Thread: Malicious Program Sending Spam Emails From My PC !!!
View Single Post
Old 06-19-2006, 09:25 AM   #87 (permalink)
ruthy
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Ok!!!!!!!!!!!!!! Deleted those 2 entries, rebooted and re-ran a full gmer scan with all areas checked, including the Registry and hey-presto it did not bomb with a BSOD hehe!! - Well done sUBs - you are now winning this battle lol!

Just on completion of the scan a box popped up saying Rootkit activity was detected. Here is the log: -

________________________________________________________________

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-19 17:19:42
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT 863CCC70 ZwConnectPort
SSDT SSI.SYS ZwCreateKey
SSDT SSI.SYS ZwCreateProcess
SSDT SSI.SYS ZwCreateProcessEx
SSDT SSI.SYS ZwDeleteKey
SSDT SSI.SYS ZwDeleteValueKey
SSDT 861769B0 ZwOpenProcess
SSDT 863F49E8 ZwOpenThread
SSDT SSI.SYS ZwRenameKey
SSDT SSI.SYS ZwSetInformationKey
SSDT SSI.SYS ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP_POWER [F74BE1F8] SSI.SYS

---- Modules - GMER 1.0.10 ----

Module \SystemRoot\system32\drivers\kmixer.sys (*** hidden *** ) B8786000 <-- ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File D:\System Volume Information\MountPointManagerRemoteDatabase
File D:\System Volume Information\tracking.log
File E:\System Volume Information\MountPointManagerRemoteDatabase
File E:\System Volume Information\tracking.log
File E:\System Volume Information\_restore{9C9ECE3F-D8F8-4C8A-BB40-13E01E1F18B5}

---- EOF - GMER 1.0.10 ----
________________________________________________________________

Please tell me where we are at the moment by way of update, I know you know where we are but I don't! lol!

Ruth XXX
Last edited by ruthy; 06-19-2006 at 09:30 AM.
ruthy is offline