Wile E Coyote
Posts: 10 +0
I keep getting notified by Norton tht I have been getting intrusion attempts resulting from: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE
Risk Name: System Infected: Tidserv Activity 2
Attacking Computer: liber0-un0.com (194.247.183.80, 443)
I tried the 8 step but can't seem to run dds.scr the other log files are pasted below:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6547
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/10/2011 2:08:11 PM
mbam-log-2011-05-10 (14-08-11).txt
Scan type: Quick scan
Objects scanned: 174620
Time elapsed: 16 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\Jon\x.exe (Trojan.KillAV) -> Quarantined and deleted successfully.
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-10 14:48:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST94019A rev.5.11
Running: tif0roxe.exe; Driver: C:\DOCUME~1\Jon\LOCALS~1\Temp\pgldyaoc.sys
---- System - GMER 1.0.15 ----
SSDT 86C12BF0 ZwAlertResumeThread
SSDT 86C15590 ZwAlertThread
SSDT 86C1B0B0 ZwAllocateVirtualMemory
SSDT 86EABE30 ZwAssignProcessToJobObject
SSDT 86B2BCF8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB9CD3210]
SSDT 86CA8368 ZwCreateMutant
SSDT 86BFA1D0 ZwCreateSymbolicLinkObject
SSDT 86BB9D68 ZwCreateThread
SSDT 86E8A818 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB9CD3490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB9CD39F0]
SSDT 86C161C0 ZwDuplicateObject
SSDT 86C81100 ZwFreeVirtualMemory
SSDT 86E8EF28 ZwImpersonateAnonymousToken
SSDT 86C120C8 ZwImpersonateThread
SSDT 86B9E2D8 ZwLoadDriver
SSDT 86C59CC0 ZwMapViewOfSection
SSDT 86E4B4E8 ZwOpenEvent
SSDT 86E8EFC0 ZwOpenProcess
SSDT 86C25DC8 ZwOpenProcessToken
SSDT 86E4E260 ZwOpenSection
SSDT 86E8EE40 ZwOpenThread
SSDT 86BBE1E0 ZwProtectVirtualMemory
SSDT 86C1B2B8 ZwResumeThread
SSDT 86C24D28 ZwSetContextThread
SSDT 86C894C0 ZwSetInformationProcess
SSDT 86FCA1F0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB9CD3C40]
SSDT 86E4B520 ZwSuspendProcess
SSDT 86C22A70 ZwSuspendThread
SSDT 86C31158 ZwTerminateProcess
SSDT 86C24930 ZwTerminateThread
SSDT 86C25908 ZwUnmapViewOfSection
SSDT 86C356A8 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 214 804E2880 4 Bytes [E8, B4, E4, 86]
.text ntoskrnl.exe!_abnormal_termination + 234 804E28A0 8 Bytes [C0, EF, E8, 86, C8, 5D, C2, ...]
? vqlnggj.sys The system cannot find the file specified. !
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0117000A
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0118000A
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0116000C
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!CreateBindCtx + B5F 774FF14F 7 Bytes JMP 041C00F4
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!CoImpersonateClient + 51 775151F0 7 Bytes JMP 041C003A
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E2000A
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E3000A
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006F000C
.text C:\WINDOWS\System32\svchost.exe[1088] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EB000A
.text C:\program files\real\realplayer\update\realsched.exe[2124] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\system32\SearchIndexer.exe[2532] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[3268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D1000A
.text C:\WINDOWS\Explorer.EXE[3268] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DA000A
.text C:\WINDOWS\Explorer.EXE[3268] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D0000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0118000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0119000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0117000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Internet Explorer\iexplore.exe[416] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86F6331B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 86F6331B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86F6331B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86F6331B
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- Threads - GMER 1.0.15 ----
Thread realplay.exe [1544:1436] 7C810705
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- EOF - GMER 1.0.15 ----
Risk Name: System Infected: Tidserv Activity 2
Attacking Computer: liber0-un0.com (194.247.183.80, 443)
I tried the 8 step but can't seem to run dds.scr the other log files are pasted below:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6547
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/10/2011 2:08:11 PM
mbam-log-2011-05-10 (14-08-11).txt
Scan type: Quick scan
Objects scanned: 174620
Time elapsed: 16 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\Jon\x.exe (Trojan.KillAV) -> Quarantined and deleted successfully.
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-10 14:48:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST94019A rev.5.11
Running: tif0roxe.exe; Driver: C:\DOCUME~1\Jon\LOCALS~1\Temp\pgldyaoc.sys
---- System - GMER 1.0.15 ----
SSDT 86C12BF0 ZwAlertResumeThread
SSDT 86C15590 ZwAlertThread
SSDT 86C1B0B0 ZwAllocateVirtualMemory
SSDT 86EABE30 ZwAssignProcessToJobObject
SSDT 86B2BCF8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB9CD3210]
SSDT 86CA8368 ZwCreateMutant
SSDT 86BFA1D0 ZwCreateSymbolicLinkObject
SSDT 86BB9D68 ZwCreateThread
SSDT 86E8A818 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB9CD3490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB9CD39F0]
SSDT 86C161C0 ZwDuplicateObject
SSDT 86C81100 ZwFreeVirtualMemory
SSDT 86E8EF28 ZwImpersonateAnonymousToken
SSDT 86C120C8 ZwImpersonateThread
SSDT 86B9E2D8 ZwLoadDriver
SSDT 86C59CC0 ZwMapViewOfSection
SSDT 86E4B4E8 ZwOpenEvent
SSDT 86E8EFC0 ZwOpenProcess
SSDT 86C25DC8 ZwOpenProcessToken
SSDT 86E4E260 ZwOpenSection
SSDT 86E8EE40 ZwOpenThread
SSDT 86BBE1E0 ZwProtectVirtualMemory
SSDT 86C1B2B8 ZwResumeThread
SSDT 86C24D28 ZwSetContextThread
SSDT 86C894C0 ZwSetInformationProcess
SSDT 86FCA1F0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB9CD3C40]
SSDT 86E4B520 ZwSuspendProcess
SSDT 86C22A70 ZwSuspendThread
SSDT 86C31158 ZwTerminateProcess
SSDT 86C24930 ZwTerminateThread
SSDT 86C25908 ZwUnmapViewOfSection
SSDT 86C356A8 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 214 804E2880 4 Bytes [E8, B4, E4, 86]
.text ntoskrnl.exe!_abnormal_termination + 234 804E28A0 8 Bytes [C0, EF, E8, 86, C8, 5D, C2, ...]
? vqlnggj.sys The system cannot find the file specified. !
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0117000A
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0118000A
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0116000C
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!CreateBindCtx + B5F 774FF14F 7 Bytes JMP 041C00F4
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!CoImpersonateClient + 51 775151F0 7 Bytes JMP 041C003A
.text C:\Program Files\Internet Explorer\iexplore.exe[416] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E2000A
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E3000A
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006F000C
.text C:\WINDOWS\System32\svchost.exe[1088] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EB000A
.text C:\program files\real\realplayer\update\realsched.exe[2124] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\system32\SearchIndexer.exe[2532] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[3268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D1000A
.text C:\WINDOWS\Explorer.EXE[3268] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DA000A
.text C:\WINDOWS\Explorer.EXE[3268] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D0000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0118000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0119000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0117000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Internet Explorer\iexplore.exe[416] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86F6331B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 86F6331B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86F6331B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86F6331B
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- Threads - GMER 1.0.15 ----
Thread realplay.exe [1544:1436] 7C810705
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- EOF - GMER 1.0.15 ----