GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-07-07 09:07:14 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916082 rev.3.CM Running: ebh0oj42.exe; Driver: C:\Users\rl0052\AppData\Local\Temp\pwddrpog.sys ---- System - GMER 1.0.15 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0x8B99468A] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x8B9945E8] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8B9945FC] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8B994612] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8B99464E] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8B99469E] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0x8B994676] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0x8B994662] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x8B99463A] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8B994626] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8B9945D4] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKey + 13D1 82E92369 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ECBD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8304EE8D 5 Bytes JMP 8B994652 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtSetInformationProcess 8308D6AD 5 Bytes JMP 8B99462A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 830974C1 7 Bytes JMP 8B9946A2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 830A42A2 5 Bytes JMP 8B99468E \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 830AFA7D 5 Bytes JMP 8B9945D8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateUserProcess 830C3116 5 Bytes JMP 8B994616 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRestoreKey 830E69CC 5 Bytes JMP 8B994666 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey 830F0968 5 Bytes JMP 8B99467A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcess 83130EE5 5 Bytes JMP 8B9945EC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 83130F30 7 Bytes JMP 8B994600 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetContextThread 83131DEF 5 Bytes JMP 8B99463E \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE peauth.sys 8FB6FE20 13 Bytes [E6, A4, 8F, E8, DD, 88, 39, ...] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[5588] ntdll.dll!LdrLoadDll 7792223E 5 Bytes JMP 6551FA35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5588] kernel32.dll!MapViewOfFile 75DD93DB 5 Bytes JMP 657C079E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5588] kernel32.dll!VirtualAlloc 75DDC43A 5 Bytes JMP 657C07C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5588] USER32.dll!GetWindowInfo 77734B5E 5 Bytes JMP 656A29CB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5588] GDI32.dll!CreateDIBSection 77AA8850 5 Bytes JMP 657C0728 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\mfevtps.exe[2356] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004059CB] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.) IAT C:\Program Files\Lenovo\System Update\SUService.exe[2932] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\System Update\SUService.exe[2932] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\System Update\SUService.exe[2932] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\System Update\SUService.exe[2932] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\System Update\SUService.exe[2932] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\System Update\SUService.exe[2932] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7598FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\00000068 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device Fs_Rec.sys (File System Recognizer Driver/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe1ee3cbb Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002268ee7452 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002268eecb75 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe1ee3cbb (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002268ee7452 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002268eecb75 (not active ControlSet) ---- EOF - GMER 1.0.15 ----