
2nd posting - Two system roots at boot time?


This topic is locked
27 replies to this topic

#1 dianasaur

dianasaur

  • Members
  • 77 posts
  • OFFLINE
  • Gender:Female
  • Location:Wofford Heights, California
  • Local time:04:49 AM

Posted 05 June 2011 - 06:00 PM

Hello again :busy:

I was asked to resubmit my original post,

http://www.bleepingcomputer.com/forums/topic399685.html

I forgot to mention in my first post the OS's of the machines involved--they are a mix of Windows XP, Windows 7, and Windows Server 2003. I have scrubbed the drives and rebuilt several of the machines multiple times, but the problems persist. Complete devastation.

A copy of the original post follows the scan results for DDS and GMER below...

Thanks again




@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

DDS Scan

The DDS scan was unable to finish. The black window popped up briefly (not long enough to read anything in it) then disappeared. No log file was produced and no error messages showed up in the system event logs.


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


GMER Scan
Here are the results of the GMER scan:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-05 15:27:30
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-e ST3500320AS rev.SD1A
Running: gmer.exe; Driver: C:\DOCUME~1\JOHN&D~1\LOCALS~1\Temp\uwryypog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwClose [0xA8FF8842]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwCreateKey [0xA8FF8638]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwDeleteKey [0xA8FF84E0]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwDeleteValueKey [0xA8FF8526]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwEnumerateKey [0xA8FF8426]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwEnumerateValueKey [0xA8FF8382]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwFlushKey [0xA8FF847A]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwLoadKey [0xA8FF89A6]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwOpenKey [0xA8FF8804]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwQueryKey [0xA8FF8072]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwQueryValueKey [0xA8FF819A]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwSetValueKey [0xA8FF82BE]
SSDT \??\C:\WINDOWS\system32\Drivers\PROCMON20.SYS (Process Monitor Driver/Sysinternals - www.sysinternals.com) ZwUnloadKey [0xA8FF8AF6]

---- EOF - GMER 1.0.15 ----


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

<copy of original post>
I work with a bunch of networked computers that have been acting very strange for the past few months. Some are periodically unable to read CD/DVD-ROM drives, and won't boot from them unless I pull and replace their CMOS batts & RAM. Printers and scanners keep disappearing, sometimes coming back on their own and other times requiring reinstallation. Microsoft Word & Excel crash a lot, and always want to recover files that don't exist.

System Event logs have a few entries in common--winlogon.exe events ("The shell stopped unexpectedly and Explorer.exe was restarted"), HHCTRL events (description unknown), and periodic disk events (timeouts, bad blocks).

Two machines have hard drives that can't be examined from any other system--they're either not seen or cause an immediate BSOD. I was able to access one drive from a linux system, but afterward that system was unable to display file system type and disk usage information for any of its volumes.

Most have lots of file corruption--chkdsk has to be run frequently to avoid BSODs. Sometimes scheduling chkdsk at startup fails--the system is unable to access volume for the chkdsk, but the OS still loads fine. Even weirder, if I keep trying the disk check will eventually run.

Malware scans usually come up clean. RootRepeal and Radix sometimes show hidden processes or handles; RootRepeal showed an MBR rootkit on two of them, but I was unable to remove it and had to rebuild them; Norman Malware Cleaner sometimes shows a process infected with W32/Delf.FFWG.

There is one thing that they all seem to have in common. Enabling boot logging in Sysinternals' ProcMon shows what appear to be two system roots during startup, (C:\) and (C:C:\). (C:\) looks normal, and (C:C:\) always looks like this:

C:C:
C:C:\WINDOWS
C:C:\WINDOWS\system32
C:C:\WINDOWS\system32\autochk.exe.Local
C:C:\WINDOWS\system32\csrss.exe.Local
C:C:\WINDOWS\system32\winlogon.exe.Local
C:C:\WINDOWS\system32\winlogon.exe.Local\

The system files with the .Local extension always result in PATH NOT FOUND or NAME INVALID in the boot log. All logs show autorun.inf, HVDVD_TS, and video_TS entries in C:\ that I can't see from within Windows. There are a growing number of other files that only show up in the procmon logs, but they seem to be different for each machine.

I don't know very much about ProcMon, and am not sure what to make of the results. It seems like there are two roots on the affected machines, and that's why there's so much confusion with the drives. I don't see the C:C: root when I run the utility on other computers.

Are the ProcMon results normal? If so, do any of the other symptoms sound familiar?

Thanks for all your help,
DianaM
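As an added example from the editor (not part of dianasaur's post and not a Sysinternals tool), the block below parses constructed rows laid out like a ProcMon CSV export and sorts them into the three things a responder would separate when reading a boot log like the one described: the `.Local` lookups, which are the Windows loader checking for an `<exe>.Local` DLL-redirection directory beside each executable it starts and which fail by design on a machine that has none; failed lookups directly in a drive root; and everything else. It also lists the distinct drive roots seen, so a doubled `C:C:` prefix stands out as a finding to chase rather than being buried among normal entries. The column names, the `Operation`/`Result` values and the sample rows are assumptions modelled on ProcMon's CSV export; only the paths are the ones quoted in the post.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout of a ProcMon CSV export. The paths are the ones
# quoted in the post; the Operation and Result columns are assumed values for illustration.
SAMPLE_LOG = r"""Process Name,Operation,Path,Result
smss.exe,CreateFile,C:C:\WINDOWS\system32\autochk.exe.Local,PATH NOT FOUND
csrss.exe,CreateFile,C:C:\WINDOWS\system32\csrss.exe.Local,NAME INVALID
winlogon.exe,CreateFile,C:C:\WINDOWS\system32\winlogon.exe.Local,PATH NOT FOUND
System,QueryDirectory,C:\autorun.inf,NAME NOT FOUND
System,QueryDirectory,C:\HVDVD_TS,NAME NOT FOUND
System,QueryDirectory,C:\video_TS,NAME NOT FOUND
winlogon.exe,CreateFile,C:\WINDOWS\system32\winlogon.exe,SUCCESS
"""

NOT_FOUND = {"NAME NOT FOUND", "PATH NOT FOUND", "NAME INVALID"}


def root_of(path):
    """Drive designator before the first backslash, e.g. 'C:' or 'C:C:'."""
    return path.split("\\", 1)[0]


def classify(row):
    path, result = row["Path"], row["Result"]
    if path.lower().endswith(".local") and result in NOT_FOUND:
        # The loader checks for an "<exe>.Local" DLL-redirection directory beside every
        # executable it starts; on a machine that has none, these lookups fail by design.
        return "dotlocal-probe"
    if result in NOT_FOUND and path.count("\\") == 1:
        # A failed lookup directly in a drive root: worth listing, not a verdict on its own.
        return "root-probe"
    return "other"


def summarize(log_text):
    """Distinct drive roots, a count per category, and the root-level paths to review."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    roots = sorted({root_of(r["Path"]) for r in rows})
    return {
        "roots": roots,
        "multiple_roots": len(roots) > 1,
        "kinds": dict(Counter(classify(r) for r in rows)),
        "review": sorted(r["Path"] for r in rows if classify(r) == "root-probe"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real export, the `kinds` counts tell you quickly whether the `.Local` noise is all there is, while `roots` and `review` isolate the two observations that actually differ between the affected and unaffected machines in the post.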


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:49 PM

Posted 15 June 2011 - 08:04 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 dianasaur

dianasaur
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Gender:Female
  • Location:Wofford Heights, California
  • Local time:04:49 AM

Posted 16 June 2011 - 04:22 AM

Hello m0le,

Yes, I'm still here, and ready to kick some worm-butt. :crazy:

We now have about 20 machines that appear to have the same thing...at least 3 servers, 9 workstations, a few laptops and 3 home computers I've led to slaughter in trying to get rid of it. Somehow it seems to be surviving complete system rebuilds, even with DOD scrubbing of the hard drives beforehand, and coming back even more vicious each time.

... :busy: Watching the thread and ready when you are!

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:49 PM

Posted 16 June 2011 - 05:52 PM

This is the most machines on a network I have had to deal with online. This is gonna be fun!!

I have suspicions about the rootkit which is controlling this; it survives rebuilds and it might be extremely difficult to detect. How able are you to disconnect the network for a period of time?

In the meantime let's see if we can find the culprit. aswMBR is the most up-to-date tool available so we'll start with running this on the workstations.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Please post the logs one after another naming them PC1 - PC9. The laptop and home systems can wait as they aren't connected to this network I am assuming.
m0le is a proud member of UNITE

#5 dianasaur

dianasaur
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Gender:Female
  • Location:Wofford Heights, California
  • Local time:04:49 AM

Posted 17 June 2011 - 07:40 AM

Hi Mole,

I actually live about 150 miles away from the servers, and the servers themselves are in a separate location from the office workstations. The office workstations and our computers here log on to the servers via Terminal Services. I had picked one of my computers here as a representative of the lot, but there are six others local to me that we can work on if you wish.

Here are the aswMBR logs for two of my machines. I will run the same scans on the other local machines today as well; please let me know if you would like me to post results for all seven.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-17 02:39:40
-----------------------------
02:39:40.875 OS Version: Windows 5.1.2600 Service Pack 3
02:39:40.875 Number of processors: 4 586 0x1C0A
02:39:40.875 ComputerName: EMMASAUR UserName:
02:39:41.187 Initialize success
02:40:02.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
02:40:02.671 Disk 0 Vendor: WDC_WD1600JS-75NCB3 10.02E04 Size: 152587MB BusType: 3
02:40:04.703 Disk 0 MBR read successfully
02:40:04.703 Disk 0 MBR scan
02:40:04.703 Disk 0 Windows XP default MBR code
02:40:06.703 Disk 0 scanning sectors +312496380
02:40:06.734 Disk 0 scanning C:\WINDOWS\system32\drivers
02:40:10.812 Service scanning
02:40:11.703 Disk 0 trace - called modules:
02:40:11.718 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
02:40:11.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a664ab8]
02:40:11.718 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000060[0x8a6f8be0]
02:40:11.718 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a654d98]
02:40:11.718 Scan finished successfully
02:41:45.703 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\John and Diana\Desktop\MBR.dat"
02:41:45.703 The log file has been saved successfully to "C:\Documents and Settings\John and Diana\Desktop\EMMASAUR.aswMBR.txt"


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-17 03:45:58
-----------------------------
03:45:58.410 OS Version: Windows 5.1.2600 Service Pack 3
03:45:58.410 Number of processors: 1 586 0x401
03:45:58.410 ComputerName: DIANASAUR UserName:
03:45:59.457 Initialize success
03:46:07.675 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-e
03:46:07.675 Disk 0 Vendor: ST3500320AS SD1A Size: 476940MB BusType: 3
03:46:09.675 Disk 0 MBR read successfully
03:46:09.675 Disk 0 MBR scan
03:46:09.675 Disk 0 Windows XP default MBR code
03:46:11.675 Disk 0 scanning sectors +976752000
03:46:11.691 Disk 0 scanning C:\WINDOWS\system32\drivers
03:46:14.785 Service scanning
03:46:15.660 Disk 0 trace - called modules:
03:46:15.660 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
03:46:15.660 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8acceab8]
03:46:15.660 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-e[0x8ac89d98]
03:46:15.660 Scan finished successfully
03:48:21.800 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\John & Diana\Desktop\MBR.dat"
03:48:21.800 The log file has been saved successfully to "C:\Documents and Settings\John & Diana\Desktop\Dianasaur.aswMBR.txt"

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I'm not sure if it helps, but PC1 only has a SATA hard drive--no IDE devices at all.

Thanks again! :busy:

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:49 PM

Posted 17 June 2011 - 04:35 PM

I would like to see the other seven, dianasaur. Those two are clean and that's fine but the MBR rootkit that I'm suspecting actually hides the recoded MBR from the scanner, which makes things a little more tricky.

Do you still have the RootRepeal logs showing the original rootkit detection? I would like to see one of those too.
m0le is a proud member of UNITE
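Added example from the editor, not a tool from this thread: it shows, on a constructed in-memory disk image, the two checks that the anti-rootkit tools discussed here report on. `cross_view_mismatches` compares the first sectors as returned by two different read paths, which is what a "user & kernel MBR OK" or a "Sector mismatch" line summarises and why a rootkit that hides the recoded MBR from one path can still be caught through the other. `find_mbr_copies` looks in the track-0 gap for parked copies of the MBR, which is what a "copy of MBR has been found in sector 61" line reports, and records whether sector 0 still carries the same boot code as the parked copy. The partition layout, the boot-code bytes, the 64-sector image size and the assumption that a parked copy shares the live partition table are all constructed for the demo; no real boot code or malware bytes are in it.

```python
import struct

SECTOR = 512
TRACK0_GAP = range(1, 63)   # sectors between the MBR and a first partition at LBA 63 (XP-era layout)
SIGNATURE = b"\x55\xaa"


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR: 446 bytes of boot code, four 16-byte partition entries, 0x55AA."""
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\x00" * 3, ptype, b"\x00" * 3, start, size)
        for bootable, ptype, start, size in partitions
    )
    return code + table.ljust(64, b"\x00") + SIGNATURE


def parse_mbr(sector):
    """Split a sector into (boot_code, [(bootable, type, start_lba, sectors), ...]); reject a bad signature."""
    if len(sector) != SECTOR or sector[510:] != SIGNATURE:
        raise ValueError("no 0x55AA boot signature")
    parts = []
    for i in range(4):
        flag, _, ptype, _, start, size = struct.unpack("<B3sB3sII", sector[446 + 16 * i: 462 + 16 * i])
        if ptype:
            parts.append((flag == 0x80, ptype, start, size))
    return sector[:446], parts


def sector_at(image, n):
    return image[n * SECTOR:(n + 1) * SECTOR]


def cross_view_mismatches(view_a, view_b):
    """Sector numbers at which two reads of the same disk disagree (the 'sector mismatch' idea)."""
    count = min(len(view_a), len(view_b)) // SECTOR
    return [n for n in range(count) if sector_at(view_a, n) != sector_at(view_b, n)]


def find_mbr_copies(image, sectors=TRACK0_GAP):
    """Gap sectors holding a parked MBR (same partition table, valid signature), mapped to whether
    their boot code equals sector 0's. False means sector 0 now runs different code than the copy."""
    code0, parts0 = parse_mbr(sector_at(image, 0))
    found = {}
    for n in sectors:
        sec = sector_at(image, n)
        if len(sec) == SECTOR and sec[510:] == SIGNATURE:
            code, parts = parse_mbr(sec)
            if parts and parts == parts0:
                found[n] = code == code0
    return found


def triage(raw_view, os_view):
    """Findings a responder acts on: mismatching sectors, parked MBR copies, partition layout."""
    mismatches = cross_view_mismatches(raw_view, os_view)
    copies = find_mbr_copies(raw_view)
    _, parts = parse_mbr(sector_at(raw_view, 0))
    return {
        "sector_mismatches": mismatches,
        "mbr_copies": copies,
        "partitions": parts,
        "suspect": bool(mismatches) or not all(copies.values()),
    }


# ---- constructed disk images (stand-in bytes, no real boot code) ----
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24   # stand-in for stock boot code
OTHER_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\xcc" * 24   # stand-in for a replaced loader
PARTITIONS = [(True, 0x07, 63, 2097152 - 63)]                            # one NTFS partition at LBA 63

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
OTHER_MBR = build_mbr(OTHER_BOOT_CODE, PARTITIONS)


def make_image(first_sector, parked=(), total=64):
    """Small disk image: the given sector 0, CLEAN_MBR parked in the listed gap sectors, zeros elsewhere."""
    img = bytearray(total * SECTOR)
    img[:SECTOR] = first_sector
    for n in parked:
        img[n * SECTOR:(n + 1) * SECTOR] = CLEAN_MBR
    return bytes(img)


RAW_DISK = make_image(OTHER_MBR, parked=(61, 62))   # what is physically in sectors 0, 61 and 62
OS_VIEW = make_image(CLEAN_MBR, parked=(61, 62))    # what a read through a tampered storage stack returns
HEALTHY = make_image(CLEAN_MBR, parked=(61, 62))    # clean disk whose installer left backups in the gap

if __name__ == "__main__":
    print(triage(RAW_DISK, OS_VIEW))
    print(triage(HEALTHY, HEALTHY))
```

The point of the two views is that a read through a compromised storage stack makes sector 0 and its parked copies look identical, so `find_mbr_copies` alone would call the copies harmless backups; only the raw read shows the copies as the displaced original, and only the cross-view comparison shows which sector the two paths disagree on.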

#7 dianasaur

dianasaur
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Gender:Female
  • Location:Wofford Heights, California
  • Local time:04:49 AM

Posted 18 June 2011 - 02:44 PM

Hi mole,

Here are the aswMBR scans for the rest of the local machines, and older RootRepeal and MBR logs from two on-site machines scanned a few weeks ago.

I noticed in the aswMBR scans that the hard drive controllers are always IDE devices, even though most of the drives scanned have the SATA interface. Is the IDE controller used for both interfaces? I'm curious because one of the recurring symptoms in this is a failure from within Linux or DOS to determine file & file system properties on the drives.

Thanks again!




@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC3
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-18 02:07:28
-----------------------------
02:07:28.687 OS Version: Windows 5.1.2600 Service Pack 3
02:07:28.687 Number of processors: 1 586 0x209
02:07:28.687 ComputerName: USER-80F25D8244 UserName: diana
02:07:29.781 Initialize success
02:07:43.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
02:07:43.234 Disk 0 Vendor: WDC_WD400BB-75DEA0 05.03E05 Size: 38146MB BusType: 3
02:07:45.250 Disk 0 MBR read successfully
02:07:45.250 Disk 0 MBR scan
02:07:45.250 Disk 0 Windows XP default MBR code
02:07:47.250 Disk 0 scanning sectors +78108030
02:07:47.328 Disk 0 scanning C:\WINDOWS\system32\drivers
02:07:53.968 Service scanning
02:07:55.843 Disk 0 trace - called modules:
02:07:55.890 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
02:07:55.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86362ab8]
02:07:55.890 3 CLASSPNP.SYS[f74d7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86381b00]
02:07:55.890 Scan finished successfully
02:09:24.187 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\diana\Desktop\MBR.dat"
02:09:24.187 The log file has been saved successfully to "C:\Documents and Settings\diana\Desktop\dianadell2.aswMBR.txt"





@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC4
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-18 05:41:28
-----------------------------
05:41:28.047 OS Version: Windows 5.1.2600 Service Pack 3
05:41:28.047 Number of processors: 2 586 0xF06
05:41:28.047 ComputerName: PATTIECAKE UserName: pattie
05:41:28.859 Initialize success
05:41:37.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
05:41:37.109 Disk 0 Vendor: ST3160812AS 3.ADJ Size: 152587MB BusType: 3
05:41:39.125 Disk 0 MBR read successfully
05:41:39.125 Disk 0 MBR scan
05:41:39.125 Disk 0 Windows XP default MBR code
05:41:41.125 Disk 0 scanning sectors +312496380
05:41:41.141 Disk 0 scanning C:\WINDOWS\system32\drivers
05:41:45.031 Service scanning
05:41:45.922 Disk 0 trace - called modules:
05:41:45.922 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
05:41:45.922 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a735ab8]
05:41:45.922 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a774d98]
05:41:45.922 Scan finished successfully
05:42:02.438 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Pattie Hagen\Desktop\MBR.dat"
05:42:02.438 The log file has been saved successfully to "C:\Documents and Settings\Pattie Hagen\Desktop\aswMBR.txt"




@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC5
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-17 22:57:49
-----------------------------
22:57:49.066 OS Version: Windows x64 6.1.7600
22:57:49.066 Number of processors: 8 586 0x1E05
22:57:49.066 ComputerName: PATTIE-PC UserName: pattie
22:57:51.522 Initialize success
22:58:13.624 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:58:13.628 Disk 0 Vendor: ST332041 CC46 Size: 305245MB BusType: 3
22:58:13.642 Disk 0 MBR read successfully
22:58:13.647 Disk 0 MBR scan
22:58:13.651 Disk 0 unknown MBR code
22:58:13.656 Service scanning
22:58:14.404 Disk 0 trace - called modules:
22:58:14.411 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
22:58:14.417 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004e81060]
22:58:14.423 3 CLASSPNP.SYS[fffff88000c0143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004b10050]
22:58:14.428 Scan finished successfully
22:59:15.947 Disk 0 MBR has been saved successfully to "C:\Users\pattie\Desktop\MBR.dat"
22:59:15.948 The log file has been saved successfully to "C:\Users\pattie\Desktop\PattyDesktop.aswMBR.txt"




@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC6
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-17 22:43:58
-----------------------------
22:43:58.262 OS Version: Windows 5.1.2600 Service Pack 3
22:43:58.262 Number of processors: 1 586 0xD08
22:43:58.262 ComputerName: PATTIELAPTOP UserName: Pattie
22:43:59.559 Initialize success
22:44:17.356 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:44:17.356 Disk 0 Vendor: SAMSUNG_MP0804H UE200-16 Size: 76319MB BusType: 3
22:44:19.387 Disk 0 MBR read successfully
22:44:19.387 Disk 0 MBR scan
22:44:19.387 Disk 0 unknown MBR code
22:44:21.387 Disk 0 scanning sectors +156296385
22:44:21.496 Disk 0 scanning C:\WINDOWS\system32\drivers
22:44:27.356 Service scanning
22:44:29.731 Disk 0 trace - called modules:
22:44:29.746 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
22:44:29.746 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x871daab8]
22:44:29.746 3 CLASSPNP.SYS[f75dbfd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x871ca970]
22:44:29.746 Scan finished successfully
22:45:30.106 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Pattie\Desktop\MBR.dat"
22:45:30.106 The log file has been saved successfully to "C:\Documents and Settings\Pattie\Desktop\JohnDell.aswMBR.txt"




@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC7
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

(RootRepeal throws DeviceIoControl Errors on this laptop on startup and won't initialize)

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-18 09:43:54
-----------------------------
09:43:54.278 OS Version: Windows 6.1.7600
09:43:54.278 Number of processors: 2 586 0x1C0A
09:43:54.278 ComputerName: ACERATOPS UserName: diana
09:44:03.919 Initialize success
09:44:20.081 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
09:44:20.096 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 3
09:44:20.112 Disk 0 MBR read successfully
09:44:20.128 Disk 0 MBR scan
09:44:20.128 Disk 0 Windows XP default MBR code
09:44:20.143 Disk 0 scanning sectors +488392065
09:44:20.174 Disk 0 scanning C:\Windows\system32\drivers
09:44:51.156 Service scanning
09:44:52.326 Disk 0 trace - called modules:
09:44:52.388 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys
09:44:52.404 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f1bac8]
09:44:52.420 3 CLASSPNP.SYS[87f7659e] -> nt!IofCallDriver -> [0x84177b90]
09:44:52.435 5 ACPI.sys[87cc43b2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8454c028]
09:44:52.451 Scan finished successfully
09:45:29.938 Disk 0 MBR has been saved successfully to "C:\Users\diana\Desktop\MBR.dat"
09:45:29.969 The log file has been saved successfully to "C:\Users\diana\Desktop\aswMBR.txt"



RootRepeal Error Log:

10:24:35: DeviceIoControl Error! Error Code = 0x0
10:24:35: DeviceIoControl Error! Error Code = 0x0
10:24:35: DeviceIoControl Error! Error Code = 0x0
10:24:35: DeviceIoControl Error! Error Code = 0x0
10:24:35: DeviceIoControl Error! Error Code = 0x0
10:24:35: DeviceIoControl Error! Error Code = 0x0
10:24:35: Could not scan drive C (error 0xc0000024)
10:24:38: Could not get the name for PID 4.
10:24:38: Could not get the name for PID 300.
10:24:38: Could not get the name for PID 432.
10:24:38: Could not get the name for PID 488.
10:24:38: Could not get the name for PID 496.
10:24:38: Could not get the name for PID 548.
10:24:38: Could not get the name for PID 572.
10:24:38: Could not get the name for PID 584.
10:24:38: Could not get the name for PID 616.
10:24:38: Could not get the name for PID 704.
10:24:38: Could not get the name for PID 784.
10:24:38: Could not get the name for PID 880.
10:24:38: Could not get the name for PID 912.
10:24:38: Could not get the name for PID 948.
10:24:38: Could not get the name for PID 1080.
10:24:38: Could not get the name for PID 1160.
10:24:38: Could not get the name for PID 1388.
10:24:38: Could not get the name for PID 1416.
10:24:38: Could not get the name for PID 1532.
10:24:38: Could not get the name for PID 1564.
10:24:38: Could not get the name for PID 1668.
10:24:38: Could not get the name for PID 1944.
10:24:38: Could not get the name for PID 336.
10:24:38: Could not get the name for PID 2008.
10:24:38: Could not get the name for PID 2732.
10:24:38: Could not get the name for PID 2768.
10:24:38: Could not get the name for PID 2792.
10:24:38: Could not get the name for PID 2816.
10:24:38: Could not get the name for PID 3284.
10:24:38: Could not get the name for PID 3536.
10:24:38: Could not get the name for PID 3544.
10:24:38: Could not get the name for PID 3560.
10:24:38: Could not get the name for PID 3568.
10:24:38: Could not get the name for PID 3584.
10:24:38: Could not get the name for PID 3616.
10:24:38: Could not get the name for PID 3664.
10:24:38: Could not get the name for PID 3676.
10:24:38: Could not get the name for PID 3712.
10:24:38: Could not get the name for PID 3832.
10:24:38: Could not get the name for PID 3828.
10:24:38: Could not get the name for PID 3872.
10:24:38: Could not get the name for PID 3924.
10:24:38: Could not get the name for PID 2220.
10:24:38: Could not get the name for PID 2340.
10:24:38: Could not get the name for PID 1924.
10:24:38: Could not get the name for PID 2976.
10:24:38: Could not get the name for PID 944.
10:24:38: Could not get the name for PID 3216.
10:24:38: Could not get the name for PID 1296.
10:24:38: Could not get the name for PID 1884.
10:24:38: Could not get the name for PID 3692.
10:24:38: Could not get the name for PID 3952.
10:24:38: Could not get the name for PID 780.
10:24:38: Could not get the name for PID 3880.
10:24:38: Could not get the name for PID 3732.
10:24:38: Could not get the name for PID 3696.
10:24:38: Could not get the name for PID 2984.
10:24:38: Could not get the name for PID 3204.
10:24:38: DeviceIoControl Error! Error Code = 0xc0000024
10:24:38: DeviceIoControl Error! Error Code = 0xc0000024
10:25:20: Warning - the number of SSDT entries from the kernel and the number on-disk are different (0 and 401).
10:25:20: DeviceIoControl Error! Error Code = 0x0
10:25:20: WARNING: The SSDT in our driver has been faked (0x00000250)!
10:25:20: DeviceIoControl Error! Error Code = 0x0
10:25:21: Could not get loaded modules!
10:25:21: DeviceIoControl Error! Error Code = 0x0
10:25:21: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000e4)
10:25:21: Could not read system registry! Please contact the author!
10:25:21: DeviceIoControl Error! Error Code = 0x0




@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC8 (On-site Dell Vostro laptop RootRepeal log)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2011/05/08 12:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7B74000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5FE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB699F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume F:\
Status: MBR Rootkit Detected!

Path: Volume F:\, Sector 1
Status: Sector mismatch

Path: Volume F:\, Sector 2
Status: Sector mismatch

Path: Volume F:\, Sector 3
Status: Sector mismatch

Path: Volume F:\, Sector 4
Status: Sector mismatch

Path: Volume F:\, Sector 5
Status: Sector mismatch

Path: Volume F:\, Sector 6
Status: Sector mismatch

Path: Volume F:\, Sector 7
Status: Sector mismatch

Path: Volume F:\, Sector 8
Status: Sector mismatch

Path: Volume F:\, Sector 9
Status: Sector mismatch

Path: Volume F:\, Sector 10
Status: Sector mismatch

Path: Volume F:\, Sector 11
Status: Sector mismatch

Path: Volume F:\, Sector 12
Status: Sector mismatch

Path: Volume F:\, Sector 13
Status: Sector mismatch

Path: Volume F:\, Sector 14
Status: Sector mismatch

Path: Volume F:\, Sector 15
Status: Sector mismatch

Path: Volume F:\, Sector 16
Status: Sector mismatch

Path: Volume F:\, Sector 17
Status: Sector mismatch

Path: Volume F:\, Sector 18
Status: Sector mismatch

Path: Volume F:\, Sector 19
Status: Sector mismatch

Path: Volume F:\, Sector 20
Status: Sector mismatch

Path: Volume F:\, Sector 21
Status: Sector mismatch

Path: Volume F:\, Sector 22
Status: Sector mismatch

Path: Volume F:\, Sector 23
Status: Sector mismatch

Path: Volume F:\, Sector 24
Status: Sector mismatch

Path: Volume F:\, Sector 25
Status: Sector mismatch

Path: Volume F:\, Sector 26
Status: Sector mismatch

Path: Volume F:\, Sector 27
Status: Sector mismatch

Path: Volume F:\, Sector 28
Status: Sector mismatch

Path: Volume F:\, Sector 29
Status: Sector mismatch

Path: Volume F:\, Sector 30
Status: Sector mismatch

Path: Volume F:\, Sector 31
Status: Sector mismatch

Path: Volume F:\, Sector 32
Status: Sector mismatch

Path: Volume F:\, Sector 33
Status: Sector mismatch

Path: Volume F:\, Sector 34
Status: Sector mismatch

Path: Volume F:\, Sector 35
Status: Sector mismatch

Path: Volume F:\, Sector 36
Status: Sector mismatch

Path: Volume F:\, Sector 37
Status: Sector mismatch

Path: Volume F:\, Sector 38
Status: Sector mismatch

Path: Volume F:\, Sector 39
Status: Sector mismatch

Path: Volume F:\, Sector 40
Status: Sector mismatch

Path: Volume F:\, Sector 41
Status: Sector mismatch

Path: Volume F:\, Sector 42
Status: Sector mismatch

Path: Volume F:\, Sector 43
Status: Sector mismatch

Path: Volume F:\, Sector 44
Status: Sector mismatch

Path: Volume F:\, Sector 45
Status: Sector mismatch

Path: Volume F:\, Sector 46
Status: Sector mismatch

Path: Volume F:\, Sector 47
Status: Sector mismatch

Path: Volume F:\, Sector 48
Status: Sector mismatch

Path: Volume F:\, Sector 49
Status: Sector mismatch

Path: Volume F:\, Sector 50
Status: Sector mismatch

Path: Volume F:\, Sector 51
Status: Sector mismatch

Path: Volume F:\, Sector 52
Status: Sector mismatch

Path: Volume F:\, Sector 53
Status: Sector mismatch

Path: Volume F:\, Sector 54
Status: Sector mismatch

Path: Volume F:\, Sector 55
Status: Sector mismatch

Path: Volume F:\, Sector 56
Status: Sector mismatch

Path: Volume F:\, Sector 57
Status: Sector mismatch

Path: Volume F:\, Sector 58
Status: Sector mismatch

Path: Volume F:\, Sector 59
Status: Sector mismatch

Path: Volume F:\, Sector 60
Status: Sector mismatch

Path: Volume F:\, Sector 61
Status: Sector mismatch

Path: Volume F:\, Sector 62
Status: Sector mismatch

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba7219d6

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7219cc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba7219db

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba7219e5

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba7219ea

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba7219b8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba7219bd

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba7219f4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba7219ef

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba7219e0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba7219c7

Stealth Objects
-------------------
Object: Hidden Handle [Index: 324, Type: File]
Process: Norman_Malware_Cleaner.exe (PID: 5904) Address: 0x893d1cd8 Size: -

==EOF==




@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC9 (On-site Dell Inspiron laptop logs)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

This is an older computer that had not been used as a work computer for several years; the owner brought it in for me to connect to remotely so I could see his hard drives after his laptop (PC8) died last month. By the time I realized that it couldn't be fixed remotely, both computers had RootRepeal logs like the one above (forgot to get RR logs from this one, but they are likely still there if we need them). Here are MBR & Norman scans for this one from the same time:


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS721010G9SA00 rev.MCZOC10H -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !

Norman Malware Cleaner v2.00.05
Copyright 1990 - 2011, Norman ASA.

Norman Scanner Engine Version: 6.07.07
nvcbin.def: Version: 6.07.00, Date: 2011/05/07 06:21:51, Variants: 11887453
nvcmacro.def: Version: 6.07.00, Date: 2011/02/01 06:21:31, Variants: 20465

Operating System: Windows XP Service Pack 3

Switches: /iagree

Scan started: 2011/05/08 12:29:35

Running pre-scan cleanup routine...
Modified registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows --> AppInit_DLLs from '(null)' to ''
Deleted registry value: HKU\S-1-5-21-1487358297-2803705393-2931974190-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System --> DisableRegistryTools = 0x00000000
Deleted registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System --> DisableRegistryTools = 0x00000000
Deleted registry value: HKU\S-1-5-21-1487358297-2803705393-2931974190-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer --> NoDrives = 0x00000000
Deleted registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer --> NoDrives = 0x00000000

Scanning time: 1s

Scanning system for active rootkit activity...

Scanning time: 0s

Scanning running processes and process memory...

Number of objects found: 2048
Number of objects scanned: 2048
Number of objects not scanned: 0
Number of malicious memory objects found: 0
Scanning time: 50s

Running custom scan...

Number of files found: 116630
Number of archives unpacked: 4740
Number of objects found: 565187
Number of objects scanned: 563942
Number of objects not scanned: 202
Number of malicious objects found: 0
Number of malicious objects cleaned: 0
Number of malicious files found: 0
Number of malicious files cleaned: 0
Scanning time: 3h 4m 23s
Running post-scan cleanup routine...

Scanning time: 1s

Results:
Total number of files found: 116630
Total number of archives unpacked: 4740
Total number of objects found: 567235
Total number of objects scanned: 565990
Total number of objects not scanned: 202
Total number of malicious objects found: 5
Total number of malicious objects cleaned: 5
Total number of malicious files found: 0
Total number of malicious files cleaned: 0
Total scanning time: 3h 5m 16s


Norman Malware Cleaner v2.00.05
Copyright 1990 - 2011, Norman ASA.

Norman Scanner Engine Version: 6.07.07
nvcbin.def: Version: 6.07.00, Date: 2011/05/08 18:22:08, Variants: 11896449
nvcmacro.def: Version: 6.07.00, Date: 2011/02/01 06:21:31, Variants: 20465

Operating System: Windows XP Service Pack 3

Switches: /iagree

Scan started: 2011/05/09 03:47:43

Running pre-scan cleanup routine...
Modified registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows --> AppInit_DLLs from '(null)' to ''
Deleted registry value: HKU\S-1-5-21-1487358297-2803705393-2931974190-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System --> DisableRegistryTools = 0x00000000
Deleted registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System --> DisableRegistryTools = 0x00000000
Deleted registry value: HKU\S-1-5-21-1487358297-2803705393-2931974190-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer --> NoDrives = 0x00000000
Deleted registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer --> NoDrives = 0x00000000

Scanning time: 1s

Scanning system for active rootkit activity...

Scanning time: 0s

Scanning running processes and process memory...

Number of objects found: 1461
Number of objects scanned: 1461
Number of objects not scanned: 0
Number of malicious memory objects found: 0
Scanning time: 14m 59s

Running full scan...
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000199.reg: File infected with REG/Small.A
Deleted file: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000199.reg

Number of files found: 312556
Number of archives unpacked: 20409
Number of objects found: 2926182
Number of objects scanned: 2925316
Number of objects not scanned: 192
Number of malicious objects found: 1
Number of malicious objects cleaned: 1
Number of malicious files found: 1
Number of malicious files cleaned: 1
Scanning time: 1d 4h 56m 8s
Scan aborted by user

Results:
Total number of files found: 312556
Total number of archives unpacked: 20409
Total number of objects found: 2927643
Total number of objects scanned: 2926777

#8 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 June 2011 - 06:31 AM

Is the IDE controller used for both interfaces?

No, the SATA controller must control the SATA HDD. From all that I have read about the tool, and the hundreds of logs that I have seen, it seems that it defaults to IDE regardless of the interface.

As PC8 seems to have been the machine that triggered the infection and PCs 1-7 seem clean, I would like to have PC8 and PC9 scanned with aswMBR to check their status since the RootRepeal scans.
m0le is a proud member of UNITE

#9 dianasaur
  • Topic Starter
  • Members
  • 77 posts
  • Gender:Female
  • Location:Wofford Heights, California

Posted 19 June 2011 - 01:12 PM

Hi mole,

Unfortunately, PC8 and PC9 are the only two that are not local to me right now--I included them so you could see the rootrepeal logs I mentioned in the initial post.

The aswMBR scans for PC5 and PC6 show unknown MBR code, and PC7 shows a default XP MBR code but is a Windows 7 machine. Would these be worth investigating until I can get down to the main office? Also, is it possible to scan the servers remotely?

Thanks!

#10 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 June 2011 - 05:44 PM

I thought that might be the case.

Let's see if we can ID the MBR on PCs 5, 6 and 7.

Please download MBRCheck.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#11 dianasaur
  • Topic Starter
  • Members
  • 77 posts
  • Gender:Female
  • Location:Wofford Heights, California

Posted 19 June 2011 - 09:53 PM

Heego, mole


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC5
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Precision T1500
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 154):

Processes (total 55):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`31600000 (NTFS)

PhysicalDrive0 Model Number: ST3320418AS, Rev: CC46

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Dell Inspiron MBR code detected
SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B


Done!


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC6
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 142):

Processes (total 36):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT)

PhysicalDrive0 Model Number: SAMSUNGMP0804H, Rev: UE200-16

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: E09C5BDAA01F4C38093A7799A72C54908FECE3C8


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC7
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Starter Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Acer
System Manufacturer: Acer
System Product Name: AO532h
Logical Drives Mask: 0x00000004

Kernel Drivers (total 186):
0x8C891000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8C89C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8C8BE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8C8D6000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8C8ED000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8C904000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8C906000 \SystemRoot\system32\DRIVERS\ks.sys
0x8C93A000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8C948000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8C98C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8E222000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8E4F7000 \SystemRoot\system32\drivers\portcls.sys
0x8E526000 \SystemRoot\system32\drivers\drmk.sys
0x8E53F000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8E650000 \SystemRoot\System32\win32k.sys
0x8E54C000 \SystemRoot\System32\drivers\Dxapi.sys
0x8B211000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x8E556000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x8E567000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8E59C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8E5AE000 \SystemRoot\system32\DRIVERS\monitor.sys
0x8E8B0000 \SystemRoot\System32\TSDDD.dll
0x8C99D000 \SystemRoot\System32\Drivers\usbvideo.sys
0x8E8E0000 \SystemRoot\System32\cdd.dll
0x8E200000 \SystemRoot\system32\drivers\luafv.sys
0x8E5EF000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9141B000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x91461000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x91471000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x91484000 \SystemRoot\system32\drivers\HTTP.sys
0x91509000 \SystemRoot\system32\DRIVERS\bowser.sys
0x91522000 \SystemRoot\System32\drivers\mpsdrv.sys
0x91534000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x91557000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x91592000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xA3A37000 \SystemRoot\system32\drivers\peauth.sys
0xA3ACE000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA3AD8000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA3AF9000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA3B06000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA3B55000 \SystemRoot\System32\DRIVERS\srv.sys
0xA3BA6000 \??\C:\Users\diana\AppData\Local\Temp\aswMBR.sys
0xA3A1F000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xA3A28000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA3BB1000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA3BC4000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA3BCF000 \??\C:\Users\diana\AppData\Local\Temp\cpuz135\cpuz135_x32.sys
0x77BD0000 \Windows\System32\ntdll.dll
0x478C0000 \Windows\System32\smss.exe
0x77E10000 \Windows\System32\apisetschema.dll
0x00020000 \Windows\System32\autochk.exe
0x77D30000 \Windows\System32\msctf.dll
0x77B50000 \Windows\System32\comdlg32.dll
0x77B20000 \Windows\System32\imagehlp.dll
0x77AC0000 \Windows\System32\shlwapi.dll
0x77A10000 \Windows\System32\msvcrt.dll
0x77D20000 \Windows\System32\psapi.dll
0x77870000 \Windows\System32\setupapi.dll
0x777E0000 \Windows\System32\oleaut32.dll
0x777C0000 \Windows\System32\sechost.dll
0x77770000 \Windows\System32\Wldap32.dll
0x77630000 \Windows\System32\urlmon.dll
0x77580000 \Windows\System32\rpcrt4.dll
0x77540000 \Windows\System32\ws2_32.dll
0x77D10000 \Windows\System32\normaliz.dll
0x77340000 \Windows\System32\iertutil.dll
0x77330000 \Windows\System32\lpk.dll
0x772E0000 \Windows\System32\gdi32.dll
0x77240000 \Windows\System32\advapi32.dll
0x77230000 \Windows\System32\nsi.dll
0x77210000 \Windows\System32\imm32.dll
0x771B0000 \Windows\System32\difxapi.dll
0x77050000 \Windows\System32\ole32.dll
0x76F50000 \Windows\System32\wininet.dll
0x76300000 \Windows\System32\shell32.dll
0x76230000 \Windows\System32\user32.dll
0x761A0000 \Windows\System32\clbcatq.dll
0x76100000 \Windows\System32\usp10.dll
0x76020000 \Windows\System32\kernel32.dll
0x75FD0000 \Windows\System32\KernelBase.dll
0x75EB0000 \Windows\System32\crypt32.dll
0x75E90000 \Windows\System32\devobj.dll
0x75E00000 \Windows\System32\comctl32.dll
0x75DD0000 \Windows\System32\wintrust.dll
0x75DA0000 \Windows\System32\cfgmgr32.dll
0x75D90000 \Windows\System32\msasn1.dll

Processes (total 45):
0 System Idle Process
4 System
300 C:\Windows\System32\smss.exe
436 csrss.exe
480 C:\Windows\System32\wininit.exe
500 csrss.exe
552 C:\Windows\System32\services.exe
584 C:\Windows\System32\winlogon.exe
596 C:\Windows\System32\lsass.exe
604 C:\Windows\System32\lsm.exe
724 C:\Windows\System32\svchost.exe
800 C:\Windows\System32\svchost.exe
888 C:\Windows\System32\svchost.exe
940 C:\Windows\System32\svchost.exe
984 C:\Windows\System32\svchost.exe
1112 C:\Windows\System32\svchost.exe
1216 C:\Windows\System32\svchost.exe
1452 C:\Windows\System32\spoolsv.exe
1488 C:\Windows\System32\svchost.exe
1624 C:\Program Files\Launch Manager\dsiwmis.exe
1644 C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
1692 C:\Program Files\Acer\Acer VCM\RS_Service.exe
1744 C:\Windows\System32\svchost.exe
1784 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
356 C:\Windows\System32\taskhost.exe
1272 C:\Windows\System32\dwm.exe
1608 C:\Windows\explorer.exe
2176 C:\Windows\System32\svchost.exe
3776 C:\Program Files\CCleaner\CCleaner.exe
2464 C:\Windows\System32\SearchIndexer.exe
2260 C:\Windows\System32\igfxsrvc.exe
3892 C:\Users\diana\Desktop\siw.exe
7632 C:\Program Files\Microsoft Works\wksss.exe
7692 C:\Program Files\Microsoft Works\WkDStore.exe
8048 C:\Program Files\Internet Explorer\iexplore.exe
8108 C:\Program Files\Internet Explorer\iexplore.exe
7024 C:\Program Files\Internet Explorer\iexplore.exe
3644 C:\Windows\System32\audiodg.exe
6896 C:\Windows\System32\SearchFilterHost.exe
7316 C:\Windows\System32\SearchProtocolHost.exe
1172 dllhost.exe
3660 dllhost.exe
8024 C:\Users\diana\Desktop\MBRCheck.exe
7404 C:\Windows\System32\conhost.exe
8180 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500BEVT-22ZCT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#12 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 20 June 2011 - 02:01 PM

PCs 5 and 7 check out but 6 needs more investigation.

I'd like to check to make sure.

  • Please download MBRBackup to your Desktop.
  • Double-click or Right-click on MBRBackup.exe and select Run as Administrator to launch the program.
  • Click on SaveMBR... (top left corner) and save the backup file to your Desktop. It will have a name similar to MBR_2010-11-10.bin where the numbers correspond to the date the backup was made.
  • Save this file to the desktop >> click on Exit.
  • Now Zip this file up and post as an attachment in your next reply please.

What sort of time frame are we looking at on the aswMBR scans on the remote machines?
m0le is a proud member of UNITE

#13 dianasaur (Topic Starter, Members, 77 posts, Wofford Heights, California)

Posted 22 June 2011 - 12:55 AM

Okay, m0le, the MBR backup is attached. Thanks!

PC8 just got replaced, so I might be able to have it sent up to me this week. If not, I think I can make it down there next week.

I still can't make sense of any of the boot logs or hard drive scans for the local machines that we've cleared so far, though. I'm in over my head and out of clean machines to make comparisons with. I tried rebuilding one again two days ago, after wiping the drive with both HDAT and Active@ and even clearing the CMOS, but the weirdness persists. Are there any other tests we can run on the machines up here?

Thanks for all your help

#14 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 22 June 2011 - 05:40 PM

The MBR checks out. So far, we only have a malware flag on PC8 and I'm not sure what you mean when you say you replaced that machine? If it's been completely removed and a new machine has been installed then we need an aswMBR scan for that machine. If not then we are going to run a couple of scans when you have access to it.

Try running the following program on an accessible PC which you suspect is infected and post the log.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix message, not reproduced here]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#15 dianasaur (Topic Starter, Members, 77 posts, Wofford Heights, California)

Posted 24 June 2011 - 12:35 PM

Yes, PC8 has been completely replaced; one of its hard drives (the system drive, of course) died while we were trying to repair it remotely. We purchased two new drives and rebuilt the OS, but it decrapitated again within a couple of weeks so he decided it was time to order a new one.

I ran ComboFix on PC5 and PC6 and the logs are posted below. Both machines were rebooted by ComboFix during the scan, and PC5 had to be rebooted again after the scan to regain access to applications (error message: "Illegal operation attempted on a registry key that has been marked for deletion").

As for the machines that have so far come up squeaky clean in our scan logs, I think the logs themselves are a kind of digital lip service. On all the networked machines, I'm still seeing the same mystery files in the boot logs generated by Procmon. I will include part of a boot log for PC5 (taken last night) in a separate reply (it's really long). In my original post I had asked if the procmon results that I thought weird were actually normal. Since then, I've been running boot-up scans with procmon nearly every day on as many machines as I could, and am now certain that what I'm seeing can't possibly be normal (though I'm still hoping that someone here can convince me otherwise). The log shows files referenced during boot-up that can't be seen from within Windows, and is far from complete (this particular boot log had over 62 million entries, from which Procmon generated a sublist of Files By Folder that I could visually compare with files in the Windows directories).



@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC5 - Combofix
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

ComboFix 11-06-23.03 - pattie 06/23/2011 23:46:03.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4055.2911 [GMT -7:00]
Running from: c:\users\pattie\Desktop\cimfox.exe
FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-24 06:45 . 2011-06-24 06:45 -------- d-----w- C:\32788R22FWJFW
2011-06-22 06:38 . 2011-06-22 06:38 -------- d-----w- c:\windows\system32\SPReview
2011-06-22 06:37 . 2011-06-22 06:37 -------- d-----w- c:\windows\system32\EventProviders
2011-06-22 06:28 . 2011-06-22 06:28 -------- d-----w- c:\windows\fjmini
2011-06-22 04:13 . 2011-06-22 04:13 59784 ---ha-w- c:\windows\system32\drivers\PROCMON20.SYS
2011-06-20 22:20 . 2010-11-20 13:27 223232 ----a-w- c:\windows\system32\wmpsrcwp.dll
2011-06-20 22:18 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-06-20 22:18 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2011-06-20 22:18 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-06-20 22:18 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
2011-06-20 22:18 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
2011-06-20 22:17 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
2011-06-20 22:17 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2011-06-17 02:41 . 2011-06-17 02:41 -------- d-----w- c:\users\pattie\AppData\Roaming\PeaZip
2011-06-17 02:39 . 2011-06-17 02:39 -------- d-----w- c:\program files\PeaZip
2011-06-16 13:47 . 2011-04-25 05:33 1923968 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-16 13:47 . 2011-04-25 02:34 499200 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-16 13:47 . 2010-11-20 13:33 288640 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2011-06-16 13:46 . 2011-04-27 02:40 158208 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-16 13:46 . 2011-04-27 02:39 289280 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-16 13:46 . 2011-04-27 02:39 128000 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-16 13:42 . 2011-05-28 03:06 3135488 ----a-w- c:\windows\system32\win32k.sys
2011-06-16 13:42 . 2011-01-17 11:09 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2011-06-16 13:42 . 2011-01-17 05:47 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-06-16 13:42 . 2010-11-20 13:26 321024 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-06-16 13:42 . 2010-11-20 12:18 219136 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2011-06-16 13:42 . 2011-04-29 03:06 467456 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-16 13:42 . 2011-04-29 03:05 410112 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-16 13:42 . 2011-04-29 03:05 168448 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-16 13:42 . 2011-02-25 06:22 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-16 13:42 . 2011-02-25 05:34 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-06-16 13:42 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-16 13:42 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-06-16 06:21 . 2011-06-16 06:21 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-14 20:34 . 2011-06-14 20:42 -------- d-----w- c:\users\pattie\AppData\Local\Microsoft Games
2011-06-14 20:33 . 2011-06-14 20:33 -------- d-----w- c:\program files\Microsoft Games
2011-05-25 09:27 . 2011-04-22 22:15 27520 ----a-w- c:\windows\system32\drivers\Diskdump.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-22 06:47 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-06-22 06:47 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-05-16 07:54 . 2011-05-16 07:54 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-05-16 07:54 . 2011-05-16 07:54 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-05-16 07:54 . 2011-05-16 07:54 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-05-16 07:54 . 2011-05-16 07:54 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-05-16 07:54 . 2011-05-16 07:54 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-05-16 07:54 . 2011-05-16 07:54 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-05-16 07:54 . 2011-05-16 07:54 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-05-16 07:54 . 2011-05-16 07:54 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-05-16 07:54 . 2011-05-16 07:54 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-05-16 07:54 . 2011-05-16 07:54 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-05-16 07:54 . 2011-05-16 07:54 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-05-16 07:54 . 2011-05-16 07:54 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-05-16 07:54 . 2011-05-16 07:54 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-05-16 07:54 . 2011-05-16 07:54 448512 ----a-w- c:\windows\system32\html.iec
2011-05-16 07:54 . 2011-05-16 07:54 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-05-16 07:54 . 2011-05-16 07:54 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-05-16 07:54 . 2011-05-16 07:54 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-05-16 07:54 . 2011-05-16 07:54 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-16 07:54 . 2011-05-16 07:54 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-05-16 07:54 . 2011-05-16 07:54 222208 ----a-w- c:\windows\system32\msls31.dll
2011-05-16 07:54 . 2011-05-16 07:54 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-16 07:54 . 2011-05-16 07:54 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-05-16 07:54 . 2011-05-16 07:54 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-05-16 07:54 . 2011-05-16 07:54 160256 ----a-w- c:\windows\system32\wextract.exe
2011-05-16 07:54 . 2011-05-16 07:54 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-05-16 07:54 . 2011-05-16 07:54 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-05-16 07:54 . 2011-05-16 07:54 1492992 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-16 07:54 . 2011-05-16 07:54 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-05-16 07:54 . 2011-05-16 07:54 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-05-16 07:54 . 2011-05-16 07:54 1389056 ----a-w- c:\windows\system32\wininet.dll
2011-05-16 07:54 . 2011-05-16 07:54 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-05-16 07:54 . 2011-05-16 07:54 12288 ----a-w- c:\windows\system32\mshta.exe
2011-05-16 07:54 . 2011-05-16 07:54 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-05-16 07:54 . 2011-05-16 07:54 114176 ----a-w- c:\windows\system32\admparse.dll
2011-05-16 07:54 . 2011-05-16 07:54 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-05-16 07:54 . 2011-05-16 07:54 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-16 07:54 . 2011-05-16 07:54 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-05-16 07:54 . 2011-05-16 07:54 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-04-24 23:24 . 2011-04-24 23:24 159080 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin
2011-04-20 16:57 . 2011-04-20 16:57 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-04-20 16:57 . 2011-04-20 16:57 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-04-20 16:57 . 2011-04-20 16:57 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-04-20 16:57 . 2011-04-20 16:57 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-04-09 07:02 . 2011-05-10 20:20 5562240 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 06:58 . 2011-05-17 08:56 142336 ----a-w- c:\windows\system32\poqexec.exe
2011-04-09 06:02 . 2011-05-10 20:20 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:02 . 2011-05-10 20:20 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-17 08:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" [2010-06-25 1705296]
"FtLnSOP_setup"="c:\windows\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2005-01-06 212992]
"FJTWAIN Setup"="c:\windows\Twain_32\fjscan32\FjtwSetup.exe" [2004-09-01 126976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [2009-07-15 917768]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [2009-08-17 117568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 svcGenericHost;Trend Micro Client/Server Security Agent;c:\program files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [2010-07-05 45056]
S2 TmFilter;Trend Micro Filter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [2010-05-11 265744]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys [2010-05-11 42000]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmPfw.exe [2009-07-15 595960]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 97.64.180.150 97.64.187.153 8.8.8.8
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\HostedAgent.exe
c:\program files (x86)\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
.
**************************************************************************
.
Completion time: 2011-06-23 23:53:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-24 06:53
.
Pre-Run: 235,102,842,880 bytes free
Post-Run: 234,906,157,056 bytes free
.
- - End Of File - - B1DB8B089E29E10B421700CBF206D937
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC6 - Combofix
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


ComboFix 11-06-23.03 - Pattie 06/23/2011 23:27:23.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.600 [GMT -7:00]
Running from: c:\documents and settings\Pattie\Desktop\comfix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-24 06:18 . 2011-06-24 06:18 52360 ---ha-w- c:\windows\system32\drivers\PROCMON20.SYS
2011-06-22 07:29 . 2011-06-22 07:29 -------- d-----w- c:\documents and settings\Pattie\Application Data\Fujitsu
2011-06-22 07:23 . 2011-06-22 07:23 -------- d-----w- c:\program files\fjtwain
2011-06-22 07:23 . 2004-03-10 02:15 905216 ----a-w- c:\windows\system32\fjiplW7.dll
2011-06-22 07:23 . 2004-03-10 02:15 897024 ----a-w- c:\windows\system32\fjiplA6.dll
2011-06-22 07:23 . 2004-03-10 02:15 806912 ----a-w- c:\windows\system32\fjiplPX.dll
2011-06-22 07:23 . 2004-03-10 02:15 49152 ----a-w- c:\windows\system32\fjipl.dll
2011-06-22 07:23 . 2004-03-10 02:15 860160 ----a-w- c:\windows\system32\fjiplM6.dll
2011-06-22 07:23 . 2004-03-10 02:15 778240 ----a-w- c:\windows\system32\fjiplP6.dll
2011-06-22 06:49 . 2005-08-09 02:39 180224 ----a-w- c:\windows\system32\Fjscmcpl.dll
2011-06-22 06:48 . 2003-11-19 01:42 40960 ------w- c:\windows\UninstOP.exe
2011-06-18 05:42 . 2011-06-18 05:42 -------- d-----w- c:\program files\Common Files\Java
2011-06-18 05:42 . 2011-06-18 05:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-18 05:41 . 2011-06-18 05:41 -------- d-----w- c:\program files\Java
2011-05-28 15:14 . 2011-05-28 15:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2011-05-28 15:14 . 2011-05-28 15:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2011-05-28 15:14 . 2011-05-28 15:14 21425 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-05-28 15:13 . 2011-05-28 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2011-05-28 15:13 . 2007-02-12 18:41 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2011-05-28 15:13 . 2007-02-12 18:40 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2011-05-28 13:05 . 2011-06-24 06:33 -------- d-----w- c:\windows\system32\CatRoot2
2011-05-25 07:04 . 2011-05-25 07:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-18 05:41 . 2010-04-28 03:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-27 04:55 . 2011-05-27 04:55 324894 ----a-w- C:\GBAuth-Installer-v112(1).zip
2011-05-14 14:53 . 2006-01-18 19:24 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-05-14 14:53 . 2006-01-18 19:22 58288 ----a-w- c:\windows\system32\rpcnet.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ------w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rpcnet]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-09-13 21:33 155648 ----a-w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-12-04 02:00 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-02-21 18:17 970752 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-02-21 18:19 819200 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/27/2010 9:21 PM 136360]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/10/2011 6:10 AM 691696]
S4 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [3/31/2009 3:45 PM 197504]
S4 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [3/31/2009 3:45 PM 190080]
S4 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [5/4/2009 4:57 PM 148992]
S4 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [5/4/2009 4:57 PM 148096]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 97.64.180.150 97.64.187.153 8.8.8.8
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-23 23:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(508)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(2152)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-06-23 23:36:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-24 06:36
.
Pre-Run: 56,066,891,776 bytes free
Post-Run: 55,995,105,280 bytes free
.
- - End Of File - - 5011930B5DC89B1546B65D0DBF8D46CC