
Baffled - so much information



scasbeer
2008-05-06, 01:24
I ran RootAlyzer because each time I boot my Windows Vista machine, Spybot catches these two attempts to modify the registry:

Category: session manager
value deleted
BootExecute

Category: session manager
value deleted
ExcludeFromKnownDlls

I've accepted those changes twice and found that the next time I boot, my system fails completely - not even reading the boot record. I've successfully repaired the system from the original disk each time, but these changes are attempted at every boot.

So, I thought RootAlyzer might help find the problem. The first time I ran a deep scan, I got a tremendous amount of information and do not know where to begin to interpret it.

This leads to two questions:
1. Does anyone know what is happening when I try to boot and how do I fix it?
2. Can anyone help me interpret the following RootAlyzer log?

Thanks for any and all help!


// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"No admin in ACL","C:\Windows\bthservsdp.dat"
File:"Unknown ADS","C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6001.18000_none_b3dc8e9f30720cdd\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"Unknown ADS","C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6000.16386_none_b1a5cca33386fc09\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"No admin in ACL","C:\Windows\System32\fsquirt.exe"
File:"No admin in ACL","C:\Windows\System32\hal.dll"
File:"No admin in ACL","C:\Windows\System32\halacpi.dll"
File:"No admin in ACL","C:\Windows\System32\halmacpi.dll"
File:"No admin in ACL","C:\Windows\System32\hccoin.dll"
File:"No admin in ACL","C:\Windows\System32\hcrstco.dll"
File:"No admin in ACL","C:\Windows\System32\iscsilog.dll"
File:"No admin in ACL","C:\Windows\System32\SysFxUI.dll"
File:"No admin in ACL","C:\Windows\System32\WMALFXGFXDSP.dll"
File:"No admin in ACL","C:\Windows\System32\drivers\1394bus.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\acpi.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\atapi.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\ataport.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\battc.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\bthenum.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\bthport.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\BTHUSB.SYS"
File:"No admin in ACL","C:\Windows\System32\drivers\cdrom.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\CmBatt.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\compbatt.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\disk.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\drmk.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\drmkaud.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hdaudbus.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\HdAudio.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hidclass.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hidparse.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hidusb.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\i8042prt.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\kbdclass.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\kbdhid.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\monitor.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\mouclass.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\mouhid.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\msisadrv.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\msiscsi.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\mssmbios.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\ohci1394.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\pci.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\pciide.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\pciidex.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\portcls.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\rfcomm.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\sdbus.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\sermouse.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\termdd.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\umbus.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbccgp.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbd.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbehci.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbhub.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbport.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\USBSTOR.SYS"
File:"No admin in ACL","C:\Windows\System32\drivers\usbuhci.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\vgapnp.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\volmgr.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\volsnap.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\wmiacpi.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\UMDF\WpdFs.dll"
File:"Unknown ADS","C:\Windows\PLA\System\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"No admin in ACL","C:\Windows\inf\drvindex.dat"
File:"No admin in ACL","C:\Windows\inf\INFCACHE.1"
File:"No admin in ACL","C:\Windows\inf\infpub.dat"
File:"No admin in ACL","C:\Windows\inf\infstor.dat"
File:"No admin in ACL","C:\Windows\inf\infstrng.dat"
File:"Unknown ADS","C:\Users\Stephen\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\099F563E-00000001.eml:OECustomProperty:$DATA"
File:"No admin in ACL","C:\Users\All Users\Microsoft\Business Contact Manager\StartupService.ini"
File:"No admin in ACL","C:\ProgramData\Microsoft\Business Contact Manager\StartupService.ini"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\AntiSpywareProduct.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\AntiVirusProduct.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\BIOS.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Controller Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Cooling Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Desktop Rating.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Disk Settings.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\FirewallProduct.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Input Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Interactive Session Processes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Interactive Sessions.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Logged On Users.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Logical Disk Dirty Test.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Memory Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Motherboard Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Network Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\NTFS Performance.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\NtKernel.etl:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Operating System.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Performance Counter.blg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\PlugAndPlay Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Port Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Power Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Printing Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Processes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Processor.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\report.xml:Qgrg2rf1Znaluncm1kfl1xla5h:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\SMART Disk Check.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Startup Programs.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Startup Settings.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Storage Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\System Services.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\UAC Settings.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\User Accounts.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Video Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Windows Update Settings.xml:SummaryInformation:$DATA"
Directory:"No admin in ACL","C:\System Volume Information"
Directory:"No admin in ACL","C:\Windows\System32\LogFiles\WMI\RtBackup"
Directory:"Unknown ADS","C:\Users\All Users\TEMP:B0A96209:$DATA"
Directory:"Unknown ADS","C:\Users\All Users\TEMP:C05A8628:$DATA"
Directory:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA"
Directory:"Unknown ADS","C:\ProgramData\TEMP:B0A96209:$DATA"
Directory:"Unknown ADS","C:\ProgramData\TEMP:C05A8628:$DATA"
Directory:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\","DcomLaunch"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet004\Services\","DcomLaunch"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet004\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\","DcomLaunch"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\","HotStart"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\","Flyout"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\","Svc"

PepiMK
2008-05-06, 15:32
Could you please do another scan with version 0.2? I made it available at the link in the version announcement thread. Among the things 0.2 improves are a lot of Vista special cases, which your list mostly seems to consist of.

scasbeer
2008-05-07, 00:55
I reran with the suggested version and found a much more manageable results list. I am, however, at somewhat of a loss as to what to do with it and whether it indicates my original problem.

Any advice is greatly appreciated!

// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6001.18000_none_b3dc8e9f30720cdd\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"Unknown ADS","C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6000.16386_none_b1a5cca33386fc09\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"Unknown ADS","C:\Windows\PLA\System\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DF7A7.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFBA50.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFD3D.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFD5D.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFE0B3.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFE70B.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFEC4.tmp"
File:"Unknown ADS","C:\Users\Stephen\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\099F563E-00000001.eml:OECustomProperty:$DATA"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\81602.bpc"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\81610.bpc"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\OPA12.BAK"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat"
File:"No admin in ACL","C:\Users\All Users\Microsoft\Business Contact Manager\StartupService.ini"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA\81602.bpc"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA\81610.bpc"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA\OPA12.BAK"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat"
File:"No admin in ACL","C:\ProgramData\Microsoft\Business Contact Manager\StartupService.ini"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\report.xml:Qgrg2rf1Znaluncm1kfl1xla5h:$DATA"
Directory:"Unknown ADS","C:\Users\All Users\TEMP:B0A96209:$DATA"
Directory:"Unknown ADS","C:\Users\All Users\TEMP:C05A8628:$DATA"
Directory:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA"
Directory:"Unknown ADS","C:\ProgramData\TEMP:B0A96209:$DATA"
Directory:"Unknown ADS","C:\ProgramData\TEMP:C05A8628:$DATA"
Directory:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
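Both logs posted in this thread use the same line format (`File:"reason","path"`, `Directory:"reason","path"`, `RegyKey:"reason","hive","key path","name"`), and the poster's difficulty is simply that there are too many lines to read one by one. The script below is an added example written for this page; it is not RootAlyzer's code and not anything Safer Networking ships. It assumes only the line shapes visible in the two logs above, and the embedded sample is an excerpt of those posted lines. It groups the findings by reason, by object kind, by top-level folder, and (for "Unknown ADS" entries) by alternate-data-stream name, which makes it visible at a glance that a stream name such as `SummaryInformation` recurs across a whole diagnostics folder rather than appearing once on an odd file.

```python
"""Triage helper for RootAlyzer result lines.

Added example, not Safer Networking's code. It assumes the line shapes seen
in the posted logs:
  File:"<reason>","<path>"
  Directory:"<reason>","<path>"
  RegyKey:"<reason>","<hive>","<key path>","<value or subkey name>"
Header lines beginning with '//' or '::' are skipped.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample input: an excerpt of the result lines posted in this thread.
SAMPLE_RESULTS = r"""
// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"No admin in ACL","C:\Windows\System32\hal.dll"
File:"No admin in ACL","C:\Windows\System32\drivers\acpi.sys"
File:"Unknown ADS","C:\Windows\PLA\System\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\BIOS.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Processes.xml:SummaryInformation:$DATA"
Directory:"Unknown ADS","C:\ProgramData\TEMP:B0A96209:$DATA"
Directory:"No admin in ACL","C:\System Volume Information"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\","DcomLaunch"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\","Svc"
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "File", "Directory" or "RegyKey"
    reason: str  # RootAlyzer's reason text, e.g. "No admin in ACL" or "Unknown ADS"
    target: str  # file/directory path, or hive + key path + name for registry entries


def parse_rootalyzer(text: str) -> List[Finding]:
    """Turn RootAlyzer result text into Finding records; non-result lines are ignored."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("//", "::")):
            continue
        kind, sep, rest = line.partition(":")
        if not sep or not rest.startswith('"'):
            continue  # not a result line; skip rather than guess at it
        # The remainder is one CSV record. Every field is quoted, so the colons
        # inside "C:\..." and inside ADS names (path:stream:$DATA) do not split it.
        fields = next(csv.reader(io.StringIO(rest)))
        if len(fields) < 2:
            continue
        reason, *parts = fields
        # Registry lines carry hive, key path and name as separate fields;
        # joining them gives one readable target. File lines have a single part.
        findings.append(Finding(kind, reason, "".join(parts)))
    return findings


def count_by_reason(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.reason for f in findings))


def count_by_kind(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.kind for f in findings))


def ads_stream_names(findings: List[Finding]) -> Dict[str, int]:
    """Count the stream names of "Unknown ADS" entries (target is path:STREAM:$DATA)."""
    names: Counter = Counter()
    for f in findings:
        if f.reason == "Unknown ADS":
            _path, stream, _stream_type = f.target.rsplit(":", 2)
            names[stream] += 1
    return dict(names)


def group_by_root(findings: List[Finding], depth: int = 2) -> Dict[str, int]:
    """Count file/directory findings by their first `depth` path components (e.g. C:\\Windows)."""
    roots: Counter = Counter()
    for f in findings:
        if f.kind in ("File", "Directory"):
            parts = f.target.split("\\")
            roots["\\".join(parts[:depth])] += 1
    return dict(roots)


if __name__ == "__main__":
    found = parse_rootalyzer(SAMPLE_RESULTS)
    print("by kind:   ", count_by_kind(found))
    print("by reason: ", count_by_reason(found))
    print("by folder: ", group_by_root(found))
    print("ADS names: ", ads_stream_names(found))
```

To use it on a real log, replace `SAMPLE_RESULTS` with the contents of the saved RootAlyzer results file; the folder grouping is the quickest way to see how much of a long deep-scan list is concentrated under `C:\Windows` and `C:\PerfLogs`, which is the part PepiMK's reply attributes to Vista special cases handled in version 0.2.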