Why does bc hesitate to believe ppl are infected?


  • This topic is locked
32 replies to this topic

#1 kistonw

kistonw

  • Banned
  • 49 posts

Posted 04 May 2016 - 09:14 AM

I believe myself to have a serious hijacking. It started on Windows 7, but I bought a Windows 10 cuz apparently I had no viruses. Now my Windows 10 is infected along with my Windows 10 install disc. Still though, apparently no viruses. I see people on this forum with the same suspicions, the same problems, being told the same thing - no viruses. Are the mods sitting on such a high horse they won't admit when they just don't know? Do they think we are as dumb as rocks? Maybe logs and reports show nothing, but it doesn't mean people aren't getting infected in a way bleepingcomp isn't used to. The fact I can know for a FACT I'm infected, then get told otherwise makes me think this forum is a joke. It's apparent to me that malware is maybe becoming a lil too advanced. Don't get me wrong, I appreciate the help given here. But it becomes worse making users have a false sense of security just because you can't find the problem as well. To say "oh, that's a very serious infection, those aren't common and you're probably seeing things" makes me want to request help from a diff mod. I understand the replies I will get, if I saw someone post this I'd flame him. I just want to get the point across,


#2 RolandJS

RolandJS

  • Members
  • 4,533 posts

Posted 04 May 2016 - 09:35 AM

Where did the Windows 10 install disc come from?  Any DVD or DVD set directly from an OEM manufacturer or from Microsoft Prime cannot be infected.  Now, if you got an ISO from a 3rd party vendor or web site, and if that ISO was made into a DVD install [or usb install stick], and if that ISO was pre-loaded with "goodies" uncalled for, then it is indeed possible that such usb or dvd install media has infection[s].

Meanwhile, back to your computer's OS on its hard-drive -- what security programs informed of infection[s] within your Windows 7?  Your Windows 10?  Specifically, what infection[s] was/were reported?


Edited by RolandJS, 04 May 2016 - 09:39 AM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#3 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts

Posted 04 May 2016 - 09:38 AM

It came from Best Buy. To say it can't be infected makes me wanna laugh, but it's a usb

Edited by kistonw, 04 May 2016 - 09:38 AM.


#4 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts

Posted 04 May 2016 - 09:40 AM

It doesn't matter tbh. I won't go into all the details to be told I'm not infected again. I will ask for help elsewhere. Granted every time I posted for help I received instructions from the same useless mod.

#5 RolandJS

RolandJS

  • Members
  • 4,533 posts

Posted 04 May 2016 - 09:48 AM



It came from Best Buy. To say it can't be infected makes me wanna laugh, but it's a usb

Best Buy is a great place to buy from!  You purchased a USB[?] from a great source -- I purchased my DVD Windows 7 Pro upgrade from Fry's Electronics -- in that, we both did real well!

Now, back to my other question, what security program[s] indicated your computer has infection[s]?  What specifically is/are the infection[s]?  Based on what was reported - your path to cleaning will be easier to walk.

BTW, I'm a fellow citizen like you, neither an admin nor a mod  :)


Edited by RolandJS, 04 May 2016 - 09:49 AM.


#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts

Posted 04 May 2016 - 09:52 AM

Sorry you didn't have a good experience here. I find it strange that all of your Windows 7 PCs are infected and now a new Windows 10 PC is infected.

I have been doing this for a long time, and unless you are infected with a network worm, which should easily be spotted, it is doubtful that you are infected with some unknown super-infection that can infect all of your PCs like this.

Unfortunately, in your virus removal section topic you never went into details as to what was exactly wrong with your computer. I would be happy to help dig further, but it's impossible to do this without a detailed list of what exactly is wrong.

For example, you posted that DNS settings were changed? What were they changed to? What told you they were changed? Have you checked your router to make sure it's configured properly, as the computer typically gets its DNS settings from there.

You also stated:
 

over the past year certain services have acted weird, but were windows services so it was very hard, especially with most ppl claiming it's legit. I'd reformat, monitor the suspected service, and it would prompt me randomly when that service was modified, followed by abnormalities in my comp. never resolved. could be nothing, but today rpcs5, wininit, audiosrv, eventlog, wcmsvc, wrscvc, services, and lsass have opened ports, and are listening.


How have they been acting weird? What is prompting you that a service was modified? What abnormalities?

As for the services having open ports, that's 100% normal. My computer, and every computer I ever worked on, had similar ports opened. Just part of the Windows architecture.
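
As an added example (not part of any post in this thread), a read-only PowerShell triage that gathers the concrete details asked for in post #6: which process and service owns each listening TCP port, whether that binary is validly signed, and whether the DNS servers in use are the router's. It assumes Windows 8/10 or later and an elevated prompt; the function names `Get-ListenerReport` and `Get-DnsReport` are made up for this example.

```powershell
#Requires -Version 5.1
# Added example: read-only triage; run elevated so process paths are visible.
# Nothing here changes system state.

function Get-ListenerReport {
    # PID -> names of the services hosted in that process
    # (this is what tells one svchost.exe instance from another).
    $servicesByPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.ProcessId -gt 0) {
            $key = [int]$svc.ProcessId
            if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
            $servicesByPid[$key] += $svc.Name
        }
    }

    # PID -> process record (name and on-disk path of the executable).
    $procByPid = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $procByPid[[int]$p.ProcessId] = $p
    }

    Get-NetTCPConnection -State Listen |
        Sort-Object -Property LocalPort, LocalAddress |
        ForEach-Object {
            $procId = [int]$_.OwningProcess
            $proc   = $procByPid[$procId]
            $name   = if ($proc) { $proc.Name } else { '(exited)' }
            $path   = if ($proc) { $proc.ExecutablePath } else { $null }

            # Signature status of the listening binary. On Windows 10 the
            # built-in services normally report 'Valid' with a Microsoft signer.
            $sigStatus = 'PathUnavailable'
            $signer    = ''
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig       = Get-AuthenticodeSignature -FilePath $path
                $sigStatus = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $procId
                Process      = $name
                Services     = ($servicesByPid[$procId] -join ', ')
                Path         = $path
                Signature    = $sigStatus
                Signer       = $signer
            }
        }
}

function Get-DnsReport {
    # Only adapters with a default gateway, i.e. the ones used for Internet access.
    Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | ForEach-Object {
        $gateways = @($_.IPv4DefaultGateway.NextHop)
        $dns = @((Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex `
                    -AddressFamily IPv4).ServerAddresses)

        # True when every configured DNS server is the router itself,
        # which is the usual home setup when DNS is handed out by the router.
        $foreign     = @($dns | Where-Object { $gateways -notcontains $_ })
        $dnsIsRouter = ($dns.Count -gt 0) -and ($foreign.Count -eq 0)

        [pscustomobject]@{
            Interface   = $_.InterfaceAlias
            Gateway     = $gateways -join ', '
            DnsServers  = $dns -join ', '
            DnsIsRouter = $dnsIsRouter
        }
    }
}

$listeners = Get-ListenerReport
$listeners | Format-Table -AutoSize -Wrap
Get-DnsReport | Format-Table -AutoSize

# Listeners worth describing in a help request: the binary is not validly signed.
# PID 4 is the kernel's System process, which has no executable path to check.
$listeners |
    Where-Object { $_.Signature -ne 'Valid' -and $_.PID -ne 4 } |
    Format-List
```

The first table is the kind of output that makes "services have opened ports" answerable: each port is tied to a named service and a signed file, or it is not.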

#7 Agouti

Agouti

  • Members
  • 1,548 posts

Posted 04 May 2016 - 10:02 AM

I'd say you really want to seek help elsewhere.  No matter what your experience has been, calling people a "useless mod" is not nice at all.  You have to keep in mind that we all sacrifice our time to help out for free too!



#8 mjd420nova

mjd420nova

  • Members
  • 1,852 posts

Posted 04 May 2016 - 10:05 AM

Too many times I have seen this and have been on both sides of the issue.  Software is some pretty touchy stuff and doesn't like to have its OS tweaked.  I have seen registry entries that even experienced techs couldn't get right after "adjustments" were made by the user.  NO CD/DVD can be infected unless it came from the mfgr that way, once burned it can't be changed.  USB sticks are another story.  Any media that can be read, modified and re-written is questionable.  Many infections lately have been the "flash" type and are best cleaned by factory reset of the CMOS/BIOS and boot to safe mode with no network to eradicate them.  NO known infected machine should be allowed access to the internet, disable the WIFI, remove the Ethernet cable, isolate it while cleaning.



#9 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts

Posted 04 May 2016 - 10:08 AM




It came from Best Buy. To say it can't be infected makes me wanna laugh, but it's a usb

Best Buy is a great place to buy from!  You purchased a USB[?] from a great source -- I purchased my DVD Windows 7 Pro upgrade from Fry's Electronics -- in that, we both did real well!
Now, back to my other question, what security program[s] indicated your computer has infection[s]?  What specifically is/are the infection[s]?  Based on what was reported - your path to cleaning will be easier to walk.
BTW, I'm a fellow citizen like you, neither an admin nor a mod  :)

My usb is infected. No hard feelings, but please let's leave it at that.



I assure everyone, I understand I'm the douchebag for saying what I said. But I bought Windows 10 because I was so sick of dealing with my "uninfected" Windows 7. After buying Windows 10, and coming to the conclusion I was def still infected, I took a lot of time to make sure I didn't touch this pc so it can be helped here, and went into a lot of detail. After running through the mod's instructions, which happened to be the same one who told me about Windows 7, he says "you're not infected, but I don't know what to do so go to Windows 10 support". Come the bleep on now.

#10 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts

Posted 04 May 2016 - 10:18 AM

Yes I tried to get a cd/dvd and couldn't find one. It's a Windows 10 USB. It's infected. It installs an infected Windows 10 by this point, every time. Windows update will make a seemingly clean pc into a haven of malware. File repositories are corrupted. I believe a lot has to do with silent scripts, and PowerShell. Regardless of what's been said and ignored in the past, I'm starting to have strong suspicions that this "removable disk e" that supposedly has no disk in it, is some kind of encrypted file repository or something. Can't get my internet on the to work so I can't answer all the posts accurately atm. I see the same logs everyone does, so all I can do is go by what I know isn't right.

It seems like when I turn on any pc, it starts to sync to something, like a hive. First indications were after clean installs, my comp would run flawlessly, for a day or two. After that day or two, my comp would force restart itself, and after that restart specifically, I noticed I would have slower internet connections across all programs. This pattern is something I lived with for months. I've probably reinstalled Windows LITERALLY close to 100 times. Fast pc until comp restarts by itself ---> start to lag ---> reinstall Windows. That was during Windows 7 and the beginning of Windows 10. Now, I try to install Windows 10 and EVERY time, it fails somewhere in the middle, restarts itself, and I end up with a Windows 10 that can't even load Windows update.

Before I forget. MANY MANY MANY times I've opened txt documents, which seemed to be logs, of remote users. A lot of them point to www.w3.org << ---- unsure if safe

Edited by kistonw, 04 May 2016 - 10:20 AM.


#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts

Posted 04 May 2016 - 10:20 AM

I assure everyone, I understand I'm the douchebag for saying what I said. But I bought Windows 10 because I was so sick of dealing with my "uninfected" Windows 7. After buying Windows 10, and coming to the conclusion I was def still infected, I took a lot of time to make sure I didn't touch this pc so it can be helped here, and went into a lot of detail. After running through the mod's instructions, which happened to be the same one who told me about Windows 7, he says "you're not infected, but I don't know what to do so go to Windows 10 support". Come the bleep on now.


Regardless of the delivery, I actually appreciate that you brought your concerns to us.

Still, though, I read through your entire topic and I still don't know 100% what is wrong. Some of the things you are seeing are normal, but in order to help someone we need more details other than weird or abnormal. That does not really explain anything.

#12 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts

Posted 04 May 2016 - 10:23 AM

I assure everyone, I understand I'm the douchebag for saying what I said. But I bought Windows 10 because I was so sick of dealing with my "uninfected" Windows 7. After buying Windows 10, and coming to the conclusion I was def still infected, I took a lot of time to make sure I didn't touch this pc so it can be helped here, and went into a lot of detail. After running through the mod's instructions, which happened to be the same one who told me about Windows 7, he says "you're not infected, but I don't know what to do so go to Windows 10 support". Come the bleep on now.

Regardless of the delivery, I actually appreciate that you brought your concerns to us.

Still, though, I read through your entire topic and I still don't know 100% what is wrong. Some of the things you are seeing are normal, but in order to help someone we need more details other than weird or abnormal. That does not really explain anything.

I've read scripts found in my pc that went something like

Create elevated process -skipcheck
Run process/program as user
Change settings
Delete process

I guess the simplest thing to say right now is, I can't Windows update. I can't Windows install. If I do somehow manage to get my windows 10 install USB cleaned, my comp will be infected again by the time the first Windows update is finished

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts

Posted 04 May 2016 - 10:31 AM

Yes I tried to get a cd/dvd and couldn't find one. It's a Windows 10 USB. It's infected.


Have you tried going to a friend's house that has a working computer and using the media creation tool to create a dvd of Windows 10?

https://www.microsoft.com/en-us/software-download/windows10

Windows update will make a seemingly clean pc into a haven of malware. File repositories are corrupted.


I seriously doubt this is happening. First there are a lot of checksums in place to assure that a malicious update can't be installed.

What is this removable disk e? You are saying that if you open the Computer control panel, it shows an unknown removable disk called E:? How many drives do you have in your computer, what devices are hooked up via USB? Even something as simple as a plugged in charging phone may sometimes show as a removable disk.

If you go into disk manager (Right click on computer->select manage->click on disk management), is the E drive present? If you right click on it and go into properties what does it tell you?

If you go into task manager, and go to performance, what processes are using the most internet?

You can also install Network Monitor from Microsoft to see what exactly each process is sending over the network/Internet.

Before I forget. MANY MANY MANY times I've opened txt documents, which seemed to be logs, of remote users. A lot of them point to www.w3.org << ---- unsure if safe


Post some of these logs. Many times what is innocent may appear malicious if you do not know what you're looking at.

As I said, we would be happy to help, but without some due diligence on your end and concrete details, it is almost impossible to tell you what could be wrong, if anything.

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts

Posted 04 May 2016 - 10:32 AM

I guess the simplest thing to say right now is, I can't Windows update. I can't Windows install. If I do somehow manage to get my windows 10 install USB cleaned, my comp will be infected again by the time the first Windows update is finished


Is your time set correctly? Something as simple as the time being set wrong will cause updates to not install properly.

#15 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts

Posted 04 May 2016 - 10:40 AM

I'm sorry for being vague man. If you told me what u wanted to see exactly I would have no problem showing you. I just got on my pc, I'm in Windows XP though looking at my Windows 10. Does this indicate anything?

 

Note I'm in Windows XP scanning this and this pops up, so it might not be anything. But these hooks are something I found at least a year ago as well, running roguek. In the time since then, these haven't shown up, until I recently downloaded hirens in safe mode and made a cd. But the same things I saw a year ago randomly showing again was worth mentioning I thought.

 

 

Operating System : Windows XP (5.1.2600) 32 bits version
Started in : Normal mode
User : SYSTEM [Administrator]
Started from : B:\Temp\HBCD\Opera\profile\temporary_downloads\RogueKiller.exe
Mode : Delete -- Date : 05/03/2016 07:43:39

¤¤¤ Processes : 1 ¤¤¤
[VT.Win32/Heur] keybtray.exe(1704) -- X:\I386\System32\keybtray.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 147 ¤¤¤
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\2310_00 (2310_00.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\272x_1x (272X_1X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\274x_3x (274X_3X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\3124r5A (3124R5A.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\3124r5A2 (3124R5A2.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\3132R5C (3132R5C.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\3132R5C2 (3132R5C2.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\3132R5C3 (3132R5C3.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\3132R5C4 (3132R5C4.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\3wareDrv (3WAREDRV.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\3WAREGSM (3WAREGSM.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\3wDrv100 (3WDRV100.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\a320raid (A320RAID.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aac (AAC.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aacsas (AACSAS.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aar1210 (AAR1210.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aar81xx (AAR81XX.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\adp3132 (ADP3132.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\adp94xx (ADP94XX.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\adpu320 (ADPU320.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aec6210 (AEC6210.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aec6260 (AEC6260.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aec6280 (AEC6280.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aec67160 (AEC67160.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AEC671X (AEC671X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AEC6880 (AEC6880.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aec6897 (AEC6897.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aec68x5 (AEC68X5.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AHCI6XX (AHCI6XX.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AHCIX700 (AHCIX700.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AHCIX80X (AHCIX80X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AMDBUSDR (AMDBUSDR.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AMDIDE (AMDIDE.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\arcm_x86 (ARCM_X86.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asahxp32 (ASAHXP32.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASH1205 (ASH1205.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ATIIDE (ATIIDE.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDA1000 (CDA1000.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cercsr6 (CERCSR6.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cpqarry2 (CPQARRY2.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cpqcissm (CPQCISSM.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dac2w2k (DAC2W2K.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\exfat (exfat.sys) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FAST2XXP (FAST2XXP.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FastSx (FASTSX.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fasttrak (FASTTRAK.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FST376XP (FST376XP.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fttxr52P (FTTXR52P.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fttxr54P (FTTXR54P.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fttxr5_O (FTTXR5_O.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HpCISSm2 (HPCISSM2.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hpt374 (HPT374.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hpt3xx (HPT3XX.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hptiop (HPTIOP.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hptmv (HPTMV.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hptmv6 (HPTMV6.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\iaStor2 (IASTOR2.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\iaStor3 (IASTOR3.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IASTOR6 (IASTOR6.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IASTOR7 (IASTOR7.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ide376xp (IDE376XP.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\INIC162X (INIC162X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ipsraidn (IPSRAIDN.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\iteatapi (ITEATAPI.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\iteraid (ITERAID.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\JRAID (JRAID.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\m5228 (M5228.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\m5281 (M5281.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\m5287 (M5287.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\m5288 (M5288.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\m5289 (M5289.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MegaIDE (MEGAIDE.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MegaINTL (MEGAINTL.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\megasas (MEGASAS.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MegaSR (MEGASR.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mv614x (MV614X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mv61xx (MV61XX.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MV61XXMM (MV61XXMM.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mv64xx (MV64XX.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MV64XXMM (MV64XXMM.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mv91xx (MV91XX.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mvSata (MVSATA.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MVXXMM (MVXXMM.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NFRD960X (NFRD960X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nusb3hub (nusb3hub.sys) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nusb3xhc (nusb3xhc.sys) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nvata (NVATA.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nvatabus (NVATABUS.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NVATARD (NVATARD.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nvgts5 (NVGTS5.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NVGTS6 (NVGTS6.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NVGTS6R (NVGTS6R.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NVGTS7 (NVGTS7.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NVGTS7R (NVGTS7R.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NVLEGACY (NVLEGACY.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nvraid (NVRAID.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nvrd325 (NVRD325.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NVRD327R (NVRD327R.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Pnp649r (PNP649R.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Pnp680 (PNP680.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Pnp680r (PNP680R.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PRFSX4XP (PRFSX4XP.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ql2100 (QL2100.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ql2200 (QL2200.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\raidsrc (RAIDSRC.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ramdisk (ramdisk.sys) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rr172x (RR172X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rr174x (RR174X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rr232x (RR232X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rr2340 (RR2340.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rr2644 (RR2644.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rr2680 (RR2680.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rr26xx (RR26XX.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rr276x (RR276X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rr62x (RR62X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rr64x (RR64X.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\S150sx8 (S150SX8.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SAS2XP86 (SAS2XP86.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\setupdd (setupdd.sys) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SI3112 (SI3112.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SI3112r (SI3112R.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SI3114 (SI3114.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SI3114r (SI3114R.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Si3114r5 (SI3114R5.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SI3124 (SI3124.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SI3124r (SI3124R.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SI3132B (SI3132B.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Si3132B2 (SI3132B2.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Si3132B3 (SI3132B3.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Si3132B4 (SI3132B4.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SI3132B5 (SI3132B5.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Si3531 (SI3531.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SISIDE (SISIDE.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SiSRaid (SISRAID.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SiSRaid2 (SISRAID2.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SiSRaid4 (SISRAID4.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sptrak (SPTRAK.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\symmpi (SYMMPI.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SYMMPIV (SYMMPIV.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UlSata (ULSATA.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ulsata2 (ULSATA2.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\viamraid (VIAMRAID.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\viapdsk (VIAPDSK.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vmscsi (VMSCSI.SYS) -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSTXWDC (VSTXWDC.SYS) -> Deleted
[PUM.StartMenu] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2 -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2 -> Replaced (1)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 70 (Driver: Loaded) ¤¤¤
[SSDT:Inl(Hook.SSDT)] ZwFlushWriteBuffer[81] : B:\I386\SYSTEM32\HALAACPI.DLL @ 0xffffffff80a1e6c2 (call dword [0x8080063c])
[ShwSSDT:Inl(Hook.Shadow)] NtGdiFONTOBJ_pxoGetXform[641] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8080da15 (call dword [0xbf98cb60])
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_CREATE_NAMED_PIPE[1] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_READ[3] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_WRITE[4] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_QUERY_INFORMATION[5] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_SET_INFORMATION[6] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_QUERY_EA[7] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_SET_EA[8] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_FLUSH_BUFFERS[9] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_QUERY_VOLUME_INFORMATION[10] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_SET_VOLUME_INFORMATION[11] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_DIRECTORY_CONTROL[12] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_FILE_SYSTEM_CONTROL[13] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_SHUTDOWN[16] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_LOCK_CONTROL[17] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_CLEANUP[18] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_CREATE_MAILSLOT[19] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_QUERY_SECURITY[20] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_SET_SECURITY[21] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_DEVICE_CHANGE[24] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_QUERY_QUOTA[25] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\atapi - IRP_MJ_SET_QUOTA[26] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_CREATE[0] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff764dbb0
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_CREATE_NAMED_PIPE[1] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_CLOSE[2] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff764dbb0
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_READ[3] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff7647d1f
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_WRITE[4] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff7647d1f
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_QUERY_INFORMATION[5] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_SET_INFORMATION[6] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_QUERY_EA[7] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_SET_EA[8] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_FLUSH_BUFFERS[9] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff76482e2
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_QUERY_VOLUME_INFORMATION[10] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_SET_VOLUME_INFORMATION[11] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_DIRECTORY_CONTROL[12] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_FILE_SYSTEM_CONTROL[13] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_DEVICE_CONTROL[14] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff76483bb
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff764bf28
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_SHUTDOWN[16] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff76482e2
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_LOCK_CONTROL[17] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_CLEANUP[18] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_CREATE_MAILSLOT[19] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_QUERY_SECURITY[20] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_SET_SECURITY[21] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_POWER[22] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff7649c82
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_SYSTEM_CONTROL[23] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff764e99e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_DEVICE_CHANGE[24] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_QUERY_QUOTA[25] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_SET_QUOTA[26] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\disk - IRP_MJ_PNP[27] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff764dc93
[IRP:Addr(Hook.IRP)] \Driver\disk - DriverUnload[29] : B:\I386\SYSTEM32\DRIVERS\CLASSPNP.SYS @ 0xfffffffff764e4b4
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_CREATE_NAMED_PIPE[1] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_WRITE[4] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_QUERY_INFORMATION[5] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_SET_INFORMATION[6] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_QUERY_EA[7] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_SET_EA[8] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_QUERY_VOLUME_INFORMATION[10] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_SET_VOLUME_INFORMATION[11] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_DIRECTORY_CONTROL[12] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_FILE_SYSTEM_CONTROL[13] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_SHUTDOWN[16] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_LOCK_CONTROL[17] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_CREATE_MAILSLOT[19] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_QUERY_SECURITY[20] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_SET_SECURITY[21] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_DEVICE_CHANGE[24] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_QUERY_QUOTA[25] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e
[IRP:Addr(Hook.IRP)] \Driver\kbdclass - IRP_MJ_SET_QUOTA[26] : B:\I386\SYSTEM32\NTKRNLMP.EXE @ 0xffffffff8082387e

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] a44dd3e3a91b6331af623f3d65e38927
[BSP] bb2085df37a30a04b40ceb9233d1c6e1 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1026048 | Size: 953367 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] b43f4f3018cb4506acc3d589a5272300
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 2048 | Size: 15003 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

Physical drive 2, with the errors, could be the drive I'm referring to, but atm it's listed as D:.

This "removable disk" that seems to consistently pop up only says "please insert a disk into drive". What drive? My CD drive has a CD in it, and it's listed as x. Scanners pick up the removable drive, but say things like "WARNING: CANNOT ACCESS DRIVE D:"

Ejecting it, clicking it, nothing does anything to it.





