Resolved HJT Threads - Resolved spyware and popup issues.

Old 06-18-2006, 10:09 AM   #61 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Quote:
Originally Posted by sUBs
I left out the part where I wanted you to click the 'Advanced' tab.
lol! - even experts can miss steps - I'll forgive you hehe! I've done that, so next time my notepad and pen are handy!

Ruth
ruthy is offline  
Old 06-18-2006, 10:17 AM   #62 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


You saw this in my last post too?

Quote:
Originally Posted by ruthy
yes it says it could not acquire necessary privileges[SeDebugPrivilege]

Ruth
I shall await your further instructions

Ruth
ruthy is offline  
Old 06-18-2006, 10:19 AM   #63 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Download this file - http://www.techsupportforum.com/atta...6&d=1149315134

Double click the file within & then reboot your machine
You should be able to run Blacklight after that.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-18-2006, 10:39 AM   #64 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


OK, done that but nothing found!
______________________________________________________________

06/18/06 17:31:52 [Info]: BlackLight Engine 1.0.37 initialized
06/18/06 17:31:52 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/18/06 17:31:52 [Note]: 7019 4
06/18/06 17:31:52 [Note]: 7005 0
06/18/06 17:33:08 [Note]: 7006 0
06/18/06 17:33:08 [Note]: 7011 2284
06/18/06 17:33:08 [Note]: 7026 0
06/18/06 17:33:08 [Note]: 7026 0
06/18/06 17:33:16 [Note]: FSRAW library version 1.7.1015
06/18/06 17:34:33 [Note]: 2000 1006
06/18/06 17:34:33 [Note]: 2000 1006
06/18/06 17:34:48 [Note]: 7007 0
_______________________________________________________________

So what next?

Phew! This is taking forever - sUBs, I need to do some other things in about 1.5 hours' time and I'm sure you do as well - I'm so grateful to you for your dedication and feel sure you will crack this thing :)

But if you want to stop and restart tomorrow again, then I will be ok from 15.00 BST - just my thoughts

Ruth Kiss
ruthy is offline  
Old 06-18-2006, 10:59 AM   #65 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Blacklight didn't find anything. That's to be expected. Most of these newer rootkits have adapted themselves to escape the more reputable scanners like Blacklight & Sysinternals' RootkitRevealer. That's why Gmer is the tool of choice for current times. Look on the bright side. At least we were alerted to your SeDebug errors & have taken steps to fix it.


I guess we don't have any more choices but to press on to having Gmer take an aggressive stance & do the scan listed out in post #34. Please take another look at post #34 as I have revised my earlier instructions.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-18-2006, 11:05 AM   #66 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


OK sUBs, but will gmer not crash in safe mode? If it does, where do we go from there? I'll do what you suggest and back up the registry - however, at the moment the crashes and BSODs are only caused by running gmer. Maybe a safe-mode scan will sort it - I hope so.

Ruth
ruthy is offline  
Old 06-18-2006, 11:10 AM   #67 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Let's cross that bridge when we come to it.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-18-2006, 11:30 AM   #68 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


OK - done all that and the good news is that gmer did not crash. So far so good. But I'm damned if I can get notepad to stay on the screen long enough for it to be saved. I press save and then, as quickly as I can, press run after typing notepad in the command box; this briefly brings up notepad - just quick enough for me to press ctrl-v but not quick enough for me to save it. I am still in the command screen awaiting your further instructions - what's happening here - why does notepad disappear so quickly? Whilst I am awaiting your response, I will try wordpad!

Ruth
ruthy is offline  
Old 06-18-2006, 11:35 AM   #69 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Wordpad not recognised as a command :( and the copied information is now lost. Running a further scan, I'll see what happens this time - but this is annoying now! After that, if no joy, I will see if it's saved anything; not sure what the default save folder is, maybe I was quick enough to save it. I'll check when I've booted into normal mode.

Ruth
ruthy is offline  
Old 06-18-2006, 11:40 AM   #70 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


To access Wordpad, type write.exe
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-18-2006, 12:08 PM   #71 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


No that did not work either so I'm typing this longhand from the text I've pasted into the log box at the bottom lol!

_________________________________________________________________

GMER 1.0.10.1022 - http://www.gmer.net
Rootkit 2006-06-18 18:42:56
windows 5.1.2600 Service pack 2

---- Devices - GMER 1.0.10 ----

Device \Filesystem\Fastfat \F IRP_MJ_CREATE

----Registry - GMER 1.0.10 ----

Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0

0.10 ----
________________________________________________________________

I hope I've typed everything out correctly lol!

Now what? - I only have another 30 mins left until I have to do some other things and will need to reconvene tomorrow after 3pm BST

Thanks again for your hard work - I will leave the machine in Safe-Mode until you come back to me as maybe you want to do something else whilst in gmer

Ruth XXX
ruthy is offline  
Old 06-18-2006, 12:35 PM   #72 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


OK sUBs - thanks for all your hard work today, it's most appreciated. I'm turning the PC off now to get some work done around the house. I hope I will hear some more from you tomorrow - if you set down a list of instructions, I will do my level best to follow them. With a bit of luck the above "log" file will help you understand what's happening here. I will log back in soon after 14.30 BST. Cheers for now

Ruth XXX
ruthy is offline  
Old 06-19-2006, 01:13 AM   #73 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Ruth,

Please check if you have this log. - C:\Windows\gmer.log
If so, kindly post the contents of the log

After you have posted the log, please do a normal scan with Gmer.
Untick the box - 'Devices' - before doing so.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 06-19-2006 at 01:33 AM.
sUBs is offline  
Old 06-19-2006, 08:08 AM   #74 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Hi sUBs - I'm back again - no, sorry, there is no log file. I had trouble rebooting back into Windows after shutting down yesterday as the system kept wanting to invoke gmer in safe mode again. However, I managed to get back in by pressing F8 and using last known good settings. I am searching my entire system for that log file, going for a shower and will undertake the full scan as you suggest in normal mode in about 30 mins

Ruth
ruthy is offline  
Old 06-19-2006, 08:24 AM   #75 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


No joy I'm afraid - again before the scan completed, I got the dreaded BSOD !

It says: -
________________________________________________________________
A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you have seen this Stop Error screen, restart your computer. If this screen appears again, follow these steps: -

Check to be sure you have adequate disk space. If a driver is identified in the Stop Message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with hardware for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart etc etc......

Technical Information: -

0x0000008E (0x0000005, 0x00300030, 0xF17ABCF0, 0x00000000)
________________________________________________________________


Well sUBs where do we go from here?

Ruth
ruthy is offline  
Old 06-19-2006, 08:57 AM   #76 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Please untick the box where it says - 'Registry' & try again

So sorry about this. Wish it could be easier
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-19-2006, 09:10 AM   #77 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


No need to apologise sUBs - you are my knight in shining armour lol! - I'm sure you will crack this thing!

Anyhow I've just re-run the gmer prog, this time just unselecting Registry - I left Devices checked ok?

Here's the log: -

____________________________________________________________

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-19 16:04:07
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT 864091D8 ZwConnectPort
SSDT SSI.SYS ZwCreateKey
SSDT SSI.SYS ZwCreateProcess
SSDT SSI.SYS ZwCreateProcessEx
SSDT SSI.SYS ZwDeleteKey
SSDT SSI.SYS ZwDeleteValueKey
SSDT 86593150 ZwOpenProcess
SSDT 863BCCB0 ZwOpenThread
SSDT SSI.SYS ZwRenameKey
SSDT SSI.SYS ZwSetInformationKey
SSDT SSI.SYS ZwSetValueKey

SYSENTER ? 00810006

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 85518520
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP_POWER [F74BE1F8] SSI.SYS

---- Services - GMER 1.0.10 ----

Service C:\WINDOWS\System32:18467 (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File D:\System Volume Information\MountPointManagerRemoteDatabase
File D:\System Volume Information\tracking.log
File E:\System Volume Information\MountPointManagerRemoteDatabase
File E:\System Volume Information\tracking.log
File E:\System Volume Information\_restore{9C9ECE3F-D8F8-4C8A-BB40-13E01E1F18B5}

---- EOF - GMER 1.0.10 ----

________________________________________________________________


So what does this tell us and does it mean there could be malicious stuff still in the Registry ?

Ruth

Last edited by ruthy; 06-19-2006 at 09:11 AM.
ruthy is offline  
Old 06-19-2006, 09:13 AM   #78 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


By the way, when the prog finished scanning, it popped up a box saying Rootkit activity detected! - Methinks you are on to it now!

Ruth XXX
ruthy is offline  
Old 06-19-2006, 09:16 AM   #79 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Service C:\WINDOWS\System32:18467 (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

Ah..we found the little devil. Now I need you to watch a little video.

http://www.gmer.net/pe386.wmv

The method outlined is simple enough. Just do like the example at the end of the video.

Reboot your machine & do another gmer scan
__________________

Question - what have you done for the community today?
sUBs is offline  
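The log in post #77 carries three indicator types that sUBs reads off by eye: SSDT entries pointing into SSI.SYS, the whole IRP dispatch table of \Driver\Tcpip redirected into SSI.SYS, and a hidden service whose image path `C:\WINDOWS\System32:18467` is an NTFS alternate data stream rather than a file. The script below is an added example, not GMER's code or anything from the thread; it triages a GMER 1.0.x text log for exactly those patterns, using a constructed sample abridged from the posted log.

```python
"""Triage a GMER 1.0.x text log for SSDT hooks, hijacked IRP dispatch tables
and hidden services hosted in an NTFS alternate data stream (ADS)."""
import re
from collections import defaultdict

# Constructed sample, abridged from the log posted in this thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.10 ----

SSDT 864091D8 ZwConnectPort
SSDT SSI.SYS ZwCreateKey
SSDT SSI.SYS ZwCreateProcess
SSDT 86593150 ZwOpenProcess

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 85518520
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F74BE1F8] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F74BE1F8] SSI.SYS

---- Services - GMER 1.0.10 ----

Service C:\WINDOWS\System32:18467 (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\drivers\tcpip.sys [SYSTEM] Tcpip

---- EOF - GMER 1.0.10 ----
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)")
# Only lines where GMER resolved the handler to a module carry "[addr] module".
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+)\s+\[([0-9A-Fa-f]+)\]\s+(\S+)")
SERVICE_RE = re.compile(r"^Service\s+(.+?)\s+(\(\*\*\* hidden \*\*\* \)\s+)?\[(\w+)\]\s+(\S+)")
# The only legitimate colon in an image path is the drive letter's; a second
# one means the image lives in an alternate data stream (<path>:<stream>).
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\:]+$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def module_stem(name):
    """'\\Driver\\Tcpip' -> 'tcpip', 'SSI.SYS' -> 'ssi' (for owner/module comparison)."""
    return name.rsplit("\\", 1)[-1].split(".")[0].lower()


def triage_gmer_log(text):
    """Return a list of (severity, message) findings for one GMER log."""
    findings = []
    ssdt_by_module = defaultdict(list)
    irp_by_pair = defaultdict(int)
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            ssdt_by_module[m.group(1)].append(m.group(2))
            continue
        m = DEVICE_RE.match(line)
        if m:
            owner, _device, _irp, _addr, module = m.groups()
            # A driver's dispatch routines should live in that driver's own image.
            if module_stem(module) != module_stem(owner):
                irp_by_pair[(owner, module)] += 1
            continue
        m = SERVICE_RE.match(line)
        if m:
            image, hidden, _account, name = m.groups()
            reasons = []
            if hidden:
                reasons.append("hidden from the service list")
            if ADS_RE.match(image):
                reasons.append("image stored in an NTFS alternate data stream")
            if reasons:
                findings.append(("HIGH", f"service '{name}' ({image}): " + "; ".join(reasons)))
    for module, funcs in sorted(ssdt_by_module.items()):
        # A bare address means GMER could not attribute the hook to any loaded module.
        kind = "unresolved address" if HEX_RE.match(module) else "module"
        sev = "MEDIUM" if kind == "module" else "LOW"
        findings.append((sev, f"SSDT: {len(funcs)} entries hooked by {kind} {module}: {', '.join(funcs)}"))
    for (owner, module), n in sorted(irp_by_pair.items()):
        findings.append(("HIGH", f"IRP table of {owner}: {n} dispatch routines redirected into {module}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_gmer_log(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The hand-typed `IRP_MJ_CLOSEIRP_MJ_READ` token from the thread is tolerated because the parser only checks which module owns the handler, not which major function was hooked.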
Old 06-19-2006, 09:23 AM   #80 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


sUBs - this is way too complicated for me - the video runs too quickly, I'm not sure what software I need to download or where from and some of it isn't even in English - have you any written instructions to hand please? The vid also is not clear to read and the steps are understandable to me - sorry!

Ruth
ruthy is offline  
 


All times are GMT -7. The time now is 06:59 AM.



Copyright 2001 - 2009, Tech Support Forum