80000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_midi.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000002d90000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_mkv.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002da0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_mod.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002db0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_mp3.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002dc0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_mp4.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002dd0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_nsv.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002de0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_swf.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002df0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_vorbis.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002e00000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_wave.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000002e10000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_addons.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002e20000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_autotag.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002e30000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_bookmarks.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002e40000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_devices.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002e50000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_disc.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000002e60000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_downloads.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002e70000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_history.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002e80000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_impex.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 0000000002e90000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_local.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 0000000002ea0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_nowplaying.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002ec0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_online.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002ed0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_orb.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002ee0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_playlists.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002ef0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_plg.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002f00000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_pmp.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002f10000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_rg.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014- 0000000002f20000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_transcode.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002f30000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_wire.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000002f40000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ombrowser.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:51) 0000000002f50000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\out_disk.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 0000000002f60000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\out_ds.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000002f70000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\out_wave.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 0000000002f80000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\playlist.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 0000000002f90000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\pmp_activesync.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:52) 0000000002fa0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\pmp_android.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:52) 0000000002fb0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\pmp_ipod.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 0000000002fc0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\pmp_njb.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000002fd0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\pmp_p4s.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000002fe0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\pmp_usb.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000002ff0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\pmp_wifi.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 0000000003000000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\tagz.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09 0000000003010000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\vis_avs.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 0000000003020000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\vis_milk2.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2014-09-05 19:37:52) 0000000003040000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\vis_nsfs.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] 0000000003070000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\winamp.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](201 0000000003080000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\winampa.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380](2 00000000030e0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\enc_vorbis.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] (Nullsoft Ogg Vorbis Encoder/Pawel Porwisz)(2014-09-05 19:37:52) 00000000030f0000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_classicart.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] (Album Art Viewer/Pawel Porwisz)(2014-09-05 19:37:52) 0000000003100000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_find_on_disk.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] (Find File On Disk/Pawel Porwisz)(2014-09-05 19:37:52) 0000000003110000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_nopro.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] (Lite-n Winamp Preferences/Pawel Porwisz)(2014-09-05 19:37:52) 0000000003120000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_skinmanager.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] (Skin Manager/Pawel Porwisz)(2014-09-05 19:37:52) 0000000003130000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_timerestore.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] (Time Restore & Autoplay/Pawel Porwisz)(2014-09-05 19:37:52) 0000000003140000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\gen_undo.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] (Playlist Undo/Pawel Porwisz)(2014-09-05 19:37:52) 0000000003150000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_wav.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] (Waveform Wrapper/Pawel Porwisz)(2014-09-05 19:37:52) 0000000003160000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_wm.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] (Dekoder Windows Media/Pawel Porwisz)(2014-09-05 19:37:52) 0000000003170000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\in_wv.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] (WavPack Decoder/Pawel Porwisz)(2014-09-05 19:37:52) 0000000003180000
Library C:\Users\Owner\AppData\Local\Temp\WLZ950D.tmp\ml_enqplay.lng (*** suspicious ***) @ C:\Program Files (x86)\Winamp\winamp.exe [70380] (ML Enqueue and Play/Pawel Porwisz)(2014-09-05 19:37:52) 0000000003190000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\685d439c624b
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\685d439c624b (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9C9757A5-6992-9BB8-47C0-F3E634860ABD}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@iampbekgmlmpppbefj 0x6A 0x61 0x70 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@hacghcpgejhlgfdd 0x6A 0x61 0x70 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@iaabjblgfpmmjnecln 0x63 0x61 0x6C 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@dbadekdddlnaiaicmniipkojalglaklgjkfdhiea 0x68 0x61 0x68 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@jbadekdddlnaiaicmniimlkleejnelcdcmmjagfidbjcpmijggne 0x68 0x61 0x68 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EF2A84AF-A333-DC93-55DD-6BC6EE849EBE}@dbadekdddlnaiaicmniicenmofnhalcibenkojgo 0x6A 0x61 0x63 0x61 ...

---- EOF - GMER 2.1 ----