GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-13 03:52:30
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-4 ST3160815AS rev.3.AAD 149,05GB
Running: k6kjzc11.exe; Driver: C:\Users\KAROKO\AppData\Local\Temp\uxdiipog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000773bfaa8 5 bytes JMP 00000001739a19e8
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1616] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773c0038 5 bytes JMP 00000001739a209e
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773bf9b1 7 bytes {MOV EDX, 0x56ca28; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773bfbf5 7 bytes {MOV EDX, 0x56ca68; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773bfc25 7 bytes {MOV EDX, 0x56c9a8; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773bfc3d 7 bytes {MOV EDX, 0x56c928; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773bfc55 7 bytes {MOV EDX, 0x56cb28; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773bfc85 7 bytes {MOV EDX, 0x56cb68; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773bfd05 7 bytes {MOV EDX, 0x56cae8; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773bfd1d 7 bytes {MOV EDX, 0x56caa8; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773bfd69 7 bytes {MOV EDX, 0x56c868; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773bfe61 7 bytes {MOV EDX, 0x56c8a8; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773c00b9 7 bytes {MOV EDX, 0x56c828; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773c10c5 7 bytes {MOV EDX, 0x56c9e8; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773c113d 7 bytes {MOV EDX, 0x56c968; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773c1341 7 bytes {MOV EDX, 0x56c8e8; JMP RDX}
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765a1465 2 bytes [5A, 76]
.text C:\Program Files (x86)\Comodo\Dragon\dragon.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765a14bb 2 bytes [5A, 76]
.text ... * 2
? C:\Windows\system32\mssprxy.dll [3692] entry point in ".rdata" section 000000006b2b71e6

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88003370ea4] \SystemRoot\system32\DRIVERS\klif.sys [PAGE]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\svchost.exe [440:1300] 000007fef9d51a50
Thread C:\Windows\system32\svchost.exe [440:1920] 000007fefad7818c
Thread C:\Windows\system32\svchost.exe [440:2976] 000007fef3e784d8
Thread C:\Windows\system32\svchost.exe [440:3008] 000007fef3e323a8
Thread C:\Windows\system32\svchost.exe [440:3016] 000007fef3eb0d00
Thread C:\Windows\system32\svchost.exe [440:3020] 000007fef3ce9498
Thread C:\Windows\system32\svchost.exe [440:3964] 000007fef27d506c
Thread C:\Windows\system32\svchost.exe [440:3972] 000007fef7f61c20
Thread C:\Windows\system32\svchost.exe [440:3976] 000007fef7f61c20
Thread C:\Windows\system32\svchost.exe [440:3888] 000007fef8cf5124
Thread C:\Windows\system32\svchost.exe [440:4292] 000007fef242cb70
Thread C:\Windows\system32\svchost.exe [440:3784] 000007fef242cb70
Thread C:\Windows\system32\svchost.exe [440:3600] 000007fef242cb70
Thread C:\Windows\system32\svchost.exe [440:732] 000007fefad94164
Thread C:\Windows\system32\svchost.exe [440:3652] 000007fef2bf1ab0
Thread C:\Windows\system32\svchost.exe [1176:1776] 000007fef8d5bec4
Thread C:\Windows\system32\svchost.exe [1176:2956] 000007fefad7818c
Thread C:\Windows\system32\svchost.exe [1176:2960] 000007fef3f283d8
Thread C:\Windows\system32\svchost.exe [1176:2964] 000007fef3f283d8
Thread C:\Windows\system32\svchost.exe [1176:2984] 000007fef3df3f1c
Thread C:\Windows\system32\svchost.exe [1176:2988] 000007fef3dc22b8
Thread C:\Windows\system32\svchost.exe [1176:2992] 000007fef3dc1a38
Thread C:\Windows\system32\svchost.exe [1176:2996] 000007fef3d45388
Thread C:\Windows\system32\svchost.exe [1176:3000] 000007fef3d27738
Thread C:\Windows\system32\svchost.exe [1176:3004] 000007fef3d11f90
Thread C:\Windows\system32\svchost.exe [1176:3316] 000007fef8cf5124
Thread C:\Windows\system32\svchost.exe [1176:4640] 000007fef9195170
Thread C:\Windows\System32\spoolsv.exe [1316:2552] 000007fef55f10c8
Thread C:\Windows\System32\spoolsv.exe [1316:2560] 000007fef55b6144
Thread C:\Windows\System32\spoolsv.exe [1316:2564] 000007fef53a5fd0
Thread C:\Windows\System32\spoolsv.exe [1316:2568] 000007fef5393438
Thread C:\Windows\System32\spoolsv.exe [1316:2572] 000007fef53a63ec
Thread C:\Windows\System32\spoolsv.exe [1316:2580] 000007fefbf55e5c
Thread C:\Windows\System32\spoolsv.exe [1316:2588] 000007fefbe35074

---- EOF - GMER 2.1 ----