GMER 1.0.15.15640 - http://www.gmer.net Rootkit scan 2011-06-10 20:59:47 Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AC1 Running: 8nsqdcm1.exe; Driver: C:\Users\Ewelina\AppData\Local\Temp\pxrdypoc.sys ---- System - GMER 1.0.15 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x92F72738] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x92F7274C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x92F72762] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x92F7279E] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x92F72710] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x92F72724] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x92F727C6] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x92F727B2] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x92F7278A] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x92F72776] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x92F726FC] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!ZwSaveKeyEx + 13B1 8347F8A9 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8349F2F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} PAGE ntoskrnl.exe!NtSetInformationProcess 83650DD9 5 Bytes JMP 92F7277A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtOpenProcess 836629B3 5 Bytes JMP 92F72714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwTerminateProcess 83662E3F 5 Bytes JMP 92F72700 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateUserProcess 8366D731 5 Bytes JMP 92F72766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwNotifyChangeKey 836A3F8E 5 Bytes JMP 92F727A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtOpenThread 836B83DD 3 Bytes JMP 92F72728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!NtOpenThread + 4 836B83E1 1 Byte [0F] PAGE ntoskrnl.exe!ZwRestoreKey 836D0982 5 Bytes JMP 92F727B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwReplaceKey 836DC2E0 5 Bytes JMP 92F727CA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateProcess 8371BBF1 5 Bytes JMP 92F7273C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwCreateProcessEx 8371BC3C 7 Bytes JMP 92F72750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntoskrnl.exe!ZwSetContextThread 8371CAFF 5 Bytes JMP 92F7278E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ---- User code sections - GMER 1.0.15 ---- .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1652] kernel32.dll!LoadLibraryA 769F2884 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1652] kernel32.dll!LoadLibraryW 769F28D2 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\windows\system32\rundll32.exe[1640] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\system32\rundll32.exe[1640] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\system32\rundll32.exe[1640] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73AB2494] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73A95624] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73A956E2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [73AB250F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73AA8573] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73AA4D27] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73AA50CE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73AA51A3] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73AA66D0] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73AA82CA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73AA8819] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73AA907A] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73AAE21D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[2024] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73AA4C59] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\System32\rundll32.exe[3404] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\System32\rundll32.exe[3404] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\System32\rundll32.exe[3404] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\System32\rundll32.exe[3404] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272a7d410 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272a7d410@001e3760f616 0x9F 0xAC 0x59 0x6B ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272a7d410@00233a057708 0x48 0x6F 0x49 0xCC ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272a7d410@78ca046de0f8 0x1F 0x5A 0x37 0x7C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272a7d410 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272a7d410@001e3760f616 0x9F 0xAC 0x59 0x6B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272a7d410@00233a057708 0x48 0x6F 0x49 0xCC ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272a7d410@78ca046de0f8 0x1F 0x5A 0x37 0x7C ... ---- EOF - GMER 1.0.15 ----