new rootkit variant for the family sp##.sys


  • This topic is locked
9 replies to this topic

#1 _T_

_T_

  • Members
  • 5 posts

Posted 23 May 2011 - 09:44 AM

The case involves 3 PCs from different users. I recognized the similar rootkit method and started a comprehensive effort. I'm yet unable to eradicate it. To put it down in this report, I'll expose the details of the most compromised one: the one with some P2P clients + MMORPG installed + Chinese USB drives.

WHAT I'VE FOUND (on all 3 pc's)
-----------------------------------
(1) a lot of hijacks in the SSDT. 50% with a named driver, 50% hex addresses (0x???????).

(2) the stealth driver uses a pattern for the filename: "sp??.sys". The name varies from machine to machine.
Some names I've found so far:
- spwa.sys
- spek.sys
- spxe.sys
- spbz.sys
- spom.sys
- sppn.sys

(3) interestingly, it can survive gmer/RootRepeal action. If you remove it and reboot, you'll find it back in place, with a new name respecting the pattern (e.g. you remove spex.sys, reboot, detect spfu.sys).

(4) the rootkit is detectable in aswMBR. Some examples:
01:15:20.968 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spek.sys >>UNKNOWN [0x8738a938]<<
19:27:27.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spxe.sys >>UNKNOWN [0x8738a938]<<
21:03:16.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spom.sys >>UNKNOWN [0x8738a938]<<


INSIGHTS
------------------------
The target computer has been using Comodo Firewall (free), which appears often in SSDT, and Avira Antivir Personal (free) and Spybot (free) and SuperAntiSpyware and MalwareBytes (free). The user seems wise, but that rootkit is evil.

I dumped the sp??.sys with RootRepeal. The file seems different from machine to machine. The file remains the same "inside one machine". That is, if you remove it via gmer, the rootkit comes back at the next reboot as I said, but it's the same file on that machine. I'm attaching it to make this case easier and let you analyze the code.

RootRepeal shows a lot of hijacks in IRQs too. I'll attach the RootRepeal log, too.

I dumped the MBR with aswMBR, and again I'll attach it to make your work easier.

Avira Rescue CD was able to find a botnet installer inside a .zip. Detection was "Zbot". I wonder if the user ran it...

Combofix ran (without script), detected and deleted 3 malware, but not the rootkit. I'll attach both the log and the quarantined files for your eyes.

Malwarebytes got 1 doubtful registry configuration. Nothing else. The log is attached, obviously.

The target machine had Alcohol 120% but it was removed a long time ago.

HALL OF FAIL (who failed so far; all tools were updated!)
---------------------------------------------------------
Avira Antivir Personal: failed as base protection
Comodo Firewall: as above, in the firewall role.
Spybot S&D: ran, got just some tracing cookies.
Malwarebytes: ran, got 1 registry misconfiguration. I was expecting more from this guy.
gmer: doesn't suffice alone. Tried "restore SSDT" on all hooks. The evil came back at the next reboot.
RootRepeal: good detection, no cleaning. You can restore the SSDT from here, and nothing happens. The rootkit retains the hooks, or just re-infects in microseconds. Can't clean IRQs from here.
Combofix: doesn't suffice without a CFScript. Deleted 3 files (other malware) but not the rootkit. I left it installed just in case.
Avira Rescue CD: found a botnet installer inside a .zip file. No rootkit detection.
Kaspersky Rescue Disk: nothing found.
TDSSKiller: found that c:\windows\system\sptd is blocked. Sounded promising. Went ahead and got "system not infected" at the end of the scan. Weird.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by me at 9:55:28 on 2011-05-23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1022.238 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {00000000-0012-0014-00EC-FD7F00000802}
AV: AntiVir Desktop *Enabled/Updated* {001300D4-0000-0000-1000-00007454927C}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0000-0000-1200-140000ECFD7F}
AV: AntiVir Desktop *Disabled/Updated* {00000002-0002-0000-6C25-9E7C08000A00}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0000-0000-1200-140000FCFD7F}
AV: AntiVir Desktop *Enabled/Updated* {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *Enabled/Updated* {001400D4-0000-0000-1000-00007454927C}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0012-0014-00DC-FD7F00000802}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0000-0000-2303-927C0000FD7F}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0012-0014-00FC-FD7F00000802}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0000-0000-1200-140000DCFD7F}
FW: COMODO Firewall Pro *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Programmi\Process Blocker\Process Blocker.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\IObit\Smart Defrag 2\SmartDefrag.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Apoint2K\Apoint.exe
C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
C:\Programmi\Everything\Everything.exe
C:\WINDOWS\vsnpstd.exe
C:\Programmi\FreeSoft\Uranium\Uranium.exe
C:\Programmi\Apoint2K\Apntex.exe
C:\Programmi\Taskbar Shuffle\taskbarshuffle.exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\Programmi\Launchy\Launchy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\me\Dati applicazioni\Dropbox\bin\Dropbox.exe
C:\Programmi\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
C:\DOCUME~1\me\IMPOST~1\Temp\TeamViewer\Version6\TeamViewer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\uTorrent\uTorrent.exe
c:\docume~1\me\impost~1\temp\teamviewer\version6\TeamViewer_Desktop.exe
C:\DOCUME~1\me\IMPOST~1\Temp\TeamViewer\Version6\tv_w32.exe
D:\Desktop\assist\dds23552.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.it/
uInternet Connection Wizard,ShellNext = hxxp://www.google.it/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programmi\java\jre1.6.0_07\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Uranium] c:\programmi\freesoft\uranium\Uranium.exe reg
uRun: [Taskbar Shuffle] c:\programmi\taskbar shuffle\taskbarshuffle.exe
mRun: [ATIPTA] c:\programmi\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMAXPnP] c:\programmi\analog devices\soundmax\SMax4PNP.exe
mRun: [Apoint] c:\programmi\apoint2k\Apoint.exe
mRun: [hpWirelessAssistant] c:\programmi\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [eabconfg.cpl] c:\programmi\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\programmi\hpq\default settings\cpqset.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [avgnt] "c:\programmi\avira\antivir desktop\avgnt.exe" /min
mRun: [HP Software Update] "c:\programmi\hp\hp software update\HPWuSchd2.exe"
mRun: [Everything] "c:\programmi\everything\Everything.exe" -startup
mRun: [COMODO Firewall Pro] "c:\programmi\comodo\firewall\cfp.exe" -h
mRun: [Adobe Reader Speed Launcher] "c:\programmi\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\programmi\file comuni\adobe\arm\1.0\AdobeARM.exe"
mRun: [snpstd] c:\windows\vsnpstd.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\me\menuav~1\progra~1\esecuz~1\dropbox.lnk - c:\documents and settings\me\dati applicazioni\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\me\menuav~1\progra~1\esecuz~1\screen~1.lnk - c:\programmi\wisdom-soft screenhunter 5 free\ScreenHunter.exe
StartupFolder: c:\docume~1\me\menuav~1\progra~1\esecuz~1\todotx~1.lnk - d:\my dropbox\TODO.txt
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\launchy.lnk - c:\programmi\launchy\Launchy.exe
IE: Add to &Teleport
IE: Download with GetRight
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel
IE: MediaManager tool grab multimedia file - c:\programmi\mp3 player utilities 4.00\mediamanager\grab.html
IE: Open with GetRight Browser
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\programmi\java\jre1.6.0_07\bin\ssv.dll
LSP: c:\windows\system32\PGPlsp.dll
DPF: {00000055-9980-0010-8000-00AA00389B71}
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A}
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141641708437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F}
DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
TCP: {444185EC-68A3-4B77-962D-FF500F41E426} = 208.67.222.222,208.67.220.220
TCP: {50ECF7E9-1C59-4581-9417-D76C4162D0B4} = 192.168.1.1
Notify: !SASWinLogon - c:\programmi\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\programmi\stardock\fences\FencesMenu.dll
SEH: RadExeExt Class: {35b2861b-2b26-4691-9ff0-09083722c736} - c:\windows\system32\RadExe.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programmi\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\me\dati applicazioni\mozilla\firefox\profiles\8ei3d7f4.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - plugin: c:\documents and settings\me\impostazioni locali\dati applicazioni\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: TrackMeNot: trackmenot@mrl.nyu.edu - %profile%\extensions\trackmenot@mrl.nyu.edu
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - %profile%\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
FF - Ext: Nuke Anything Enhanced: {1ced4832-f06e-413f-aa14-9eb63ad40ace} - %profile%\extensions\{1ced4832-f06e-413f-aa14-9eb63ad40ace}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: ShowIP: {3e9bb2a7-62ca-4efa-a4e6-f6f6168a652d} - %profile%\extensions\{3e9bb2a7-62ca-4efa-a4e6-f6f6168a652d}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Copy Plain Text: {723AAF16-AF1F-4404-A5D7-0BFE39766605} - %profile%\extensions\{723AAF16-AF1F-4404-A5D7-0BFE39766605}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - %profile%\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}
FF - Ext: CoolPreviews : {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B} - %profile%\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Extended Statusbar: {daf44bf7-a45e-4450-979c-91cf07434c3d} - %profile%\extensions\{daf44bf7-a45e-4450-979c-91cf07434c3d}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Clipmarks: {e1170235-2845-420c-acc3-42261a29dd46} - %profile%\extensions\{e1170235-2845-420c-acc3-42261a29dd46}
FF - Ext: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - %profile%\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}
FF - Ext: Media Converter: {6e764c17-863a-450f-bdd0-6772bd5aaa18} - %profile%\extensions\{6e764c17-863a-450f-bdd0-6772bd5aaa18}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Firecookie: firecookie@janodvarko.cz - %profile%\extensions\firecookie@janodvarko.cz
FF - Ext: Fast Dial: fastdial@telega.phpnet.us - %profile%\extensions\fastdial@telega.phpnet.us
FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Auto Copy: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F} - %profile%\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
FF - Ext: Multiple Tab Handler: multipletab@piro.sakura.ne.jp - %profile%\extensions\multipletab@piro.sakura.ne.jp
FF - Ext: SkipScreen: SkipScreen@SkipScreen - %profile%\extensions\SkipScreen@SkipScreen
FF - Ext: Tab Scope: tabscope@xuldev.org - %profile%\extensions\tabscope@xuldev.org
FF - Ext: ErrorZilla Mod: ErrorZillaMod@jaybaldwin - %profile%\extensions\ErrorZillaMod@jaybaldwin
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programmi\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-28 28544]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-3-20 13496]
R1 avgio;avgio;c:\programmi\avira\antivir desktop\avgio.sys [2009-5-19 11608]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-6-11 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-11 24208]
R1 SASDIFSV;SASDIFSV;c:\programmi\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\programmi\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirScheduler;Avira AntiVir Scheduler;c:\programmi\avira\antivir desktop\sched.exe [2009-5-19 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programmi\avira\antivir desktop\avguard.exe [2009-5-19 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-19 56816]
R2 cmdAgent;COMODO Firewall Pro Helper Service;c:\programmi\comodo\firewall\cmdagent.exe [2010-6-11 519936]
R2 Process Blocker;Process Blocker;c:\programmi\process blocker\Process Blocker.exe [2010-4-22 106712]
S2 esentprf32;Server Database Storage Performance Library;c:\windows\system32\rundll32.exe esentprf32.dll,uhon --> c:\windows\system32\rundll32.exe esentprf32.dll,uhon [?]
S3 IrCOMM2k;Virtual IR COM Port;c:\windows\system32\drivers\ircomm2k.sys --> c:\windows\system32\drivers\ircomm2k.sys [?]
S3 IrDAFw2k;IrDA Forward Adapter;c:\windows\system32\drivers\irdafw2k.sys --> c:\windows\system32\drivers\irdafw2k.sys [?]
S3 PORTMON;PORTMON;\??\c:\programmi\utilities\portmsys.sys --> c:\programmi\utilities\PORTMSYS.SYS [?]
S3 ZD1211U(Sitecom);Sitecom Wireless Network USB Adapter 54G WL-117(Sitecom);c:\windows\system32\drivers\ZD1211U.sys [2007-11-30 233472]
S4 ConnectionMonitor;ConnectionMonitor;"c:\docume~1\me\impost~1\temp\~acetemp\connectionmonitor_eng\connectionmonitor.exe" /run_service --> c:\docume~1\me\impost~1\temp\~acetemp\connectionmonitor_eng\ConnectionMonitor.exe [?]
S4 HDDlife HDD Access service;HDDlife HDD Access service;c:\programmi\file comuni\binarysense\hldasvc.exe [2007-8-9 816376]
S4 MGTZL;MGTZL;c:\docume~1\me\impost~1\temp\mgtzl.exe --> c:\docume~1\me\impost~1\temp\MGTZL.exe [?]
S4 WYN;WYN;c:\docume~1\me\impost~1\temp\wyn.exe --> c:\docume~1\me\impost~1\temp\WYN.exe [?]
.
=============== Created Last 30 ================
.
2011-05-21 14:33:33 -------- d-----w- c:\programmi\Process Blocker
2011-05-14 19:23:16 -------- d-sha-r- C:\cmdcons
2011-05-14 19:18:57 98816 ----a-w- c:\windows\sed.exe
2011-05-14 19:18:57 89088 ----a-w- c:\windows\MBR.exe
2011-05-14 19:18:57 256512 ----a-w- c:\windows\PEV.exe
2011-05-14 19:18:57 161792 ----a-w- c:\windows\SWREG.exe
2011-05-12 23:25:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-06 18:11:12 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-05-01 21:19:08 -------- d-----w- C:\latino51 avanzato
.
==================== Find3M ====================
.
2011-03-07 05:33:45 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-06 22:27:44 49 ----a-w- c:\windows\wpd99.drv
2011-03-05 12:39:40 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-03-04 06:36:21 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:53:31 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 16:04:32 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-02-23 15:54:12 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-02-22 23:05:47 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:05:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:05:47 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:42:13 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 9.57.03,35 ===============

Edited by Noviciate, 26 May 2011 - 03:07 PM.


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 23 May 2011 - 04:56 PM

Good evening. :)

http://www.bleepingcomputer.com/startups/sptd.sys-13477.html - sptd.sys is a legitimate driver for some disk emulation software which is responsible for a semi-randomly named driver sp**.sys. I understand that it is also part of some burning software...

The target machine had Alcohol 120% but it was removed a long time ago.

It may be that it didn't all get uninstalled. If you look at the CF log:

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/05/2009 20.13.28 717296]

I suggest you remove the driver and see if your mystery drivers stop appearing.

So long, and thanks for all the fish.
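The two posts above come down to one triage question: does an sp??.sys driver in the aswMBR disk stack have a benign owner, namely a registered sptd service, or not? The script below is an added example written for this thread, not code from either poster or from any of the tools mentioned. It parses a few constructed log lines shaped like the aswMBR stack lines and DDS service entries quoted here, flags drivers matching the sp??.sys naming (note that sptd.sys itself fits that pattern), and correlates them with the service list. The "service image under a Temp directory" check is an added heuristic of mine, prompted by the S4 entries in the DDS log, not something the thread asserts.

```python
import re

# Constructed sample input, modelled on the aswMBR disk-stack lines and the
# DDS "SERVICES / DRIVERS" entries quoted in this thread. The third aswMBR
# line is a made-up clean one so the parser has a negative case.
ASWMBR_LINES = [
    "01:15:20.968 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spek.sys >>UNKNOWN [0x8738a938]<<",
    "19:27:27.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spxe.sys >>UNKNOWN [0x8738a938]<<",
    "09:00:00.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys",
]
DDS_SERVICE_LINES = [
    r"R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/05/2009 20.13.28 717296]",
    r"R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-28 28544]",
    r"S4 MGTZL;MGTZL;c:\docume~1\me\impost~1\temp\mgtzl.exe --> c:\docume~1\me\impost~1\temp\MGTZL.exe [?]",
]

# sp??.sys: two letters after "sp", the naming SPTD uses for its helper driver.
# sptd.sys itself also matches this pattern.
SP_DRIVER = re.compile(r"\bsp[a-z]{2}\.sys\b", re.IGNORECASE)

# DDS service entry: "<start type> <name>;<display name>;<image path ...>"
SERVICE_LINE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")


def stack_sp_drivers(lines):
    """(driver name, aswMBR printed >>UNKNOWN on that line) for every sp??.sys in the disk stack."""
    found = []
    for line in lines:
        for m in SP_DRIVER.finditer(line):
            found.append((m.group(0).lower(), ">>UNKNOWN" in line))
    return found


def parse_services(lines):
    """Split DDS service/driver entries into start type, name, display name and image path."""
    entries = []
    for line in lines:
        m = SERVICE_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["path"] = entry["path"].strip()
            entries.append(entry)
    return entries


def sptd_installed(services):
    """True if the sptd service (the SPTD driver shipped with Alcohol 120% / Daemon Tools) is registered."""
    return any(s["name"].lower() == "sptd" for s in services)


def temp_dir_services(services):
    """Names of services whose image path points under a Temp directory (heuristic assumed
    here: services living in Temp deserve a look whatever the sp??.sys verdict is)."""
    return [s["name"] for s in services if "\\temp\\" in s["path"].lower()]


def triage(aswmbr_lines, dds_lines):
    """Correlate the two logs: an sp??.sys driver plus a registered sptd service is the SPTD
    leftover this thread ends up describing; an sp??.sys driver with no sptd service has no
    such benign explanation and needs real analysis of the dumped file."""
    sp_drivers = stack_sp_drivers(aswmbr_lines)
    services = parse_services(dds_lines)
    has_sptd = sptd_installed(services)
    verdicts = {}
    for name, flagged in sp_drivers:
        if has_sptd:
            verdicts[name] = ("sptd service present: consistent with SPTD's randomly named helper driver; "
                              "uninstall SPTD and re-scan before calling it a rootkit")
        else:
            verdicts[name] = "no sptd service: sp??.sys name has no known benign owner here; dump and analyse the file"
        if flagged:
            verdicts[name] += " (aswMBR reported >>UNKNOWN<< on this stack line)"
    return {
        "sp_drivers": sp_drivers,
        "sptd_installed": has_sptd,
        "verdicts": verdicts,
        "temp_services": temp_dir_services(services),
    }


if __name__ == "__main__":
    result = triage(ASWMBR_LINES, DDS_SERVICE_LINES)
    for name, verdict in result["verdicts"].items():
        print(f"{name}: {verdict}")
    print("services under Temp:", result["temp_services"])
```

Run it on the real aswMBR and DDS logs by replacing the two constructed lists with the files' lines; the point of `triage` is only to stop a semi-random driver name from being treated as proof of a rootkit while a disk-emulation driver that is known to produce such names is still registered. Once SPTD is gone, any sp??.sys that survives a reboot falls into the "no sptd service" branch and deserves the file analysis the original poster was already preparing.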

 

 


#3 _T_

_T_
  • Topic Starter

  • Members
  • 5 posts

Posted 24 May 2011 - 02:50 AM

Thanks for the hint. I'll do that ASAP. I'm thinking that a rootkit gained full control of that .sys driver, so it denied the proper uninstall of Alcohol in order to survive. Nowadays, it stays within the driver.
This can also explain this behaviour:

SAFE MODE UNLOADS SPTD.SYS
-------------------------------------
Reboot to safe mode
during startup, keep pressing F8 or CTRL
select "Safe mode".
be careful now
watch the loading of drivers in the last screen row
press ESC quickly when you see "Press ESC to stop loading SPTD.SYS". It lasts only 3 seconds.
You now access Windows XP in safe mode, SPTD not loaded.
gmer and RootRepeal show NO HOOKS AT ALL IN THE SSDT: no SP??.sys hooks and also no malicious HEX 0x??????? hooks
gmer log is a lot cleaner in all other areas.

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 24 May 2011 - 04:07 PM

Good evening. :)

If the only issue you have with the driver is the hooks, then you may be misjudging it. Such items are used by both malicious and legitimate software and sptd.sys, if it were legitimate, would use them.
With a quick Google: http://forum.alcohol-soft.com/index.php?/topic/29415-purpose-of-sptdsys/

So long, and thanks for all the fish.

 

 


#5 _T_

_T_
  • Topic Starter

  • Members
  • 5 posts

Posted 25 May 2011 - 03:12 AM

SPTD removed (using this howto).

I'm attaching the new scans.

with gmer, I got rid of these entries ("restore code" action):
---- Kernel code sections - GMER 1.0.15 ----

.text           USBPORT.SYS!DllUnload                                                                                                                                  F6FE68AC 5 Bytes  JMP 870674E0 
.text           ntdll.dll!NtClose                                                                                                                                      7C91CFEE 5 Bytes  JMP 00395060 
.text           ntdll.dll!LdrUnloadDll     

---- User code sections - GMER 1.0.15 ----
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ntdll.dll!NtQueryInformationProcess                            7C91D7FE 5 Bytes  JMP 00469CE0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] kernel32.dll!DeviceIoControl                                   7C801629 7 Bytes  JMP 00469FB0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] kernel32.dll!CreateFileA                                       7C801A28 5 Bytes  JMP 00469D70 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] kernel32.dll!CreateFileW                                       7C810800 5 Bytes  JMP 00469EC0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] kernel32.dll!IsDebuggerPresent                                 7C813133 6 Bytes  JMP 0054BB30 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegOpenKeyExW                                     77F46AAF 5 Bytes  JMP 0041F130 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegCloseKey                                       77F46C27 5 Bytes  JMP 0041EE60 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegQueryValueExW                                  77F46FFF 5 Bytes  JMP 0041F250 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegCreateKeyExW                                   77F4776C 5 Bytes  JMP 0041EF20 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegOpenKeyExA                                     77F47852 5 Bytes  JMP 0041F100 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegOpenKeyW                                       77F47946 5 Bytes  JMP 0041F0E0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegQueryValueExA                                  77F47ABB 5 Bytes  JMP 0041F220 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegEnumKeyExW                                     77F47BD9 5 Bytes  JMP 0041F030 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegEnumValueW                                     77F47EED 5 Bytes  JMP 0041F090 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegSetValueExW                                    77F4D767 7 Bytes  JMP 0041F310 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegQueryValueW                                    77F4D87A 5 Bytes  JMP 0041F1F0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegCreateKeyExA                                   77F4E9F4 5 Bytes  JMP 0041EF00 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegSetValueExA                                    77F4EAE7 7 Bytes  JMP 0041F2E0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegDeleteValueA                                   77F4ECE5 5 Bytes  JMP 0041EFA0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegDeleteValueW                                   77F4EDF1 5 Bytes  JMP 0041EFD0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegOpenKeyA                                       77F4EFC8 5 Bytes  JMP 0041F0C0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegDeleteKeyA                                     77F542A0 5 Bytes  JMP 0041EF40 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegQueryInfoKeyA                                  77F54332 5 Bytes  JMP 0041F160 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegQueryInfoKeyW                                  77F549CE 5 Bytes  JMP 0041F190 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegEnumKeyExA                                     77F551B6 5 Bytes  JMP 0041F000 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegDeleteKeyW                                     77F5559B 5 Bytes  JMP 0041EF70 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegFlushKey                                       77F64CE0 5 Bytes  JMP 0041EE90 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegEnumValueA                                     77F69BBF 5 Bytes  JMP 0041F060 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegCreateKeyW                                     77F6BA55 5 Bytes  JMP 0041EEE0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegQueryValueA                                    77F6BB8D 5 Bytes  JMP 0041F1C0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegCreateKeyA                                     77F6BCF3 5 Bytes  JMP 0041EEC0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegSetValueA                                      77F6C79E 5 Bytes  JMP 0041F280 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ADVAPI32.dll!RegSetValueW                                      77FA6116 5 Bytes  JMP 0041F2B0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] ole32.dll!CoCreateInstance                                     774CF1AC 5 Bytes  JMP 0041F4F0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] USER32.dll!ChangeDisplaySettingsExA                            7E3A384E 5 Bytes  JMP 00473CC0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2976] USER32.dll!ChangeDisplaySettingsExW                            7E3D95BD 5 Bytes  JMP 00473CF0 C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text           C:\Programmi\Mozilla Firefox\firefox.exe[3432] ntdll.dll!LdrLoadDll

I'm still concerned by these ones:
Unnamed hooks - I've tried "restore SSDT". They reappear at every reboot.
SSDT            F7B1F41E                                                                                                                              ZwCreateKey
SSDT            F7B1F414                                                                                                                              ZwCreateThread
SSDT            F7B1F423                                                                                                                              ZwDeleteKey
SSDT            F7B1F42D                                                                                                                              ZwDeleteValueKey
SSDT            F7B1F432                                                                                                                              ZwLoadKey
SSDT            F7B1F400                                                                                                                              ZwOpenProcess
SSDT            F7B1F405                                                                                                                              ZwOpenThread
SSDT            F7B1F43C                                                                                                                              ZwReplaceKey
SSDT            F7B1F437                                                                                                                              ZwRestoreKey
SSDT            F7B1F428                                                                                                                              ZwSetValueKey
SSDT            F7B1F40F                                                                                                                              ZwTerminateProcess
Kernel entries - I've tried "restore code". They reappear at every reboot.
init            C:\WINDOWS\system32\drivers\tifm21.sys                                                                                                entry point in "init" section [0xF6E338BF]
init            C:\WINDOWS\system32\drivers\senfilt.sys                                                                                               entry point in "init" section [0xF6D38F80]
?               C:\DOCUME~1\me\IMPOST~1\Temp\mbr.sys                                                                                                  Impossibile trovare il file specificato. !
Files (suspicious?):
2011-05-24 05:54:40	98816	----a-w-	c:\windows\sed.exe
2011-05-24 05:54:40	89088	----a-w-	c:\windows\MBR.exe
2011-05-24 05:54:40	256512	----a-w-	c:\windows\PEV.exe
2011-05-24 05:54:40	161792	----a-w-	c:\windows\SWREG.exe
I maxed my quota. The above files are here (external link).

What should I do?

Edited by _T_, 25 May 2011 - 04:06 AM.
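A small triage helper for the SSDT part of a GMER log, added here as an example (it is not from the post, from GMER, or from any tool mentioned in this thread). It parses lines of the shape `SSDT <address> Zw...` and `SSDT <driver path> Zw...`, counts how many hooks the scanner could not attribute to a named driver, and groups the unnamed hook targets by address proximity. The eleven SSDT entries in the sample are the ones quoted above; the single named-driver line is constructed, with `example.sys` as a placeholder path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of a GMER log. The eleven "SSDT <addr> Zw*"
# lines are the ones quoted in the post above; the named-driver line uses a
# placeholder path (example.sys) and is constructed for illustration.
SAMPLE_LOG = """\
SSDT            F7B1F41E    ZwCreateKey
SSDT            F7B1F414    ZwCreateThread
SSDT            F7B1F423    ZwDeleteKey
SSDT            F7B1F42D    ZwDeleteValueKey
SSDT            F7B1F432    ZwLoadKey
SSDT            F7B1F400    ZwOpenProcess
SSDT            F7B1F405    ZwOpenThread
SSDT            F7B1F43C    ZwReplaceKey
SSDT            F7B1F437    ZwRestoreKey
SSDT            F7B1F428    ZwSetValueKey
SSDT            F7B1F40F    ZwTerminateProcess
SSDT            \\SystemRoot\\System32\\Drivers\\example.sys    ZwCreateFile
"""

SSDT_LINE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)")
HEX_ADDR = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class SsdtHook:
    function: str
    address: Optional[int]   # hook target when the scanner printed a bare address
    module: Optional[str]    # driver path when the scanner could attribute the hook


def parse_ssdt_hooks(log_text: str) -> List[SsdtHook]:
    """Extract SSDT hook entries; other lines (inline .text hooks etc.) are skipped."""
    hooks = []
    for raw in log_text.splitlines():
        m = SSDT_LINE.match(raw.strip())
        if not m:
            continue
        target, function = m.group(1), m.group(2)
        if HEX_ADDR.match(target):
            hooks.append(SsdtHook(function, int(target, 16), None))
        else:
            hooks.append(SsdtHook(function, None, target))
    return hooks


def cluster_unnamed(hooks: List[SsdtHook], window: int = 0x1000) -> List[List[SsdtHook]]:
    """Group unnamed hooks whose targets lie within `window` bytes of the previous one.

    Targets that all sit inside one small region were most likely installed by
    one driver, even when the scanner could not name it.
    """
    unnamed = sorted((h for h in hooks if h.address is not None), key=lambda h: h.address)
    clusters: List[List[SsdtHook]] = []
    for h in unnamed:
        if clusters and h.address - clusters[-1][-1].address <= window:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters


def triage(log_text: str, window: int = 0x1000) -> dict:
    """Summarise the SSDT section of a GMER-style log for a first look."""
    hooks = parse_ssdt_hooks(log_text)
    report = {
        "total": len(hooks),
        "named": sum(1 for h in hooks if h.module is not None),
        "unnamed": sum(1 for h in hooks if h.address is not None),
        "clusters": [],
    }
    for group in cluster_unnamed(hooks, window):
        base = group[0].address
        report["clusters"].append({
            "base": base,
            "span": group[-1].address - base,
            "functions": [h.function for h in group],
        })
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['unnamed']} unnamed / {r['named']} named SSDT hooks")
    for c in r["clusters"]:
        print(f"  region 0x{c['base']:08X} (+0x{c['span']:X}): {', '.join(c['functions'])}")
```

On the sample, all eleven unnamed targets fall into one region starting at 0xF7B1F400 and only 0x3C bytes wide, which is the kind of signal a responder wants before deciding anything: one unattributed image is hooking process, thread and registry services together, and that matches the observation in the post that the hooks come back as a set after every reboot. The helper does not name the driver; the next step is to find which loaded image range contains that address (a driver listing or kernel debugger), which is what the scanner does itself when it manages to attribute a hook.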


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 25 May 2011 - 01:56 PM

Good evening. :)

Does the PC have any symptoms of an infection, or are you working on the presumption that if it shows up in a rootkit scanner, it must be a rootkit and hence malicious?

So long, and thanks for all the fish.


#7 _T_

_T_
  • Topic Starter

  • Members
  • 5 posts

Posted 26 May 2011 - 03:21 AM

Symptoms:

1. Blocked jotti.org. You can't connect to the popular online virus scan virusscan.jotti.org.

2. Continuous malware reinfections. Whenever I wipe one malware, it lasts 2-3 days until a new malware infects the system.

3. Slow PC startup (ca. 10 minutes).

4. System slowdown, unresponsiveness, MS Office takes minutes to start.

5. Slow shutdown (15 minutes).

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 26 May 2011 - 01:19 PM

Good evening. :)

The case involves 3 pc-s from different users.

Are these computers networked and are they business machines?

Edit: Install Date: 05/03/2006 3.34.38

Given the Windows installation date is over five years ago, I'd expect a degree of system slowdown from normal usage anyway.
Have you considered cutting your losses and just reformatting and reinstalling the OS?

Edited by Noviciate, 26 May 2011 - 03:32 PM.

So long, and thanks for all the fish.


#9 _T_

_T_
  • Topic Starter

  • Members
  • 5 posts

Posted 27 May 2011 - 03:46 AM

machine1 (used in the post) => user1, personal pc, home usage, p2p, online games
machine2 = user2!=user1, business machine in front office, LAN with machine3
machine3 = user3!=user2!=user1, business machine in backoffice, LAN with machine2.

I'll evaluate the re-formatting idea with the users. If they do not agree, which options do we still have to address the case?

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 27 May 2011 - 01:44 PM

Good evening. :)

With business machines, I'm not sure you have any other real options if you want guaranteed data security. The potential risks outweigh the time taken to reformat and reinstall, and it would be my first and only choice if they were PCs in my company. You also need to take into account the potential for cross-network infection, and so both PCs would need to be isolated for the duration of any cleaning, which may not be ideal.
It is a worst case scenario that drives the idea of R&R, but given the relatively small investment of time that you would have to make to do it, it is justified in my opinion to ensure a clean machine.


With the home PC, again I'm not sure you have a great deal of choice, but this time more from the length of time the OS has been up and running. Operating systems slow down with use and installations/uninstallations and updates, and nothing except a fresh install will solve that slowdown - I reinstall mine about every six months to keep things moving at their peak. When you add in the peer-to-peer software with its inherent risk of infection, I'd wipe this one straight away too. Removing the infections won't solve the speed issues, and it seems to me pointless to play hunt the infection if you are going to need to R&R at the end of it anyway.

EDIT: If you aren't willing to R&R the business machines then feel free to start fresh threads for each machine and somebody will be along as soon as possible to help. Without further information it's difficult to make a definitive judgement on this issue, but I'd still go with a fresh start as they are business machines.

Edited by Noviciate, 27 May 2011 - 02:04 PM.

So long, and thanks for all the fish.
