GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-15 19:14:08
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000070 ADATA___ rev.5.2. 59,63GB
Running: 7jphnu0b.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\kwddykog.sys

---- User code sections - GMER 2.1 ----

.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075da1401 2 bytes JMP 761ab20b C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075da1419 2 bytes JMP 761ab336 C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075da1431 2 bytes JMP 76228f39 C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000075da144a 2 bytes CALL 76184885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000075da14dd 2 bytes JMP 76228832 C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000075da14f5 2 bytes JMP 76228a08 C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000075da150d 2 bytes JMP 76228728 C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075da1525 2 bytes JMP 76228af2 C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000075da153d 2 bytes JMP 7619fc98 C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075da1555 2 bytes JMP 761a68df C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000075da156d 2 bytes JMP 76228ff1 C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075da1585 2 bytes JMP 76228b52 C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000075da159d 2 bytes JMP 762286ec C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000075da15b5 2 bytes JMP 7619fd31 C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000075da15cd 2 bytes JMP 761ab2cc C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000075da16b2 2 bytes JMP 76228eb4 C:\Windows\syswow64\kernel32.dll
.text  D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000075da16bd 2 bytes JMP 76228681 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2060] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82  00000000731317fa 2 bytes CALL 761811a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2060] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88  0000000073131860 2 bytes CALL 761811a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2060] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98  0000000073131942 2 bytes JMP 76887089 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2060] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109  000000007313194d 2 bytes JMP 7688cba6 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82  00000000731317fa 2 bytes CALL 761811a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88  0000000073131860 2 bytes CALL 761811a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98  0000000073131942 2 bytes JMP 76887089 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109  000000007313194d 2 bytes JMP 7688cba6 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  0000000075da1401 2 bytes JMP 761ab20b C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  0000000075da1419 2 bytes JMP 761ab336 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  0000000075da1431 2 bytes JMP 76228f39 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  0000000075da144a 2 bytes CALL 76184885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  0000000075da14dd 2 bytes JMP 76228832 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  0000000075da14f5 2 bytes JMP 76228a08 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  0000000075da150d 2 bytes JMP 76228728 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  0000000075da1525 2 bytes JMP 76228af2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  0000000075da153d 2 bytes JMP 7619fc98 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  0000000075da1555 2 bytes JMP 761a68df C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  0000000075da156d 2 bytes JMP 76228ff1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  0000000075da1585 2 bytes JMP 76228b52 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  0000000075da159d 2 bytes JMP 762286ec C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  0000000075da15b5 2 bytes JMP 7619fd31 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  0000000075da15cd 2 bytes JMP 761ab2cc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  0000000075da16b2 2 bytes JMP 76228eb4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2144] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  0000000075da16bd 2 bytes JMP 76228681 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075da1401 2 bytes JMP 761ab20b C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075da1419 2 bytes JMP 761ab336 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075da1431 2 bytes JMP 76228f39 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000075da144a 2 bytes CALL 76184885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000075da14dd 2 bytes JMP 76228832 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000075da14f5 2 bytes JMP 76228a08 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000075da150d 2 bytes JMP 76228728 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075da1525 2 bytes JMP 76228af2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000075da153d 2 bytes JMP 7619fc98 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075da1555 2 bytes JMP 761a68df C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000075da156d 2 bytes JMP 76228ff1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075da1585 2 bytes JMP 76228b52 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000075da159d 2 bytes JMP 762286ec C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000075da15b5 2 bytes JMP 7619fd31 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000075da15cd 2 bytes JMP 761ab2cc C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000075da16b2 2 bytes JMP 76228eb4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000075da16bd 2 bytes JMP 76228681 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075da1401 2 bytes JMP 761ab20b C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075da1419 2 bytes JMP 761ab336 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075da1431 2 bytes JMP 76228f39 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000075da144a 2 bytes CALL 76184885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000075da14dd 2 bytes JMP 76228832 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000075da14f5 2 bytes JMP 76228a08 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000075da150d 2 bytes JMP 76228728 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075da1525 2 bytes JMP 76228af2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000075da153d 2 bytes JMP 7619fc98 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075da1555 2 bytes JMP 761a68df C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000075da156d 2 bytes JMP 76228ff1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075da1585 2 bytes JMP 76228b52 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000075da159d 2 bytes JMP 762286ec C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000075da15b5 2 bytes JMP 7619fd31 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000075da15cd 2 bytes JMP 761ab2cc C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000075da16b2 2 bytes JMP 76228eb4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Tomek\AppData\Local\Temp\Rar$EXa0.164\procexp.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000075da16bd 2 bytes JMP 76228681 C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Program Files\Internet Explorer\iexplore.exe[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\advapi32.DLL[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\iertutil.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\version.DLL[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\user32.DLL[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\shlwapi.DLL[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\shlwapi.DLL[USER32.dll!DialogBoxParamW]  [7fee9694bf0] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\shlwapi.DLL[USER32.dll!DialogBoxParamA]  [7fee96be5a4] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\shlwapi.DLL[USER32.dll!MessageBoxW]  [7fee96be1bc] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\MSCTF.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\shell32.DLL[USER32.dll!MessageBoxW]  [7fee96be1bc] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\shell32.DLL[USER32.dll!DialogBoxParamW]  [7fee9694bf0] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\shell32.DLL[USER32.dll!MessageBoxIndirectW]  [7fee9694170] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\shell32.DLL[USER32.dll!EnableWindow]  [7fee9682e04] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\IEFRAME.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!EnableWindow]  [7fee9682e04] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!MessageBoxW]  [7fee96be1bc] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!DialogBoxParamW]  [7fee9694bf0] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!MessageBoxIndirectW]  [7fee9694170] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\ole32.DLL[USER32.dll!EnableWindow]  [7fee9682e04] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\ole32.DLL[USER32.dll!DialogBoxParamW]  [7fee9694bf0] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\ole32.DLL[USER32.dll!MessageBoxW]  [7fee96be1bc] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!EnableWindow]  [7fee9682e04] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll[USER32.dll!EnableWindow]  [7fee9682e04] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll[USER32.dll!DialogBoxIndirectParamW]  [7fee96be650] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\comdlg32.dll[USER32.dll!EnableWindow]  [7fee9682e04] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\comdlg32.dll[USER32.dll!DialogBoxIndirectParamW]  [7fee96be650] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\comdlg32.dll[USER32.dll!MessageBoxW]  [7fee96be1bc] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\comdlg32.dll[COMCTL32.dll!PropertySheetW]  [7fee96be958] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\comdlg32.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\urlmon.dll[USER32.dll!EnableWindow]  [7fee9682e04] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\urlmon.dll[USER32.dll!DialogBoxParamW]  [7fee9694bf0] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\WININET.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Program Files\Internet Explorer\sqmapi.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\Secur32.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\CLBCatQ.DLL[USER32.dll!DialogBoxParamW]  [7fee9694bf0] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\System32\netprofm.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\System32\nlaapi.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Program Files\Internet Explorer\ieproxy.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\apphelp.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\System32\fwpuclnt.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\IEUI.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\oleacc.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\explorerframe.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\explorerframe.dll[USER32.dll!EnableWindow]  [7fee9682e04] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\DUser.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\DUI70.dll[USER32.dll!EnableWindow]  [7fee9682e04] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\DUI70.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\propsys.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!DialogBoxParamW]  [7fee9694bf0] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!EnableWindow]  [7fee9682e04] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!MessageBoxW]  [7fee96be1bc] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\CFGMGR32.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\WLDAP32.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\MSHTML.dll[KERNEL32.dll!GetProcAddress]  [7fee9681cf8] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\MSHTML.dll[USER32.dll!MessageBoxW]  [7fee96be1bc] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\MSHTML.dll[USER32.dll!DialogBoxParamW]  [7fee9694bf0] C:\Program Files\Internet Explorer\IEShims.dll
IAT  C:\Program Files\Internet Explorer\iexplore.exe[5260] @ C:\Windows\system32\MSHTML.dll[USER32.dll!EnableWindow]  [7fee9682e04] C:\Program Files\Internet Explorer\IEShims.dll

---- Processes - GMER 2.1 ----

Process  C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072] (FILE  0000000000400000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\python27.dll (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072] (Python Core/Python Software Foundation)(2015-08-15 16:31:20)  000000001e000000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\_hashlib.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  0000000010000000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\win32api.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  000000001e8c0000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\pywintypes27.dll (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:21)  000000001e7a0000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\pythoncom27.dll (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  0000000000450000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\_multiprocessing.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  00000000003b0000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  000000001e800000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\_socket.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  00000000004d0000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\_ssl.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  0000000001fa0000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\_ctypes.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  000000001d1a0000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\win32file.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  000000001ea10000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\msgpack._packer.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:21)  0000000000540000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\msgpack._unpacker.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  0000000000550000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\pyHook._cpyHook.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:21)  0000000000570000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\win32gui.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  000000001ea40000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\select.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  000000001d110000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\psutil._psutil_windows.pyd (*** suspicious ***) @ C:\Users\Tomek\AppData\Roaming\pwo12\audiogd.exe [4072](2015-08-15 16:31:20)  0000000000590000
Process  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\bin\eth64\atieclxx.exe (*** suspicious ***) @ C:\Users\Tomek\AppData\Local\Temp\_MEI38322\bin\eth64\atieclxx.exe [4224](2015-08-15 16:31:21)  000000013f6d0000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\bin\eth64\libcurl.dll (*** suspicious ***) @ C:\Users\Tomek\AppData\Local\Temp\_MEI38322\bin\eth64\atieclxx.exe [4224] (libcurl Shared Library/The cURL library, http://curl.haxx.se/)(2015-08-15 16:31:21)  000007fef0390000
Library  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\bin\eth64\OpenCL.dll (*** suspicious ***) @ C:\Users\Tomek\AppData\Local\Temp\_MEI38322\bin\eth64\atieclxx.exe [4224](2015-08-15 16:31:21)  000007fef01e0000
Process  C:\Users\Tomek\AppData\Local\Temp\_MEI38322\bin\atiesrxx.exe (*** suspicious ***) @ C:\Users\Tomek\AppData\Local\Temp\_MEI38322\bin\atiesrxx.exe [4320](2015-08-15 16:31:21)  0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----