Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware.apropos.c Need Help!


  • This topic is locked This topic is locked
21 replies to this topic

#1 zemoman

zemoman

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:United States, Everett, MA
  • Local time:05:20 PM

Posted 24 June 2006 - 02:08 PM

Hi this is my first post on bleeping computers. I have Norton Internet Security 2006 and the other day I started getiing pop-ups every couple of seconds from Norton saying I was infected with spyware.apropos.c I ran a full system scan with Norton but it didn't pick up anything. Can anyone PLEASE help me I know its a rootkit thing, but I don't know how to get rid of it. PLEASE HELP! :thumbsup:

THIS IS MY HJT SCAN THING:

Logfile of HijackThis v1.99.1
Scan saved at 2:57:03 PM, on 6/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\YOUSEF~1.YOU\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...lscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141267825558
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - https://support.gateway.com/eSupport/static.../weblaunch2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

AND THE ONLY SECURITY SOFTWARE I HAVE IS NORTON INTERNET SECURITY.
ROOTKITS BAD!

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 24 June 2006 - 06:35 PM

Hi zemoman and Welcome to the Bleeping Computer!

Can you tell me where Norton is saying the file (infection) is located at?


Download GMER from Here

Right Click the Zip and Select "Extract All"

Double Click gmer.exe to launch the program.

Click on the Rootkit Tab and then click Scan.

It takes a while to run,once complete,copy the results to notepad and save them somewhere safe.

Post those results in the next reply.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Post those 2 reports in the next reply please.

#3 zemoman

zemoman
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:United States, Everett, MA

Posted 28 June 2006 - 12:52 AM

Ok sorry it took me a long to reply but I HAVE REALLY BAD NEWS see I called norton about this problem and they said to boot in to safe mode to remove it, so I reset my computer and then do the F8 thing then I put boot into safe mode. then it shows a bunch of system32 files (i think its supposed to show them) then my computer resets and it takes me to that F8 screen and it reads "we appoligise for the inconvenience but your computer was unable to boot into safe mode to protect your files" and then it says to boot into the last good configuration (which is to boot windows normally). The people at emachines (my computer manufacturer) say that my computer is slowing crashing or something like that and they said this spyware thing might of messed up my safe mode or something like that and the tech support guy also said he was :thumbsup: suprised i could boot back on to windows normally. SO I CAN'T BOOT INTO SAFE MODE. . FIRST OF ALL IS MY COMPUTER SLOWING CRASHING ( MY COMPUTER IS ACTING PERFECT ATTUALLY BETTER THEN EVER!) and SECOND OF ALL will i ever be able to get into safe mode and fix this spyware? I WILL DO ANYTHING TO GET INTO SAFE MODE ANYTHING! OR AT LEAST TRY TO REMOVE THIS SPYWARE FROM NORMAL MODE. PLEASE HELP ME! :flowers:

PS: SORRY FOR ANY SPELLING ERRORS I HAD TO TYPE THIS IN A HURRY AND ILL POST THE F-SECURE AND THAT OTHER SCAN RECORDS IN THE NEXT POST. PLEASE TRY TO HELP ME ON THIS FIRST

Edited by zemoman, 28 June 2006 - 12:56 AM.

ROOTKITS BAD!

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 28 June 2006 - 04:07 AM

OK,lets try this.

Let me see a HijackThis Start Up log.

Open HijackThis and Click the "Open Misc Tools Section" tab.

Select Generate StartUpList log and make sure that both Boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a NotePad Page,I need you to copy the entire contents of that page to the next reply.


This is a very quick scan,will only take a second or two.


Post the results in the next reply.

#5 zemoman

zemoman
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:United States, Everett, MA
  • Local time:05:20 PM

Posted 28 June 2006 - 07:48 PM

HEY AND THANK YOU FOR HELPING ME ON THIS ISSUE.

OK THIS IS MY HJT START UP LIST THING:

StartupList report, 6/28/2006, 8:38:40 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\yousef a. mahmoud.YOUR-X6K5FONAOK\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5346.0005)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\yousef a. mahmoud.YOUR-X6K5FONAOK\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\yousef a. mahmoud.YOUR-X6K5FONAOK\Start Menu\Programs\Startup]
Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
Norton Internet Security 2006 - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
NAV Helper - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Run Full System Scan - yousef a. mahmoud.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[vmLaunch Class]
InProcServer32 = C:\WINDOWS\System32\vmlauncher.dll
CODEBASE = http://downloads.comcast.net/videomail/vmLauncher.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[{4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B}]
CODEBASE = http://aolcc.aol.com/computercheckup/qdiagcc.cab

[{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]
CODEBASE = http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

[Windows Live Safety Center Base Module]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
CODEBASE = http://scan.safety.live.com/resource/downl...lscbase5059.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1141267825558

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[CWebLaunchCtl Object]
InProcServer32 = C:\WINDOWS\System32\weblaunch2.ocx
CODEBASE = https://support.gateway.com/eSupport/static.../weblaunch2.cab

[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
CODEBASE = http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8a.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[TikGames Online Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gpcontrol.dll
CODEBASE = http://download.games.yahoo.com/games/web_...inematycoon.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Service for Avance AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AOL TopSpeed Monitor: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Internet Security Password Validation: "C:\Program Files\Norton Internet Security\ccPwdSvc.exe" (manual start)
Symantec Network Proxy: "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM Host: "C:\Program Files\Norton Internet Security\comHost.exe" (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
dump_wmimmc: \??\C:\WINDOWS\system32\drivers\dump_wmimmc.sys (manual start)
Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HSFHWBS2: System32\DRIVERS\HSFHWBS2.sys (manual start)
HSF_DP: System32\DRIVERS\HSF_DP.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
InCDPass: System32\DRIVERS\InCDPass.sys (system)
InCD Helper: C:\Program Files\Ahead\InCD\InCDsrv.exe (autostart)
InCD Helper (read only): C:\Program Files\Ahead\InCD\InCDsrv.exe -r (disabled)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (autostart)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LiveUpdate: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McAfee.com McShield: c:\PROGRA~1\mcafee.com\vso\mcshield.exe (disabled)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
MR97310 CIF Dual Mode Camera: System32\DRIVERS\mr97310c.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Norton AntiVirus Auto-Protect Service: "C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060628.020\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060628.020\NavEx15.Sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NPPTNT2: \??\C:\WINDOWS\System32\npptNT2.sys (system)
Norton Protection Center Service: "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE" (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Dual Mode USB Camera Plus: System32\Drivers\omcamvid.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
SaiH0255: system32\DRIVERS\SaiH0255.sys (manual start)
SaiMini: system32\DRIVERS\SaiMini.sys (manual start)
SaiNtBus: system32\drivers\SaiNtBus.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS (system)
Symantec AVScan: "C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe" (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{168CC031-7D69-417F-AC5B-396A6694C46A} (manual start)
Symantec Core LC: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" (autostart)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20060614.094\symidsco.sys (manual start)
symlcbrd: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys (autostart)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB Root Hub (usbport): System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
Messenger Sharing USN Journal Reader service: C:\WINDOWS\system32\svchost.exe -k usnsvc (manual start)
User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (system)
Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 36,756 bytes
Report generated in 0.547 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
ROOTKITS BAD!

#6 zemoman

zemoman
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:United States, Everett, MA

Posted 28 June 2006 - 08:25 PM

hey sry about not posting the GMER results here they are.

GMER LOG:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-28 21:21:50
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT 829161A8 ZwAlertResumeThread
SSDT 8296ECB8 ZwAlertThread
SSDT 82A4DF58 ZwAllocateVirtualMemory
SSDT 82A06140 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT 82ACDD10 ZwCreateMutant
SSDT 82A60EC8 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT 82A4BA78 ZwFreeVirtualMemory
SSDT 82AD1E58 ZwImpersonateAnonymousToken
SSDT 82A0E6B0 ZwImpersonateThread
SSDT 829DF108 ZwMapViewOfSection
SSDT 82B882F8 ZwOpenEvent
SSDT 82B440E8 ZwOpenProcessToken
SSDT 8299E240 ZwOpenThreadToken
SSDT 82B95968 ZwQueryValueKey
SSDT 828F0A10 ZwResumeThread
SSDT 829732F0 ZwSetContextThread
SSDT 82916730 ZwSetInformationProcess
SSDT 829AD230 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT 82AD0370 ZwSuspendProcess
SSDT 829F7608 ZwSuspendThread
SSDT 82AC74C0 ZwTerminateProcess
SSDT 82991748 ZwTerminateThread
SSDT 82A18D18 ZwUnmapViewOfSection
SSDT 82A48F98 ZwWriteVirtualMemory

---- Devices - GMER 1.0.10 ----

Device \Driver\NtfiIde \Device\dmld35x IRP_MJ_CREATE 825734F1

---- Processes - GMER 1.0.10 ----

Process C:\PROGRAM FILES\AVAATION\BMPCLTUI.EXE (*** hidden *** ) 244 <-- ROOTKIT !!!
Library C:\PROGRAM FILES\AVAATION\BMPCLTUI.EXE (*** hidden *** ) @ C:\PROGRAM FILES\AVAATION\BMPCLTUI.EXE [244] 0x00400000 <-- ROOTKIT !!!
Library C:\PROGRAM FILES\AVAATION\ace.dll (*** hidden *** ) @ C:\PROGRAM FILES\AVAATION\BMPCLTUI.EXE [244] 0x10000000 <-- ROOTKIT !!!
Library C:\PROGRAM FILES\AVAATION\WinGenerics.dll (*** hidden *** ) @ C:\PROGRAM FILES\AVAATION\BMPCLTUI.EXE [244] 0x00A30000 <-- ROOTKIT !!!

Process C:\WINDOWS\SYSTEM32\AAMIXSSO.EXE (*** hidden *** ) 260 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\AAMIXSSO.EXE (*** hidden *** ) @ C:\WINDOWS\SYSTEM32\AAMIXSSO.EXE [260] 0x00400000 <-- ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File C:\Program Files\Avaation
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}
File C:\WINDOWS\system32\aamixsso.exe
File C:\WINDOWS\system32\drivers\tsbkdump.sys

---- EOF - GMER 1.0.10 ----
ROOTKITS BAD!

#7 zemoman

zemoman
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:United States, Everett, MA
  • Local time:05:20 PM

Posted 28 June 2006 - 10:36 PM

Hi I tryed to post a F-secure scan log but there was a problem, in the scan when it got to 5677 hidden processes found it froze and said to try the scan again so i tryed again and the same thing happened.

Ok this is the story of these hidden processes. Lets go back to the beginning of this year I used to have aol 9.0 as my ISP. Soon after a month with aol I needed a security software, so I downloaded aol safety and security center. All went perfect until I started getting a firewall pop up one day from the security software there were 2 files trying to access the internet one was a file called aamixsso and another was avaation. I always put block access untill the alerts finally disappeared one day. After about 3 months I got comcast and deleted all my aol stuff (including aol safety and security software). After about a week I downloaded MAcafee anti-virus from comcast. Soon after about a week I found out a needed a firewall so I got one, after about 2 days I started getting those firewall alerts from my comcast MAcafee firewall pro again aamixsso and avaation were both trying to access the internet. A month past and the firewall alerts disappeared. Soon after a couple of days my computer was acting funny so I found out i needed a anti-spyware program and downloaded SPYWARE DOCTOR! When I scanned my computer with it, it told me to restart my computer so i did, after a couple of days I turned on my computer and every thing on my desktop was missing except my recycle bin, many of my programs were missing, my computer looked like the day I first bought it. Soon after I tryed to reinstall windows but my computer wouldn't read the cd at boot time, I checked my BIOS settings and put cd drive as the first thing to load during start up BUT nothing it still wouldn't take my restore cd to reinstall windows. So the only thing I could do was to delete spyware doctor, so I did and I updated my system to security pack 2 and I also got some other important updates. See the problem with my system was when I shut down and started my computer NOTHING WOULD SAVE, say for examlpe I put a setting on my computer such as a desktop and restart my computer it would be the desk top I had before I changed the setting. So after I reinstalled MAafee. Then one day my MAcafee started acting funny (my MAcafee anti-virus kept turing its self off) so I called comcast and found out it was corrupted. I then deleted MAcafee off my computer and got Windows Live One Care Beta as my security software. Then after a day i started getting firewall alert from 3 files now one was a program called avaation the other was aamixsso and the 3rd new one was something called bmpcltui (YOU CAN SEE THE FULL NAME OF THESE FILES ON THE GMER RESULT THING). So as I was saying these files were always trying to access the internet, and the thing that really stunk is that the alerts wouldn't go away, they were so annoying always popping up asking for access to the internet ( I would always put block access ). One day I got really annoyed by then and called Microsoft the developers of Windows Live One Care. So an agent got remote access to my desk top to search for these files. He had finally found them in the PREFETCH folder, he deleted then from the prefetch folder and my registry keys. We both thought these files were gone for good but they came back the next day. So I had the final straw so I got NIS 2006. So i think you can take the story from there because i've already explained to you about getting that spyware.apropos.c thing...and you know. So this is how it all happened. See if you want the full name for the files aamixsso, bmpcltui, and avaation you can just look them up in the rootkit files section of the GMER scan results in the last post. THANK YOU FOR GIVING YOUR TIME TO HELP ME WITH MY PROBLEMS I REALLY APPRECIATE IT! :thumbsup:
ROOTKITS BAD!

#8 zemoman

zemoman
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:United States, Everett, MA
  • Local time:05:20 PM

Posted 29 June 2006 - 02:06 PM

Hi I did another scan with GMER agian today and I found system modifictations from rootkit activity. Take a look. PLEASE HELP ME!

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-29 15:02:20
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT 829E0710 ZwAlertResumeThread
SSDT 829E08A0 ZwAlertThread
SSDT 829D33E8 ZwAllocateVirtualMemory
SSDT 829D2EE0 ZwConnectPort
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwCreateKey
SSDT 829E04D0 ZwCreateMutant
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwCreateProcess
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwCreateProcessEx
SSDT 829DB008 ZwCreateThread
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwDeleteKey
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwDeleteValueKey
SSDT 8298DE60 ZwFreeVirtualMemory
SSDT 829E0590 ZwImpersonateAnonymousToken
SSDT 829E0650 ZwImpersonateThread
SSDT 829CCC60 ZwMapViewOfSection
SSDT 829E0410 ZwOpenEvent
SSDT 82990D00 ZwOpenProcessToken
SSDT 829D0BF8 ZwOpenThreadToken
SSDT 82AD9940 ZwQueryValueKey
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwRenameKey
SSDT 82992310 ZwResumeThread
SSDT 829E7690 ZwSetContextThread
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwSetInformationKey
SSDT 82A1C008 ZwSetInformationProcess
SSDT 829E0BA8 ZwSetInformationThread
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwSetValueKey
SSDT 829E0350 ZwSuspendProcess
SSDT 829E0A28 ZwSuspendThread
SSDT 82967978 ZwTerminateProcess
SSDT 829E0AE8 ZwTerminateThread
SSDT 82A07C68 ZwUnmapViewOfSection
SSDT 82ACFE78 ZwWriteVirtualMemory

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP_POWER [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP_POWER [EE3CD20C] SSI.SYS
Device \Driver\NtfiIde \Device\dmld35x IRP_MJ_CREATE 82A644F1
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP_POWER [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP_POWER [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [EE3CD20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP_POWER [EE3CD20C] SSI.SYS

---- Processes - GMER 1.0.10 ----

Process C:\PROGRAM FILES\AVAATION\BMPCLTUI.EXE (*** hidden *** ) 244 <-- ROOTKIT !!!
Library C:\PROGRAM FILES\AVAATION\BMPCLTUI.EXE (*** hidden *** ) @ C:\PROGRAM FILES\AVAATION\BMPCLTUI.EXE [244] 0x00400000 <-- ROOTKIT !!!
Library C:\PROGRAM FILES\AVAATION\ace.dll (*** hidden *** ) @ C:\PROGRAM FILES\AVAATION\BMPCLTUI.EXE [244] 0x10000000 <-- ROOTKIT !!!
Library C:\PROGRAM FILES\AVAATION\WinGenerics.dll (*** hidden *** ) @ C:\PROGRAM FILES\AVAATION\BMPCLTUI.EXE [244] 0x00A30000 <-- ROOTKIT !!!

Process C:\WINDOWS\SYSTEM32\AAMIXSSO.EXE (*** hidden *** ) 260 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\AAMIXSSO.EXE (*** hidden *** ) @ C:\WINDOWS\SYSTEM32\AAMIXSSO.EXE [260] 0x00400000 <-- ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File C:\Program Files\Avaation
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{1DF014E9-2A7C-4277-BD8A-14E12CE58FD5}
File C:\WINDOWS\system32\aamixsso.exe
File C:\WINDOWS\system32\drivers\tsbkdump.sys

---- EOF - GMER 1.0.10 ----
ROOTKITS BAD!

#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 29 June 2006 - 07:13 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

#10 zemoman

zemoman
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:United States, Everett, MA
  • Local time:05:20 PM

Posted 29 June 2006 - 08:44 PM

I cant't boot in to safe mode when I try to boot into safe mode my computer resets and goes back to the F8 screen and on the top of that sreen there it says "we apologies for the inconvenience but your computer was unable to boot into safe mode to protect files on your computer". So will I ever be able to boot into safe mode? CAN YOU PLEASE HELP ME! :thumbsup:
ROOTKITS BAD!

#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 01 July 2006 - 05:00 AM

Try running the fix from Normal Mode.

#12 zemoman

zemoman
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:United States, Everett, MA
  • Local time:05:20 PM

Posted 01 July 2006 - 10:20 PM

when i download it it shows up on my desktop ( i think it is already unzipped ) and when i double click on it and then double click on the runthis icon it syas it will not work if im not in safe mode should i still run it?
ROOTKITS BAD!

#13 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 02 July 2006 - 05:35 AM

Please post an uninstall list please,
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file.
  • When you press Save button a notepad will open with the contents of that file.
  • Simply copy and paste the contents of that notepad into this topic please.


#14 zemoman

zemoman
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:United States, Everett, MA

Posted 03 July 2006 - 02:55 PM

OK HERE IT IS:

AI RoboForm (All Users)
CC_ccProxyExt
ccCommon
CCleaner (remove only)
ccPxyCore
Conexant SoftK56 Modem(M)
CXP Plug-In
Dr Watson for Microsoft Windows OneCare Live v1.0.0971.12
Dragon NaturallySpeaking 8
Google Earth
HijackThis 1.99.1
Hotfix for Windows XP (KB915865)
Intel® 845G Chipset Graphics Driver Software
Internet Explorer 7 Beta 2
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
McAfee Clean Up Tool
Microsoft .NET Framework 2.0
Microsoft XML Parser and SDK
MSRedist
MSXML 4.0 SP2 Parser and SDK
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2006
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2006 (Symantec Corporation)
Norton Protection Center
Norton WMI Update
Norton WMI Update
PestPatrolv5
RentMaster
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SPBBC
SST Programming Software
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB914882)
Viewpoint Media Player
Westwood Shared Internet Components
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Safety Scanner
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Yahoo! Messenger
ROOTKITS BAD!

#15 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 03 July 2006 - 04:13 PM

Guess we are going to have to try to do this the hard way.

Post a fresh HijackThis Start Up log.

Open HijackThis and Click the "Open Misc Tools Section" tab.

Select Generate StartUpList log and make sure that both Boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a NotePad Page,I need you to copy the entire contents of that page to the next reply.


EDIT: Do me a favor and see if this tool will allow you to boot into safe mode.
http://www.superadblocker.com/bootsafe.html

Select Safe Mode-Minimal and lets see what happens.

Edited by Cretemonster, 03 July 2006 - 04:35 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users