GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-07 15:08:01
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7 WDC_WD2500AAKX-001CA0 rev.15.01H15 232,89GB
Running: 9c8tyq56.exe; Driver: C:\DOCUME~1\KOPALI~1\USTAWI~1\Temp\kwlcypoc.sys


---- System - GMER 2.1 ----

Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwCreateKey [0xB9EB85B0]
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwDeleteKey [0xB9EB85C4]
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwDeleteValueKey [0xB9EB85F0]
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwOpenKey [0xB9EB859C]
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwOpenProcess [0xB9EB8574]
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwOpenThread [0xB9EB8588]
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwRenameKey [0xB9EB85DA]
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwSetSecurityObject [0xB9EB861C]
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwSetValueKey [0xB9EB8606]
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  NtOpenProcess
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  NtOpenThread
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  NtSetSecurityObject

---- Kernel code sections - GMER 2.1 ----

PAGE  ntkrnlpa.exe!NtSetSecurityObject  805C062E 5 Bytes  JMP B9EB8620 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!NtOpenProcess  805CB440 5 Bytes  JMP B9EB8578 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!NtOpenThread  805CB6CC 5 Bytes  JMP B9EB858C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwSetValueKey  80622662 7 Bytes  JMP B9EB860A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwRenameKey  80623B12 7 Bytes  JMP B9EB85DE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwCreateKey  806240F0 5 Bytes  JMP B9EB85B4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwDeleteKey  8062458C 7 Bytes  JMP B9EB85C8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwDeleteValueKey  8062475C 7 Bytes  JMP B9EB85F4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwOpenKey  806254CE 5 Bytes  JMP B9EB85A0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\WINDOWS\system32\mfevtps.exe[1152] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW]  [004093C0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT  C:\WINDOWS\system32\mfevtps.exe[1152] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA]  [00409420] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Ip  mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp  mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Udp  mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp  mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@DisplayName  Support Image
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@Type  32
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@Start  2
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@Description  Provides validation trust protection services
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka\Parameters  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka\Parameters@ServiceDll  C:\WINDOWS\system32\lkkalcuy.dll
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore@Count  9751
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\iexplore@Count  9750
Reg  HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\165\Shell@Mode  3
Reg  HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\165\Shell@Sort  0
Reg  HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\165\Shell@Col  -1

---- EOF - GMER 2.1 ----
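The two things a reviewer pulls out of a log like this by hand are (a) which kernel module owns every hook in the System and Kernel code sections, and (b) any Services\<name>\Parameters@ServiceDll value, since that is the DLL svchost.exe loads into the host process named by the service's ImagePath. The script below, an added example and not part of GMER or of the original post, parses those sections with regular expressions, counts hooks per module, flags hooks owned by any module outside an allowlist, and collects every service whose ImagePath is svchost.exe and which defines a ServiceDll, together with the control set it lives in. The allowlist (only mfehidk.sys, the McAfee driver that owns every hook above) is an assumption for this host; the sample input is a subset of the log lines above, embedded verbatim.

```python
import re
from collections import Counter, defaultdict

# Assumption: kernel modules the analyst trusts to hook on this host.
# Every hook in the log above belongs to the McAfee driver mfehidk.sys.
TRUSTED_HOOK_MODULES = {"mfehidk.sys"}

# Sample input: a subset of the GMER log lines above, copied verbatim.
SAMPLE_LOG = r"""
---- System - GMER 2.1 ----
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwCreateKey [0xB9EB85B0]
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwOpenProcess [0xB9EB8574]
Code  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  NtOpenProcess
---- Kernel code sections - GMER 2.1 ----
PAGE  ntkrnlpa.exe!NtOpenProcess  805CB440 5 Bytes  JMP B9EB8578 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwSetValueKey  80622662 7 Bytes  JMP B9EB860A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwCreateKey  806240F0 5 Bytes  JMP B9EB85B4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
---- Devices - GMER 2.1 ----
AttachedDevice  \FileSystem\Ntfs \Ntfs  mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
---- Registry - GMER 2.1 ----
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@DisplayName  Support Image
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@Type  32
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@Start  2
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka\Parameters  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\kfyarka\Parameters@ServiceDll  C:\WINDOWS\system32\lkkalcuy.dll
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore@Count  9751
---- EOF - GMER 2.1 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
# System section:  "Code  <module> (<desc>)  <function> [<addr>]"  (address optional)
CODE_RE = re.compile(r"^Code\s+(?P<module>\S+) \((?P<desc>[^)]*)\)\s+(?P<func>\w+)")
# Kernel code sections:  "PAGE  <image>!<func>  <addr> <n> Bytes  JMP <target> <module> (<desc>)"
PAGE_RE = re.compile(
    r"^PAGE\s+(?P<image>\S+)!(?P<func>\w+)\s+(?P<addr>[0-9A-F]+) (?P<n>\d+) Bytes\s+"
    r"JMP (?P<target>[0-9A-F]+) (?P<module>\S+) \((?P<desc>[^)]*)\)"
)
# Registry section:  "Reg  <key>@<value>  <data>"  or  "Reg  <key>  <note>"
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<value>\S+))?\s+(?P<data>.*)$")
# Service key, with or without the \Parameters subkey that carries ServiceDll.
SERVICE_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>ControlSet\d+|CurrentControlSet)\\Services\\(?P<svc>[^\\]+)(\\Parameters)?$",
    re.IGNORECASE,
)


def parse_gmer(text):
    """Split a GMER log into hook records (System + Kernel code sections) and Reg records."""
    section, hooks, regs = None, [], []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        if section == "System" and (m := CODE_RE.match(line)):
            hooks.append({"kind": section, "module": m["module"], "func": m["func"]})
        elif section == "Kernel code sections" and (m := PAGE_RE.match(line)):
            hooks.append({"kind": section, "module": m["module"],
                          "func": f"{m['image']}!{m['func']}", "patched_bytes": int(m["n"])})
        elif section == "Registry" and (m := REG_RE.match(line)):
            regs.append({"key": m["key"], "value": m["value"], "data": m["data"].strip()})
    return hooks, regs


def triage(text, trusted=TRUSTED_HOOK_MODULES):
    """Return hook counts per module, hooks by untrusted modules, and svchost-hosted services with a ServiceDll."""
    hooks, regs = parse_gmer(text)
    trusted_lc = {t.lower() for t in trusted}
    hooks_by_module = Counter(h["module"] for h in hooks)
    untrusted = [h for h in hooks if h["module"].lower() not in trusted_lc]

    # Group registry values per (control set, service name) so ImagePath and
    # ServiceDll of the same service can be looked at together.
    services = defaultdict(dict)
    for r in regs:
        m = SERVICE_KEY_RE.match(r["key"])
        if m and r["value"] is not None:
            services[(m["cs"], m["svc"])][r["value"]] = r["data"]

    svchost_dll_services = []
    for (cs, name), vals in services.items():
        image, dll = vals.get("ImagePath", ""), vals.get("ServiceDll")
        if dll and "svchost.exe" in image.lower():
            svchost_dll_services.append({
                "control_set": cs, "service": name, "image_path": image, "service_dll": dll,
                "display_name": vals.get("DisplayName"), "start": vals.get("Start"),
                "type": vals.get("Type"), "object_name": vals.get("ObjectName")})
    return {"hooks_by_module": dict(hooks_by_module), "untrusted_hooks": untrusted,
            "svchost_dll_services": svchost_dll_services}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

For the log above this yields six hooks, all owned by mfehidk.sys and therefore none untrusted, and one svchost-hosted service, kfyarka in ControlSet002 with ServiceDll C:\WINDOWS\system32\lkkalcuy.dll, Start 2 (auto start) and Type 32 (shares the svchost process), which is exactly the entry to verify next: whether that DLL exists, who signed it, and whether the same service also appears in the control set the machine actually booted from (GMER's "(not active ControlSet)" note says ControlSet002 is not the one in use, and the log shows no CurrentControlSet entry for it). Passing trusted=set() reproduces the allowlist check with every hook reported.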