GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-07 12:02:19 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 WDC_WD5000AADS-00S9B0 rev.01.00A01 465,76GB Running: dwzv0gh0.exe; Driver: C:\Users\Hellfire\AppData\Local\Temp\kgtyykod.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwSaveKey + 13C1 82E89339 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EC2D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73DB2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73D95600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73D956BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73DB24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73DA8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73DA4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73DA506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73DA5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73DA6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73DA826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73DA87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73DA901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73DAE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73DA4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \Driver\FileOpenWebPublisherScreenHookDriver \Device\FileOpenWebPublisherScreenHookDriver fowp32.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@SIGN.MEDIA=B7E39CFE bsi_lab\Solarwinds-standred Edition\Solarwind Engineer\x2019s Toolset\SolarWinds-Toolset-V10.exe 1 ---- EOF - GMER 2.1 ----