GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-14 19:25:08 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JEDO 596,17GB Running: kijf7xls.exe; Driver: C:\Users\Angie\AppData\Local\Temp\kgddykod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[1068] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 000000016ac91765 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3528] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d41465 2 bytes [D4, 74] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3528] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d414bb 2 bytes [D4, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5228] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d41465 2 bytes [D4, 74] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5228] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d414bb 2 bytes [D4, 74] .text ... * 2 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3496] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d41465 2 bytes [D4, 74] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3496] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d414bb 2 bytes [D4, 74] .text ... * 2 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4052] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d41465 2 bytes [D4, 74] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4052] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d414bb 2 bytes [D4, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6928] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d41465 2 bytes [D4, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6928] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d414bb 2 bytes [D4, 74] .text ... * 2 ? C:\windows\system32\mssprxy.dll [6928] entry point in ".rdata" section 000000006eda71e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007755f991 7 bytes {MOV EDX, 0x9b2628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007755fbd5 7 bytes {MOV EDX, 0x9b2668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007755fc05 7 bytes {MOV EDX, 0x9b25a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007755fc1d 7 bytes {MOV EDX, 0x9b2528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007755fc35 7 bytes {MOV EDX, 0x9b2728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007755fc65 7 bytes {MOV EDX, 0x9b2768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007755fce5 7 bytes {MOV EDX, 0x9b26e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007755fcfd 7 bytes {MOV EDX, 0x9b26a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007755fd49 7 bytes {MOV EDX, 0x9b2468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007755fe41 7 bytes {MOV EDX, 0x9b24a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077560099 7 bytes {MOV EDX, 0x9b2428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775610a5 7 bytes {MOV EDX, 0x9b25e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007756111d 7 bytes {MOV EDX, 0x9b2568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077561321 7 bytes {MOV EDX, 0x9b24e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d41465 2 bytes [D4, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d414bb 2 bytes [D4, 74] .text ... * 2 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe[4120] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d41465 2 bytes [D4, 74] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe[4120] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d414bb 2 bytes [D4, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007755f991 7 bytes {MOV EDX, 0x5cc228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007755fbd5 7 bytes {MOV EDX, 0x5cc268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007755fc05 7 bytes {MOV EDX, 0x5cc1a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007755fc1d 7 bytes {MOV EDX, 0x5cc128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007755fc35 7 bytes {MOV EDX, 0x5cc328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007755fc65 7 bytes {MOV EDX, 0x5cc368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007755fce5 7 bytes {MOV EDX, 0x5cc2e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007755fcfd 7 bytes {MOV EDX, 0x5cc2a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007755fd49 7 bytes {MOV EDX, 0x5cc068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007755fe41 7 bytes {MOV EDX, 0x5cc0a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077560099 7 bytes {MOV EDX, 0x5cc028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775610a5 7 bytes {MOV EDX, 0x5cc1e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007756111d 7 bytes {MOV EDX, 0x5cc168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077561321 7 bytes {MOV EDX, 0x5cc0e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d41465 2 bytes [D4, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d414bb 2 bytes [D4, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007755f991 7 bytes {MOV EDX, 0xdf9a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007755fbd5 7 bytes {MOV EDX, 0xdf9a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007755fc05 7 bytes {MOV EDX, 0xdf99a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007755fc1d 7 bytes {MOV EDX, 0xdf9928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007755fc35 7 bytes {MOV EDX, 0xdf9b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007755fc65 7 bytes {MOV EDX, 0xdf9b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007755fce5 7 bytes {MOV EDX, 0xdf9ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007755fcfd 7 bytes {MOV EDX, 0xdf9aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007755fd49 7 bytes {MOV EDX, 0xdf9868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007755fe41 7 bytes {MOV EDX, 0xdf98a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077560099 7 bytes {MOV EDX, 0xdf9828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775610a5 7 bytes {MOV EDX, 0xdf99e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007756111d 7 bytes {MOV EDX, 0xdf9968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077561321 7 bytes {MOV EDX, 0xdf98e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d41465 2 bytes [D4, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2348] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d414bb 2 bytes [D4, 74] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\windows\SysWOW64\ntdll.dll [3816:3404] 0000000000419a10 Thread C:\windows\SysWOW64\ntdll.dll [3816:5160] 00000000675e4e30 Thread C:\windows\SysWOW64\ntdll.dll [3816:5172] 0000000071e129e1 Thread C:\windows\SysWOW64\ntdll.dll [3816:5244] 0000000071e129e1 Thread C:\windows\SysWOW64\ntdll.dll [3816:5344] 0000000071e129e1 Thread C:\windows\SysWOW64\ntdll.dll [3816:5348] 0000000071e129e1 Thread C:\windows\SysWOW64\ntdll.dll [3816:5480] 0000000071e129e1 Thread C:\windows\SysWOW64\ntdll.dll [3816:5500] 0000000071e129e1 Thread C:\windows\SysWOW64\ntdll.dll [3816:5672] 000000007122a3e0 Thread C:\windows\SysWOW64\ntdll.dll [3816:300] 0000000071e129e1 Thread C:\windows\System32\svchost.exe [6476:6784] 000007fef2479688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{DB7B6AE5-F17E-4226-A12F-9467C8D22FA0}\Connection@Name isatap.{378AA263-D4E2-4C05-BEA0-AC3DC2A88D9B} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{195EDD8F-27FA-4310-95EC-FC04F6D28F50}?\Device\{628E134A-0998-444C-B580-D016C6EEC890}?\Device\{AE8CA22C-1E17-446A-B483-087A918895CA}?\Device\{DB7B6AE5-F17E-4226-A12F-9467C8D22FA0}?\Device\{B914458E-936A-42D5-8274-7F6B38535057}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{195EDD8F-27FA-4310-95EC-FC04F6D28F50}"?"{628E134A-0998-444C-B580-D016C6EEC890}"?"{AE8CA22C-1E17-446A-B483-087A918895CA}"?"{DB7B6AE5-F17E-4226-A12F-9467C8D22FA0}"?"{B914458E-936A-42D5-8274-7F6B38535057}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{195EDD8F-27FA-4310-95EC-FC04F6D28F50}?\Device\TCPIP6TUNNEL_{628E134A-0998-444C-B580-D016C6EEC890}?\Device\TCPIP6TUNNEL_{AE8CA22C-1E17-446A-B483-087A918895CA}?\Device\TCPIP6TUNNEL_{DB7B6AE5-F17E-4226-A12F-9467C8D22FA0}?\Device\TCPIP6TUNNEL_{B914458E-936A-42D5-8274-7F6B38535057}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{DB7B6AE5-F17E-4226-A12F-9467C8D22FA0}@InterfaceName isatap.{378AA263-D4E2-4C05-BEA0-AC3DC2A88D9B} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{DB7B6AE5-F17E-4226-A12F-9467C8D22FA0}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 9005 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 3029 ---- EOF - GMER 2.1 ----