GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-17 08:09:45
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD1600AAJS-00L7A0 rev.01.03E01
Running: gmer.exe; Driver: C:\DOCUME~1\PHILLB~1\LOCALS~1\Temp\pxtdapod.sys

---- System - GMER 1.0.15 ----

SSDT 860B50E8 ZwAlertResumeThread
SSDT 861E5938 ZwAlertThread
SSDT 86177C48 ZwAllocateVirtualMemory
SSDT 8611CC00 ZwAssignProcessToJobObject
SSDT 858AB3E0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA7646710]
SSDT 8637EA88 ZwCreateMutant
SSDT 860EEEF0 ZwCreateSymbolicLinkObject
SSDT 861FC8F0 ZwCreateThread
SSDT 860C3B80 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA7646990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA7646EF0]
SSDT 86107978 ZwDuplicateObject
SSDT 86125050 ZwFreeVirtualMemory
SSDT 86080BE8 ZwImpersonateAnonymousToken
SSDT 860C2B20 ZwImpersonateThread
SSDT 8589D538 ZwLoadDriver
SSDT 861DA530 ZwMapViewOfSection
SSDT 860A9CF0 ZwOpenEvent
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwOpenProcess [0xA0B8E6C0]
SSDT 860FCBC8 ZwOpenProcessToken
SSDT 860C51F8 ZwOpenSection
SSDT 860FA688 ZwOpenThread
SSDT 8507C248 ZwProtectVirtualMemory
SSDT 863170E0 ZwResumeThread
SSDT 860ED530 ZwSetContextThread
SSDT 86171218 ZwSetInformationProcess
SSDT 860EC0A8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA7647140]
SSDT 860A97E0 ZwSuspendProcess
SSDT 86143AF0 ZwSuspendThread
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateProcess [0xA0B8E770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateThread [0xA0B8E810]
SSDT 860C9EF8 ZwUnmapViewOfSection
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwWriteVirtualMemory [0xA0B8E8B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C14 805044B0 8 Bytes CALL B8D65005
.text ntkrnlpa.exe!ZwCallbackReturn + 2C90 8050452C 4 Bytes JMP 90E28637
.text ntkrnlpa.exe!ZwCallbackReturn + 3038 805048D4 4 Bytes CALL CB58E991
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? avgrkx86.sys The system cannot find the file specified. !
? AVGIDSEH.Sys The system cannot find the file specified. !
? system32\DRIVERS\avgtdix.sys The system cannot find the path specified. !
? system32\DRIVERS\AVGIDSShim.Sys The system cannot find the path specified. !
? system32\DRIVERS\AVGIDSFilter.Sys The system cannot find the path specified. !
? system32\DRIVERS\AVGIDSDriver.Sys The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8652733B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8652733B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8652733B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-6 8652733B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T1L0-e 8652733B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8652733B
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys

---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [892] 0x10000000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1944] 0x10000000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1944] 0x009A0000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----