GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-28 22:39:37
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST950032 rev.0001 465,76GB
Running: ufusvlow.exe; Driver: C:\Users\Dominik\AppData\Local\Temp\kwtdqpow.sys

---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83055A15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8308F212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.2 ----

.text C:\Windows\Explorer.EXE[1744] SHELL32.dll!SHFileOperationW 765C96F6 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Windows\explorer.exe[2276] SHELL32.dll!SHFileOperationW 765C96F6 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [747A2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74785600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [747856BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [747A24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74798514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74794CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7479506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74795144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74796671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7479826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [747987BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7479901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7479E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74794BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [747A2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [74785600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [747856BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [747A24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [74798514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [74794CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [7479506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [74795144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74796671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [7479826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [747987BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [7479901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7479E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [74794BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015830cbfeb
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015830cbfeb@e8150e223677 0xAE 0x18 0xB0 0xB4 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015830cbfeb (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015830cbfeb@e8150e223677 0xAE 0x18 0xB0 0xB4 ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@SIGN.MEDIA=3A9C0180 \Windows7-USB-DVD-Download-Tool-Installer-en-US.exe 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@SIGN.MEDIA=3A9C0180 \Windows7-USB-DVD-Download-Tool-Installer-en-US.exe 1

---- EOF - GMER 2.2 ----