Results 1 to 3 of 3

Thread: Baffled - so much information

Thread Tools
- Show Printable Version
Display
- Linear Mode
- Switch to Hybrid Mode
- Switch to Threaded Mode

2008-05-06, 00:24 #1
scasbeer

View Profile

View Forum Posts
Junior Member

Join Date

May 2008

Posts

2
Baffled - so much information

I ran RootAlyzer because each time I boot my Windows Vista machine, Spybot catches these two attempts to modify the registry:

Category: session manager
value deleted
BootExecute

Catergory: session manager
value deleted
ExcludeFromKnownDIIs

I've accepted those changes twice and found that the next time I boot, my system fails completely - not even reading the boot record. I've successfully repaired the system from the original disk each time, but these changes are attempted at every boot.

So, I thought RootAlyzer might help find the problem. The first time I ran a deep scan, I got a tremendous amount of information and do not know where to begin to interpret it.

This leads to two questions:
1. Does anyone know what is happening when I try to boot and how do I fix it?
2. Can anyone help me interpret the following RootAlyzer log?

Thanks for any and all help!

// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"No admin in ACL","C:\Windows\bthservsdp.dat"
File:"Unknown ADS","C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6001.18000_none_b3dc8e9f30720cdd\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"Unknown ADS","C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6000.16386_none_b1a5cca33386fc09\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"No admin in ACL","C:\Windows\System32\fsquirt.exe"
File:"No admin in ACL","C:\Windows\System32\hal.dll"
File:"No admin in ACL","C:\Windows\System32\halacpi.dll"
File:"No admin in ACL","C:\Windows\System32\halmacpi.dll"
File:"No admin in ACL","C:\Windows\System32\hccoin.dll"
File:"No admin in ACL","C:\Windows\System32\hcrstco.dll"
File:"No admin in ACL","C:\Windows\System32\iscsilog.dll"
File:"No admin in ACL","C:\Windows\System32\SysFxUI.dll"
File:"No admin in ACL","C:\Windows\System32\WMALFXGFXDSP.dll"
File:"No admin in ACL","C:\Windows\System32\drivers\1394bus.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\acpi.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\atapi.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\ataport.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\battc.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\bthenum.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\bthport.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\BTHUSB.SYS"
File:"No admin in ACL","C:\Windows\System32\drivers\cdrom.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\CmBatt.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\compbatt.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\disk.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\drmk.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\drmkaud.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hdaudbus.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\HdAudio.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hidclass.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hidparse.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\hidusb.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\i8042prt.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\kbdclass.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\kbdhid.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\monitor.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\mouclass.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\mouhid.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\msisadrv.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\msiscsi.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\mssmbios.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\ohci1394.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\pci.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\pciide.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\pciidex.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\portcls.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\rfcomm.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\sdbus.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\sermouse.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\termdd.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\umbus.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbccgp.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbd.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbehci.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbhub.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\usbport.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\USBSTOR.SYS"
File:"No admin in ACL","C:\Windows\System32\drivers\usbuhci.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\vgapnp.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\volmgr.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\volsnap.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\wmiacpi.sys"
File:"No admin in ACL","C:\Windows\System32\drivers\UMDF\WpdFs.dll"
File:"Unknown ADS","C:\Windows\PLA\System\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"No admin in ACL","C:\Windows\inf\drvindex.dat"
File:"No admin in ACL","C:\Windows\inf\INFCACHE.1"
File:"No admin in ACL","C:\Windows\inf\infpub.dat"
File:"No admin in ACL","C:\Windows\inf\infstor.dat"
File:"No admin in ACL","C:\Windows\inf\infstrng.dat"
File:"Unknown ADS","C:\Users\Stephen\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\099F563E-00000001.eml:OECustomProperty:$DATA"
File:"No admin in ACL","C:\Users\All Users\Microsoft\Business Contact Manager\StartupService.ini"
File:"No admin in ACL","C:\ProgramData\Microsoft\Business Contact Manager\StartupService.ini"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\AntiSpywareProduct.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\AntiVirusProduct.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\BIOS.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Controller Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Cooling Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Desktop Rating.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Disk Settings.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\FirewallProduct.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Input Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Interactive Session Processes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Interactive Sessions.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Logged On Users.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Logical Disk Dirty Test.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Memory Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Motherboard Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Network Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\NTFS Performance.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\NtKernel.etl:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Operating System.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Performance Counter.blg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\PlugAndPlay Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Port Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Power Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Printing Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Processes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Processor.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\report.xml:Qgrg2rf1Znaluncm1kfl1xla5h:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\SMART Disk Check.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Startup Programs.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Startup Settings.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Storage Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\System Services.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\UAC Settings.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\User Accounts.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Video Classes.xml:SummaryInformation:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\Windows Update Settings.xml:SummaryInformation:$DATA"
Directory:"No admin in ACL","C:\System Volume Information"
Directory:"No admin in ACL","C:\Windows\System32\LogFiles\WMI\RtBackup"
Directory:"Unknown ADS","C:\Users\All Users\TEMP:B0A96209:$DATA"
Directory:"Unknown ADS","C:\Users\All Users\TEMP:C05A8628:$DATA"
Directory:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA"
Directory:"Unknown ADS","C:\ProgramData\TEMP:B0A96209:$DATA"
Directory:"Unknown ADS","C:\ProgramData\TEMP:C05A8628:$DATA"
Directory:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\","DcomLaunch"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet004\Services\","DcomLaunch"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet004\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\","DcomLaunch"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\","RpcSs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\","HotStart"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\","Flyout"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\","Svc"
Reply With Quote
2008-05-06, 14:32 #2
PepiMK

View Profile

View Forum Posts
Member of Team Spybot

Join Date

Oct 2005

Location

Planet Earth

Posts

3,601
Could you please do another scan with version 0.2? I made it available at the link in the version announcement thread. Among the things 0.2 improves are a lot of Vista special cases, which your list mostly seems to consist of.

Just remember, love is life, and hate is living death.
Treat your life for what it's worth, and live for every breath
(Black Sabbath: A National Acrobat)
Reply With Quote
2008-05-06, 23:55 #3
scasbeer

View Profile

View Forum Posts
Junior Member

Join Date

May 2008

Posts

2
I reran with the suggested version and found a much more manageble results list. I am, however, at somewhat of a loss at what to do with it and if it indicates my orginal problem.

Any advice is greatly appreciated!

// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6001.18000_none_b3dc8e9f30720cdd\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"Unknown ADS","C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6000.16386_none_b1a5cca33386fc09\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"Unknown ADS","C:\Windows\PLA\System\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DF7A7.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFBA50.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFD3D.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFD5D.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFE0B3.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFE70B.tmp"
File:"No admin in ACL","C:\Users\Stephen\AppData\Local\Temp\~DFEC4.tmp"
File:"Unknown ADS","C:\Users\Stephen\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\099F563E-00000001.eml:OECustomProperty:$DATA"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\81602.bpc"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\81610.bpc"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\OPA12.BAK"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat"
File:"No admin in ACL","C:\Users\All Users\Microsoft\Business Contact Manager\StartupService.ini"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA\81602.bpc"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA\81610.bpc"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA\OPA12.BAK"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat"
File:"No admin in ACL","C:\ProgramData\Microsoft\Business Contact Manager\StartupService.ini"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\20080329-0001\report.xml:Qgrg2rf1Znaluncm1kfl1xla5h:$DATA"
Directory:"Unknown ADS","C:\Users\All Users\TEMP:B0A96209:$DATA"
Directory:"Unknown ADS","C:\Users\All Users\TEMP:C05A8628:$DATA"
Directory:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA"
Directory:"Unknown ADS","C:\ProgramData\TEMP:B0A96209:$DATA"
Directory:"Unknown ADS","C:\ProgramData\TEMP:C05A8628:$DATA"
Directory:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
Reply With Quote

Quick Navigation RootAlyzer Top

Site Areas
Settings
Private Messages
Subscriptions
Who's Online
Search Forums
Forums Home
Forums
General Safer Networking
1. Announcements
2. Tavern
  1. Word Games
Software
1. Spybot
2. RootAlyzer
  1. RootAlyzer download
General Malware

« Previous Thread | Next Thread »

Posting Permissions

You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
[VIDEO] code is On
HTML code is Off

All times are GMT +2. The time now is 22:23.

Copyright © 2000-2022 Safer-Networking Limited. All rights reserved.