Adlice forum
General Category => Malware removal help => Topic started by: pdk3001 on January 16, 2015, 09:44:16 PM
-
The only discrepancy found with a current run of RogueKiller is a file check marked in RED and tagged as "Critical! Item is malware and should be removed."
C:\windows\System32\drivers\DgivEcp.sys
STATUS: found DETECTION: File.Forged NAME: DgivEcp.sys
Windows Explorer shows DgivEcp.sys 10/22/2007 02:55 System file 53KB
It is marked for deletion by default. However, when I run the delete, the file's STATUS changes to Error[32].
Can't find anything about this error and the file remains.
I am a newbie on the learning curve. I need assistance to determine if this is indeed malware and what should be done next.
THANKS
-
Hi pdk3001,
Welcome to Adlice.com Forum.
Could you please post RogueKiller's full report in your next reply?
Regards.
-
Thanks for the reply.
In the report I did notice many (63) IAT/EAT hooks with unknown modules; orange.
RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : NetUser [Administrator]
Mode : Delete -- Date : 01/19/2015 12:10:10
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] DgivEcp.sys -- C:\Windows\System32\drivers\DgivEcp.sys -> ERROR [32]
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 63 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - PeekMessageW : Unknown @ 0x23c0000 (push dword 0x23c0000|ret )
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtMapViewOfSection : Unknown @ 0x71a0003c (jmp 0xfffffffffa3303d2|jmp dword near [0x719f001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) KERNEL32.dll - SetUnhandledExceptionFilter : Unknown @ 0x71a4003c (push dword 0x71a30022|ret |jmp dword near [0x71a3001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - GetMessageA : Unknown @ 0x710e003c (push dword 0x710d0022|ret |jmp dword near [0x710d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - GetMessageW : Unknown @ 0x710a003c (push dword 0x71090022|ret |jmp dword near [0x7109001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - TranslateMessage : Unknown @ 0x716a003c (push dword 0x71690022|ret |jmp dword near [0x7169001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - PeekMessageW : Unknown @ 0x719c003c (push dword 0x719b0022|ret |jmp dword near [0x719b001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - GetClipboardData : Unknown @ 0x7170003c (push dword 0x716f0022|ret |jmp dword near [0x716f001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - CreateWindowExW : c:\program files (x86)\trusteer\rapport\bin\rooksbas.dll @ 0x6a7c97e0 (jmp dword near [0x7195001e]|jmp 0x10|jmp 0xfffffffff8e697a0)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) GDI32.dll - BitBlt : Unknown @ 0x7182003c (push dword 0x71810022|ret |jmp dword near [0x7181001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WINTRUST.dll - WinVerifyTrust : Unknown @ 0x7122003c (push dword 0x71210022|ret |jmp dword near [0x7121001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) KERNEL32.dll - QueueUserWorkItem : Unknown @ 0x7106003c (push dword 0x71050022|ret |jmp dword near [0x7105001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - RegisterClassA : Unknown @ 0x718a003c (push dword 0x71890022|ret |jmp dword near [0x7189001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - DdeInitializeW : Unknown @ 0x7174003c (push dword 0x71730022|ret |jmp dword near [0x7173001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WS2_32.dll - getaddrinfo : Unknown @ 0x7113003c (jmp 0xfffffffffba1bd8c|jmp dword near [0x7112001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetGetCookieExW : Unknown @ 0x713a003c (push dword 0x71390022|ret |jmp dword near [0x7139001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetConnectW : Unknown @ 0x7142003c (push dword 0x71410022|ret |jmp dword near [0x7141001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenW : Unknown @ 0x7132003c (push dword 0x71310022|ret |jmp dword near [0x7131001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x712a003c (push dword 0x71290022|ret |jmp dword near [0x7129001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x712e003c (push dword 0x712d0022|ret |jmp dword near [0x712d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW : Unknown @ 0x715e003c (push dword 0x715d0022|ret |jmp dword near [0x715d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW : Unknown @ 0x7152003c (push dword 0x71510022|ret |jmp dword near [0x7151001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW : Unknown @ 0x714e003c (push dword 0x714d0022|ret |jmp dword near [0x714d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetWriteFile : Unknown @ 0x7126003c (push dword 0x71250022|ret |jmp dword near [0x7125001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetCloseHandle : Unknown @ 0x714a003c (push dword 0x71490022|ret |jmp dword near [0x7149001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WS2_32.dll - GetAddrInfoExW : Unknown @ 0x711d003c (jmp 0xfffffffffbab2e38|jmp dword near [0x711c001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpAddRequestHeadersA : Unknown @ 0x7166003c (push dword 0x71650022|ret |jmp dword near [0x7165001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - CoInternetCombineUrlEx : Unknown @ 0x717a003c (push dword 0x71790022|ret |jmp dword near [0x7179001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA : Unknown @ 0x715a003c (push dword 0x71590022|ret |jmp dword near [0x7159001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA : Unknown @ 0x7162003c (push dword 0x71610022|ret |jmp dword near [0x7161001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenA : Unknown @ 0x7136003c (push dword 0x71350022|ret |jmp dword near [0x7135001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetConnectA : Unknown @ 0x7146003c (push dword 0x71450022|ret |jmp dword near [0x7145001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtMapViewOfSection : Unknown @ 0x71a0003c (jmp 0xfffffffffa3303d2|jmp dword near [0x719f001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) KERNEL32.dll - SetUnhandledExceptionFilter : Unknown @ 0x71a4003c (push dword 0x71a30022|ret |jmp dword near [0x71a3001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - GetMessageA : Unknown @ 0x710e003c (push dword 0x710d0022|ret |jmp dword near [0x710d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - GetMessageW : Unknown @ 0x710a003c (push dword 0x71090022|ret |jmp dword near [0x7109001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - TranslateMessage : Unknown @ 0x716a003c (push dword 0x71690022|ret |jmp dword near [0x7169001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - PeekMessageW : Unknown @ 0x719c003c (push dword 0x719b0022|ret |jmp dword near [0x719b001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - GetClipboardData : Unknown @ 0x7170003c (push dword 0x716f0022|ret |jmp dword near [0x716f001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - CreateWindowExW : c:\program files (x86)\trusteer\rapport\bin\rooksbas.dll @ 0x6a7c97e0 (jmp dword near [0x7195001e]|jmp 0x10|jmp 0xfffffffff8e697a0)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) GDI32.dll - BitBlt : Unknown @ 0x7182003c (push dword 0x71810022|ret |jmp dword near [0x7181001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WINTRUST.dll - WinVerifyTrust : Unknown @ 0x7122003c (push dword 0x71210022|ret |jmp dword near [0x7121001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) KERNEL32.dll - QueueUserWorkItem : Unknown @ 0x7106003c (push dword 0x71050022|ret |jmp dword near [0x7105001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - RegisterClassA : Unknown @ 0x718a003c (push dword 0x71890022|ret |jmp dword near [0x7189001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - DdeInitializeW : Unknown @ 0x7174003c (push dword 0x71730022|ret |jmp dword near [0x7173001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WS2_32.dll - getaddrinfo : Unknown @ 0x7113003c (jmp 0xfffffffffba1bd8c|jmp dword near [0x7112001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetGetCookieExW : Unknown @ 0x713a003c (push dword 0x71390022|ret |jmp dword near [0x7139001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetConnectW : Unknown @ 0x7142003c (push dword 0x71410022|ret |jmp dword near [0x7141001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenW : Unknown @ 0x7132003c (push dword 0x71310022|ret |jmp dword near [0x7131001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x712a003c (push dword 0x71290022|ret |jmp dword near [0x7129001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x712e003c (push dword 0x712d0022|ret |jmp dword near [0x712d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW : Unknown @ 0x715e003c (push dword 0x715d0022|ret |jmp dword near [0x715d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW : Unknown @ 0x7152003c (push dword 0x71510022|ret |jmp dword near [0x7151001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW : Unknown @ 0x714e003c (push dword 0x714d0022|ret |jmp dword near [0x714d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetWriteFile : Unknown @ 0x7126003c (push dword 0x71250022|ret |jmp dword near [0x7125001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetCloseHandle : Unknown @ 0x714a003c (push dword 0x71490022|ret |jmp dword near [0x7149001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WS2_32.dll - GetAddrInfoExW : Unknown @ 0x711d003c (jmp 0xfffffffffbab2e38|jmp dword near [0x711c001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpAddRequestHeadersA : Unknown @ 0x7166003c (push dword 0x71650022|ret |jmp dword near [0x7165001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - CoInternetCombineUrlEx : Unknown @ 0x717a003c (push dword 0x71790022|ret |jmp dword near [0x7179001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA : Unknown @ 0x715a003c (push dword 0x71590022|ret |jmp dword near [0x7159001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA : Unknown @ 0x7162003c (push dword 0x71610022|ret |jmp dword near [0x7161001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenA : Unknown @ 0x7136003c (push dword 0x71350022|ret |jmp dword near [0x7135001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetConnectA : Unknown @ 0x7146003c (push dword 0x71450022|ret |jmp dword near [0x7145001e]|jmp 0x10)
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Volume0 +++++
--- User ---
[MBR] 909f2dd56199fefe9037ca74866f2053
[BSP] 83c18d2e04eb08d97fa47a02d855e0ea : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 853115 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1747181568 | Size: 99999 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([57] The parameter is incorrect. )
+++++ PhysicalDrive1: Seagate Expansion Desk USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive2: Seagate Backup+ Desk USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_DEL_01082015_104743.log - RKreport_DEL_01082015_105205.log - RKreport_DEL_01122015_154155.log - RKreport_DEL_01122015_155513.log
RKreport_DEL_01132015_114842.log - RKreport_DEL_01132015_144742.log - RKreport_DEL_01132015_181217.log - RKreport_DEL_12092014_163128.log
RKreport_SCN_01082015_100743.log - RKreport_SCN_01082015_105112.log - RKreport_SCN_01122015_152016.log - RKreport_SCN_01132015_114139.log
RKreport_SCN_01132015_123242.log - RKreport_SCN_01132015_181149.log - RKreport_SCN_01152015_162241.log - RKreport_SCN_12092014_161227.log
RKreport_SCN_01192015_120344.log
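Added example, not part of the original thread and not RogueKiller's own code: a small Python triage script for the Antirootkit section of the report above. It parses the `[IAT:Inl(Hook.IEAT)]` lines, collapses repeated entries (the 63-entry list above contains the same hook set twice, apart from one extra PeekMessageW entry; reading that as two iexplore.exe processes is an assumption, the report does not say so), separates hooks RogueKiller could attribute to a module (here Trusteer Rapport's rooksbas.dll) from hooks that land in Unknown memory, and lists the Unknown hooks on network, URL and signature-verification APIs that most need the process dump requested in the next post. It also parses the `[File.Forged]` line. The sample log is constructed from a few lines copied in shape from the report; the sets of "sensitive" modules and functions are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the shape of the RogueKiller report above (trimmed; the
# real Antirootkit section has 63 lines). Two hooks are listed twice on purpose.
SAMPLE_LOG = r"""
¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] DgivEcp.sys -- C:\Windows\System32\drivers\DgivEcp.sys -> ERROR [32]
¤¤¤ Antirootkit : 5 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - PeekMessageW : Unknown @ 0x23c0000 (push dword 0x23c0000|ret )
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW : Unknown @ 0x714e003c (push dword 0x714d0022|ret |jmp dword near [0x714d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - CreateWindowExW : c:\program files (x86)\trusteer\rapport\bin\rooksbas.dll @ 0x6a7c97e0 (jmp dword near [0x7195001e]|jmp 0x10|jmp 0xfffffffff8e697a0)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW : Unknown @ 0x714e003c (push dword 0x714d0022|ret |jmp dword near [0x714d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - CreateWindowExW : c:\program files (x86)\trusteer\rapport\bin\rooksbas.dll @ 0x6a7c97e0 (jmp dword near [0x7195001e]|jmp 0x10|jmp 0xfffffffff8e697a0)
"""

# One Antirootkit entry: [kind] (process) module - function : target @ addr (disassembled stub)
HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\] \((?P<process>[^)]+)\) (?P<module>\S+) - (?P<function>\S+) : "
    r"(?P<target>.+?) @ (?P<addr>0x[0-9a-fA-F]+) \((?P<stub>.*)\)$"
)
# One Files entry: [detection][File] name -- path -> status
FILE_RE = re.compile(
    r"^\[(?P<detection>[^\]]+)\]\[File\] (?P<name>\S+) -- (?P<path>.+?) -> (?P<status>.+)$"
)

# Assumption of this example: APIs whose hooking by code in Unknown (unbacked)
# memory is worth escalating, since both banking trojans and browser-protection
# products sit on network I/O, URL handling and signature verification.
SENSITIVE_MODULES = {"wininet.dll", "ws2_32.dll", "wintrust.dll", "urlmon.dll"}
SENSITIVE_FUNCTIONS = {"getclipboarddata", "bitblt", "ntmapviewofsection"}


def parse_hooks(text):
    """Return one dict per Antirootkit hook line; address as int, stub as a list."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["addr"] = int(d["addr"], 16)
            d["stub"] = [s.strip() for s in d["stub"].split("|") if s.strip()]
            hooks.append(d)
    return hooks


def parse_files(text):
    """Return one dict per Files entry (detection, name, path, status)."""
    return [m.groupdict() for line in text.splitlines() if (m := FILE_RE.match(line.strip()))]


def classify_stub(stub):
    """Name the redirection pattern RogueKiller disassembled at the hook site."""
    if len(stub) >= 2 and stub[0].startswith("push") and stub[1] == "ret":
        return "push/ret trampoline"
    if stub and stub[0].startswith("jmp"):
        return "jmp trampoline"
    return "other"


def dedupe(hooks):
    """Count identical hooks; RogueKiller lists hooks per process instance, so a
    set that appears twice is consistent with two instances of that process."""
    return Counter((h["process"], h["module"], h["function"], h["target"], h["addr"]) for h in hooks)


def triage(hooks):
    """Split hooks into attributed-to-a-module vs Unknown and flag the Unknown ones
    on sensitive APIs for follow-up with a process dump."""
    unique = dedupe(hooks)
    report = {"total": len(hooks), "unique": len(unique), "attributed": Counter(), "escalate": []}
    for (proc, module, func, target, addr), _count in unique.items():
        if target.lower() == "unknown":
            report["attributed"]["Unknown"] += 1
            if module.lower() in SENSITIVE_MODULES or func.lower() in SENSITIVE_FUNCTIONS:
                report["escalate"].append(f"{proc}: {module}!{func} -> {addr:#x}")
        else:
            # Attribute to the file name of the hooking DLL (e.g. rooksbas.dll).
            report["attributed"][target.rsplit("\\", 1)[-1].lower()] += 1
    return report


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    rep = triage(hooks)
    print(f"{rep['total']} hook lines, {rep['unique']} unique")
    for who, n in rep["attributed"].most_common():
        print(f"  {n:3d} hooked by {who}")
    for item in rep["escalate"]:
        print("  ESCALATE", item)
    for f in parse_files(SAMPLE_LOG):
        print(f"file: {f['detection']} {f['path']} -> {f['status']}")
```

Run it over a saved RKreport_*.log instead of SAMPLE_LOG to get the same summary for a full report; an "attributed" entry names the DLL RogueKiller resolved, while "Unknown" means no loaded module covers the target address, which is exactly what a memory dump of the process is needed to resolve.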
-
Hi pdk3001,
These IAT hooks need to be investigated.
Please follow the following process as close as possible.
1. Process Dump
- Download Process Explorer (http://live.sysinternals.com/procexp.exe) and save it to your desktop.
- Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
- Locate the process named iexplore.exe, right click select Create Dump > Create Full Dump...
- Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
- Share the link in your next reply.
2. Additional rootkit scan
- Please download TDSSKiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop
- Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
(http://i1118.photobucket.com/albums/k611/lhs22/tds2.jpg)
- Check Loaded Modules and Detect TDLFS file system.
- If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
(http://i1118.photobucket.com/albums/k611/lhs22/2012081514h0118.png)
- Click Start Scan and allow the scan process to run.
If threats are detected select Skip for all of them unless I instruct you otherwise.
- Click Continue
(http://i1118.photobucket.com/albums/k611/lhs22/tds6.jpg)
- Click Reboot computer
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically c:\), in your next reply.
Regards.
-
Dump file link:
explorer.zip 118MB
https://drive.google.com/file/d/0B13Khk0jqD34d2dtNU95QlB1VDA/view?usp=sharing
TDSSKiller scan:
TDSSKiller.3.0.0.42_19.01.2015_17.07.35_log.zip
https://drive.google.com/file/d/0B13Khk0jqD34b1lDeFZmUUppRUE/view?usp=sharing
-
Hi pdk3001,
Please redo a full scan with TDSSKiller and select "Cure" when DgiVecp (ForgedFile.Multi.Generic) is detected.
Select "Continue". The file will be replaced.
Post the logfile obtained in your next post.
Locate the following folder C:/TDSSKiller, zip it and attach it with your next post.
Regards.
-
Again thanks for the continuation:
TDSSKiller log on Google Drive
https://drive.google.com/file/d/0B13Khk0jqD34VUcxS245TVdwa28/view?usp=sharing
C:\TDSKiller_Quarantine is attached
-
Hi pdk3001,
TDSSKiller seems to have deleted the file.
Could you please redo a full scan with RogueKiller and post the report obtained in your next reply?
Regards.
-
Now 32 orange entries under AntiRootkit
DgivEcp.sys file not listed
----------------------------------------------------------------------
RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : NetUser [Administrator]
Mode : Scan -- Date : 01/21/2015 14:02:42
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 32 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - PeekMessageW : Unknown @ 0x2920000 (push dword 0x2920000|ret )
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ntdll.dll - NtMapViewOfSection : Unknown @ 0x71a0003c (jmp 0xfffffffffa1c03d2|jmp dword near [0x719f001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) KERNEL32.dll - SetUnhandledExceptionFilter : Unknown @ 0x71a4003c (push dword 0x71a30022|ret |jmp dword near [0x71a3001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - GetMessageA : Unknown @ 0x70e0003c (push dword 0x70df0022|ret |jmp dword near [0x70df001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - GetMessageW : Unknown @ 0x70dc003c (push dword 0x70db0022|ret |jmp dword near [0x70db001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - TranslateMessage : Unknown @ 0x716a003c (push dword 0x71690022|ret |jmp dword near [0x7169001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - PeekMessageW : Unknown @ 0x719c003c (push dword 0x719b0022|ret |jmp dword near [0x719b001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - GetClipboardData : Unknown @ 0x7170003c (push dword 0x716f0022|ret |jmp dword near [0x716f001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - CreateWindowExW : c:\program files (x86)\trusteer\rapport\bin\rooksbas.dll @ 0x711b97e0 (jmp dword near [0x7195001e]|jmp 0x10|jmp 0xffffffffff8597a0)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) GDI32.dll - BitBlt : Unknown @ 0x7182003c (push dword 0x71810022|ret |jmp dword near [0x7181001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WINTRUST.dll - WinVerifyTrust : Unknown @ 0x70f6003c (push dword 0x70f50022|ret |jmp dword near [0x70f5001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) KERNEL32.dll - QueueUserWorkItem : Unknown @ 0x70d8003c (push dword 0x70d70022|ret |jmp dword near [0x70d7001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - RegisterClassA : Unknown @ 0x718a003c (push dword 0x71890022|ret |jmp dword near [0x7189001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) USER32.dll - DdeInitializeW : Unknown @ 0x7174003c (push dword 0x71730022|ret |jmp dword near [0x7173001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WS2_32.dll - getaddrinfo : Unknown @ 0x70e5003c (jmp 0xfffffffff9b0bd8c|jmp dword near [0x70e4001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WS2_32.dll - GetAddrInfoExW : Unknown @ 0x70f1003c (jmp 0xfffffffff9bc2e38|jmp dword near [0x70f0001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetGetCookieExW : Unknown @ 0x713a003c (push dword 0x71390022|ret |jmp dword near [0x7139001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetConnectW : Unknown @ 0x7142003c (push dword 0x71410022|ret |jmp dword near [0x7141001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenW : Unknown @ 0x7132003c (push dword 0x71310022|ret |jmp dword near [0x7131001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x7115003c (push dword 0x71140022|ret |jmp dword near [0x7114001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x7119003c (push dword 0x71180022|ret |jmp dword near [0x7118001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW : Unknown @ 0x715e003c (push dword 0x715d0022|ret |jmp dword near [0x715d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW : Unknown @ 0x7152003c (push dword 0x71510022|ret |jmp dword near [0x7151001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW : Unknown @ 0x714e003c (push dword 0x714d0022|ret |jmp dword near [0x714d001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetWriteFile : Unknown @ 0x70fa003c (push dword 0x70f90022|ret |jmp dword near [0x70f9001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetCloseHandle : Unknown @ 0x714a003c (push dword 0x71490022|ret |jmp dword near [0x7149001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpAddRequestHeadersA : Unknown @ 0x7166003c (push dword 0x71650022|ret |jmp dword near [0x7165001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) urlmon.dll - CoInternetCombineUrlEx : Unknown @ 0x717a003c (push dword 0x71790022|ret |jmp dword near [0x7179001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA : Unknown @ 0x715a003c (push dword 0x71590022|ret |jmp dword near [0x7159001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA : Unknown @ 0x7162003c (push dword 0x71610022|ret |jmp dword near [0x7161001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetOpenA : Unknown @ 0x7136003c (push dword 0x71350022|ret |jmp dword near [0x7135001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetConnectA : Unknown @ 0x7146003c (push dword 0x71450022|ret |jmp dword near [0x7145001e]|jmp 0x10)
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Volume0 +++++
--- User ---
[MBR] 909f2dd56199fefe9037ca74866f2053
[BSP] 83c18d2e04eb08d97fa47a02d855e0ea : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 853115 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1747181568 | Size: 99999 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([57] The parameter is incorrect. )
+++++ PhysicalDrive1: Seagate Backup+ Desk USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive2: Kingston DTR30G2 USB Device +++++
--- User ---
[MBR] 110e427bfe182fa71acc7b79c613f37a
[BSP] 3fe8c7cbfee808dcffa405297d024777 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 30012 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive3: Seagate Expansion Desk USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive4: Kingston DTR30G2 USB Device +++++
--- User ---
[MBR] 8b147d0808561634b1084213a196db6a
[BSP] 54750e33cdc1bf9de564de31d48ae5f4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 30012 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_DEL_01082015_104743.log - RKreport_DEL_01082015_105205.log - RKreport_DEL_01122015_154155.log - RKreport_DEL_01122015_155513.log
RKreport_DEL_01132015_114842.log - RKreport_DEL_01132015_144742.log - RKreport_DEL_01132015_181217.log - RKreport_DEL_01192015_121010.log
RKreport_DEL_12092014_163128.log - RKreport_SCN_01082015_100743.log - RKreport_SCN_01082015_105112.log - RKreport_SCN_01122015_152016.log
RKreport_SCN_01132015_114139.log - RKreport_SCN_01132015_123242.log - RKreport_SCN_01132015_181149.log - RKreport_SCN_01152015_162241.log
RKreport_SCN_01192015_120344.log - RKreport_SCN_12092014_161227.log
-
Hi pdk3001,
The computer seems clean.
Do you still need help?
If you have any questions, feel free to ask.
Regards.
-
YES! Everything appears to be clean. Just ran another check that showed nothing. Yea, hooray!
I am going to review the process and my understanding to make this a better learning experience.
Thanks for being there.
-
Hi pdk3001,
I'm glad I was able to help you.
All the best.