CastleCops, Internet Crime Fighters

[IN PROGRESS] Urgent help required - please see HJT log (Trojan.mebroot.B)
YounGun

1st Responder
Site Moderator

Joined: Dec 11, 2004
Posts: 4324

1st Responders Moderators MVP Rootkit Responders SRT Team F@H

Posted: Sun Sep 21, 2008 8:50 pm

Hi,

I can't download the file, could you please copy/paste it in your next reply?

Thanks


_________________
IT Stuff
Kash3

Sergeant


Joined: Jan 17, 2008
Posts: 97


Posted: Wed Sep 24, 2008 11:24 am

See below- RK log.

Note: I've had problems getting onto the site in the last few days. Have the servers been overloaded?

Cheers.


HKU\.DEFAULT\Control Panel\International 16/04/2008 20:44 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 16/04/2008 20:44 0 bytes Security mismatch.
HKU\S-1-5-21-2577847814-993760150-4114403836-1007\Control Panel\International 16/04/2008 20:44 0 bytes Security mismatch.
HKU\S-1-5-21-2577847814-993760150-4114403836-1007\Control Panel\International\Geo 16/04/2008 20:44 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 16/04/2008 20:44 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 16/04/2008 20:44 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 21/08/2004 14:39 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 21/08/2004 14:39 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 21/08/2004 14:05 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 15/09/2008 22:57 80 bytes Data mismatch between Windows API and raw hive data.

YounGun

1st Responder
Site Moderator

Joined: Dec 11, 2004
Posts: 4324

1st Responders Moderators MVP Rootkit Responders SRT Team F@H

Posted: Fri Sep 26, 2008 8:03 am

Hi,

Backup all your important stuff on an external place.

1. boot off the XP installation CD
2. Press R for repair
3. In recovery console type the following: fixmbr \device\harddrive0 and press "Y" when you are prompted.


_________________
IT Stuff
Kash3

Sergeant


Joined: Jan 17, 2008
Posts: 97


Posted: Sat Sep 27, 2008 6:05 pm

Hi,

I tried this. However, I had an error message when trying to get into the recovery console, as follows:

"Windows cannot start because the following file is missing:
<windows root>\system32\hal.dll"

Also, fixmbr....... could not be found.

Is there an alternative method of getting this trojan off my system, or of re-installing the missing DLL and fixmbr?

Also, the GMER scan shows the following:
\Device\/harddisk0\DR0 Sector 61: malicious code@ sector 0x22ef2ac3 Size 0x1fd

and

\Device\/harddisk0\DR0 sector 62: copy of mbr

Cheers.

YounGun

1st Responder
Site Moderator

Joined: Dec 11, 2004
Posts: 4324

1st Responders Moderators MVP Rootkit Responders SRT Team F@H

Posted: Mon Sep 29, 2008 3:54 pm

Hi,

I have moved your topic to the Rootkit forum so one of our experts here can have a look at it.


_________________
IT Stuff
Kash3

Sergeant


Joined: Jan 17, 2008
Posts: 97


Posted: Mon Sep 29, 2008 8:20 pm

Ok thanks. Hope to hear from one of the Rootkit experts soon.

Kash3

Sergeant


Joined: Jan 17, 2008
Posts: 97


Posted: Fri Oct 10, 2008 1:07 pm

Anyone out there that can help? (desperate).

Thanks.

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5393

Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT

Posted: Sun Oct 26, 2008 2:19 am

Hi Kash3,

Download mbr.exe and save to your desktop:
http://www2.gmer.net/mbr/mbr.exe

Double-click mbr.exe to run the program

It will immediately create a log file called mbr.log on your desktop. Copy and paste the content of that file in your next reply.


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Kash3

Sergeant


Joined: Jan 17, 2008
Posts: 97


Posted: Sun Oct 26, 2008 4:25 pm

Hi Negster22,

This is the mbr log following gmer scan as requested.

Thanks.


Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x22ef2ac3 size 0x1fd !
copy of MBR has been found in sector 62 !

----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------

I don't know if this will help, but I've also added additional results taken from GMER 1.0.14.14536, as follows:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-26 16:20:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 8AB23C08 ZwAllocateVirtualMemory
SSDT 8AB5B388 ZwCreateKey
SSDT 8AA9B8F8 ZwCreateProcess
SSDT 8AB5B438 ZwCreateProcessEx
SSDT 8AA78F78 ZwCreateThread
SSDT 8AADA150 ZwDeleteKey
SSDT 8AB5C208 ZwDeleteValueKey
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xB0C93B4C]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xB0C93C3A]
SSDT 8AB491D8 ZwQueueApcThread
SSDT 8AB24120 ZwReadVirtualMemory
SSDT 8AB5A0C0 ZwRenameKey
SSDT 8AB1E1E8 ZwSetContextThread
SSDT 8AB3E4F0 ZwSetInformationKey
SSDT 8AA78E90 ZwSetInformationProcess
SSDT 8AAAD240 ZwSetInformationThread
SSDT 8AB3B348 ZwSetValueKey
SSDT 8AA78DA8 ZwSuspendProcess
SSDT 8AA9BFA8 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB38BDF20]
SSDT 8AA78CC0 ZwTerminateThread
SSDT 8AA9B020 ZwWriteVirtualMemory

Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwClose [0xB100E1CF]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwCreateSection [0xB100E43A]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwSetInformationFile [0xB100D916]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwWriteFile [0xB100D562]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) IoCreateFile
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtClose
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtCreateSection
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtSetInformationFile
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtWriteFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!IoCreateFile 8056BB8C 5 Bytes JMP B100D155 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationFile 80570304 5 Bytes JMP B100D91A \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntkrnlpa.exe!NtWriteFile 805722C8 7 Bytes JMP B100D566 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntkrnlpa.exe!NtCreateSection 805A076C 7 Bytes JMP B100E43E \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntkrnlpa.exe!NtClose 805B1CC6 5 Bytes JMP B100E1D3 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE Fastfat.SYS B14239C8 7 Bytes JMP B100EA22 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
? C:\DOCUME~1\MR1981~1.EDITED BY SYSTEM ADIMISTRATOR\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs AL_ADSFilter.sys (Aluria, Active Defense Shield, IFS Filter/Aluria Software, LLC)

Device \Driver\Tcpip \Device\Ip 89F1E148
Device \Driver\Tcpip \Device\Ip 893152A8
Device \Driver\Tcpip \Device\Ip 892BB2A8

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \Driver\Tcpip \Device\Ip GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium, Inc.)

Device \Driver\Tcpip \Device\Tcp 89F1E148
Device \Driver\Tcpip \Device\Tcp 893152A8
Device \Driver\Tcpip \Device\Tcp 892BB2A8

AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \Driver\Tcpip \Device\Tcp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium, Inc.)

Device \Driver\Tcpip \Device\Udp 89F1E148
Device \Driver\Tcpip \Device\Udp 893152A8
Device \Driver\Tcpip \Device\Udp 892BB2A8

AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \Driver\Tcpip \Device\Udp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium, Inc.)

Device \Driver\Tcpip \Device\RawIp 89F1E148
Device \Driver\Tcpip \Device\RawIp 893152A8
Device \Driver\Tcpip \Device\RawIp 892BB2A8

AttachedDevice \Driver\Tcpip \Device\RawIp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)

Device \Driver\Tcpip \Device\IPMULTICAST 89F1E148
Device \Driver\Tcpip \Device\IPMULTICAST 893152A8
Device \Driver\Tcpip \Device\IPMULTICAST 892BB2A8

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???B?????????????r???????????4??????????????????????????GenFloppyDisk?????????X??B???'???????????B??????????So???????C???B?B?B?B?5???????????@????????????N??B???6???????????????B???v??s???sw_bdfndisfmp????????????????????????????????????????????????4???????????+???????????4???????????????????????5???????????D???????????6??? ??B???p?????940??STORAGE\Volume??ht??? ??B??????????sW???????t???Confused?RawPort?????sw_BdfndisfMP???????USB?s???? ???????B???????????B??????????^???&????????????????????4??\Device\{51BA2B7F-FBA3-4127-B247-C2713987233D}??????? ???????<???????????????????????????????e??? ???B????????????????`??B???e???C????0??B??????????sw_bdfndisfmp????????B???C?????d?C???????????v???????B??? T??B???&???????&??sw_bdfndisf??????B??USB Receiver?e??Unimodem Half-Duplex Audio Device???????????????????????? D??B??????????????MODEMWAVE\RockwellVoiceModemWave?????????3??? ???????B???????????????????????????????f??{4D36E97D-E325-11CE-BFC1-08002BE10318}???e????N??B???B????D??'????4??B???}?g????00?????????B???(????{4D

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x22ef2ac3 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.14 ----

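A GMER log like the one above is long, and most of its hooks belong to the security products installed on the machine (BitDefender, SUPERAntiSpyware, Command Software's css-dvp.sys, Authentium's GRFILTER.sys). What a responder actually needs from it is the short list of things GMER could not attribute to a named driver file, plus the disk-sector findings. The Python script below is an added example, not GMER's code and not part of this thread: it parses the 'System', 'Kernel code sections' and 'Disk sectors' line formats shown in the log, groups hooks by the driver GMER named, and separates out the entries that need a human (hooks printed only as a kernel address, driver files referenced but missing from disk, and the sector findings). SAMPLE_LOG is a constructed excerpt built from lines posted in this thread; the regexes are my own reading of the 1.0.14 format, not a published grammar.

```python
"""Triage of GMER text logs: who owns each kernel hook, and what needs a human.

Added example; not GMER's code and not from the CastleCops thread.  Reads the
'System', 'Kernel code sections' and 'Disk sectors' lines of a GMER 1.0.14 log.
SAMPLE_LOG is a constructed excerpt in the format posted in the thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-27 19:32:27

---- System - GMER 1.0.14 ----

SSDT 8AB25288 ZwAllocateVirtualMemory
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xB05FBB4C]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB3C8DF20]

Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) IoCreateFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!NtClose 805B1CC6 5 Bytes JMP B12761D3 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
? System32\Drivers\5c7777ac.sys The system cannot find the file specified. !

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x22ef2ac3 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
"""

# Line shapes as they appear in the thread's logs (my reading of the format).
HOOK_RE = re.compile(r"^(?P<kind>SSDT|Code)\s+(?P<target>.+?)\s+(?P<func>(?:Zw|Nt|Io)\w+)"
                     r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$")
PAGE_RE = re.compile(r"^PAGE\s+(?P<sym>\S+)\s+(?P<at>[0-9A-Fa-f]+)\s+(?P<n>\d+) Bytes\s+"
                     r"(?P<patch>.+?)\s+(?P<target>\\.*)$")
MISSING_RE = re.compile(r"^\?\s+(?P<path>.+?)\s+The system cannot find the file specified\.")
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+sector\s+(?P<sector>\d+):\s+(?P<what>.+?)\s*$")
PAYLOAD_RE = re.compile(r"@ sector 0x(?P<sector>[0-9A-Fa-f]+) size 0x(?P<size>[0-9A-Fa-f]+)")
# "<driver path> (<description GMER printed>)"; the description may hold parentheses itself
TARGET_RE = re.compile(r"^(?P<path>.+?\.(?:sys|exe|dll))(?:\s+\((?P<desc>.*)\))?$", re.I)


@dataclass
class Hook:
    kind: str               # SSDT, Code or PAGE
    function: str           # hooked kernel routine (or patched symbol)
    module: Optional[str]   # driver file GMER attributed the hook to; None if only an address
    vendor: str = ""        # description GMER printed in parentheses
    detail: str = ""        # hook address or patch text, as printed


def parse_gmer_log(text: str) -> dict:
    t = {"hooks_by_module": defaultdict(list), "unattributed": [],
         "missing_files": [], "disk_findings": []}
    for line in text.splitlines():
        line = line.strip()
        if m := HOOK_RE.match(line):
            _add_hook(t, m["kind"], m["func"], m["target"], m["addr"] or "")
        elif m := PAGE_RE.match(line):
            _add_hook(t, "PAGE", m["sym"], m["target"], f"{m['n']} bytes {m['patch']} at {m['at']}")
        elif m := MISSING_RE.match(line):
            t["missing_files"].append(m["path"])
        elif m := DISK_RE.match(line):
            p = PAYLOAD_RE.search(m["what"])
            t["disk_findings"].append({
                "device": m["dev"], "sector": int(m["sector"]), "description": m["what"],
                "payload_sector": int(p["sector"], 16) if p else None,
                "payload_size": int(p["size"], 16) if p else None})
    return t


def _add_hook(t, kind, func, target, detail):
    if re.fullmatch(r"[0-9A-Fa-f]{8}", target):
        # GMER printed only a kernel address: nothing on disk to attribute it to,
        # so this one has to be resolved by hand rather than waved through.
        t["unattributed"].append(Hook(kind, func, None, detail=target))
        return
    m = TARGET_RE.match(target)
    path = m["path"] if m else target
    module = path.rsplit("\\", 1)[-1].lower()
    t["hooks_by_module"][module].append(Hook(kind, func, module, (m["desc"] or "") if m else "", detail))


def report(t: dict) -> dict:
    """The short list a responder scans first."""
    return {
        "attributed_modules": sorted(t["hooks_by_module"]),
        "unattributed_hooks": [h.function for h in t["unattributed"]],
        "missing_driver_files": list(t["missing_files"]),
        "mbr_payload_sectors": [f["payload_sector"] for f in t["disk_findings"]
                                if f["payload_sector"] is not None],
        "mbr_backup_sectors": [f["sector"] for f in t["disk_findings"]
                               if "copy of MBR" in f["description"]],
    }


if __name__ == "__main__":
    for k, v in report(parse_gmer_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Run against a saved log with `report(parse_gmer_log(open(path).read()))`. Attribution to a named product is only a first sort, not a clean bill: the script deliberately keeps the module name and vendor string together so the reviewer can still check that the file on disk is the product's signed driver. Applied to the second log in this thread, the two `?` lines for 5c7777ac.sys and 377a1d4a.sys would land in `missing_driver_files`, which is exactly the kind of item worth a follow-up question.
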
negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5393

Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT

Posted: Sun Oct 26, 2008 6:16 pm

You're welcome.

Let's try this:

Open a command prompt by doing the following:
  • Click Start -> Run
  • Type cmd
  • Hit Enter


You should now be in the Documents and Settings directory for your user profile. For example:
C:\Documents and Settings\<your user profile name>

Copy and paste the following command (in bold) onto the command line:
  • cd desktop
  • Then hit Enter

You should now be in your desktop directory. For example:
C:\Documents and Settings\<your user profile name>\desktop\

Verify that you are in your desktop directory before proceeding.

Copy and paste the following onto the command line:
  • mbr.exe -f
  • Hit Enter
  • Then exit the command prompt


This should replace the infected MBR with a backup of the original copy in Sector 62.

Copy and paste back the contents of your new mbr.log on your desktop


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Kash3

Sergeant


Joined: Jan 17, 2008
Posts: 97


Posted: Mon Oct 27, 2008 5:47 pm

Negster22, please see below- the new MBR log.


Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x22ef2ac3 size 0x1fd !
copy of MBR has been found in sector 62 !

Kash3

Sergeant


Joined: Jan 17, 2008
Posts: 97


Posted: Mon Oct 27, 2008 7:46 pm

See additional info- hope this helps.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-27 19:32:27
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 8AB25288 ZwAllocateVirtualMemory
SSDT 8AB5A840 ZwCreateKey
SSDT 8AB3B348 ZwCreateProcess
SSDT 8AA821E8 ZwCreateProcessEx
SSDT 8AAA1138 ZwCreateThread
SSDT 8AA823F0 ZwDeleteKey
SSDT 8AB3E4F0 ZwDeleteValueKey
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xB05FBB4C]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xB05FBC3A]
SSDT 8AB1F020 ZwQueueApcThread
SSDT 8AAA1260 ZwReadVirtualMemory
SSDT 8AAA1348 ZwRenameKey
SSDT 8AAF4DC0 ZwSetContextThread
SSDT 8AB438C8 ZwSetInformationKey
SSDT 8AA829C0 ZwSetInformationProcess
SSDT 8AA82AB0 ZwSetInformationThread
SSDT 8AAA1020 ZwSetValueKey
SSDT 8AA827F0 ZwSuspendProcess
SSDT 8AB481E8 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB3C8DF20]
SSDT 8AA828D8 ZwTerminateThread
SSDT 8AAF3268 ZwWriteVirtualMemory

Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwClose [0xB12761CF]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwCreateSection [0xB127643A]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwSetInformationFile [0xB1275916]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwWriteFile [0xB1275562]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) IoCreateFile
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtClose
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtCreateSection
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtSetInformationFile
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtWriteFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!IoCreateFile 8056BB8C 5 Bytes JMP B1275155 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationFile 80570304 5 Bytes JMP B127591A \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntkrnlpa.exe!NtWriteFile 805722C8 7 Bytes JMP B1275566 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntkrnlpa.exe!NtCreateSection 805A076C 7 Bytes JMP B127643E \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntkrnlpa.exe!NtClose 805B1CC6 5 Bytes JMP B12761D3 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE Fastfat.SYS B17CB9C8 7 Bytes JMP B1276A22 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
? System32\Drivers\5c7777ac.sys The system cannot find the file specified. !
? System32\Drivers\377a1d4a.sys The system cannot find the file specified. !
? C:\DOCUME~1\MR1981~1.EDITED BY ADMINISTRATOR\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA4C1B62] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4C1B90] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA4C186C] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA4C18BA] GRFILTER.sys (NDIS helper driver/Authentium, Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs AL_ADSFilter.sys (Aluria, Active Defense Shield, IFS Filter/Aluria Software, LLC)
AttachedDevice \FileSystem\Ntfs \Ntfs trufos.sys

Device \Driver\Tcpip \Device\Ip 891FF2A8

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \Driver\Tcpip \Device\Ip GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium, Inc.)

Device \Driver\Tcpip \Device\Tcp 891FF2A8

AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \Driver\Tcpip \Device\Tcp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium, Inc.)

Device \Driver\Tcpip \Device\Udp 891FF2A8

AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \Driver\Tcpip \Device\Udp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium, Inc.)

Device \Driver\Tcpip \Device\RawIp 891FF2A8

AttachedDevice \Driver\Tcpip \Device\RawIp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)

Device \Driver\Tcpip \Device\IPMULTICAST 891FF2A8

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.14 ----

Thread 4:912 B028DAB0

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???O?&??SSKBFD???P ??????????r???????!?%?E?;?E?M?<?O?e??? ???O???9???????9??Volume??????IEEE 1394 OHCI Compliant Host Controller Vendor????????????????????s?????O??21af6a87?? ??????O???e??sI??? ???????O???????????<?v?????????????????????????????????????????????????(???????O???C???e?????????????????????????????#t????????O???l???e???O???????????&???e??{8ECC055D-047F-11D1-A537-0000F8753ED1}????X??? ????????????????????? ???????????????_t??{8ECC055D-047F-11D1-A537-0000F8753ED1}\0003?ccP?A-E325-11CE-BFC1-08002BE10318}\0012?????USB?????LegacyDriver????LegacyDriver????{4D36E96A-E325-11CE-BFC1-08002BE10318}\0018??????????????????????????????????????????????????????????????????????????????????????????????????"?????????????????????????????#???%?????????O???V??s?0??????????????????????O????@??P?????????n?????????O???o??????????????????%SystemRoot%\system32\wuaucpl.cpl;%SystemRoot%\system32\wuaucpl.cpl.mui??????O??SSHRMD???P???????????????????????N?N?B?N?B?B?B?O?s?????????????????????????????????????????????????????????

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x22ef2ac3 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.14 ----

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5393

Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT

Posted: Mon Oct 27, 2008 9:28 pm

You do not currently have an MBR rootkit present.

The MBR is stored on sector 0, and the disk modifications you show are confined to sectors 62 and 63. There is also NO sign of hidden threads that are characteristic of the MBR rootkit in the Gmer log.

This image shows what you would be seeing upon launching Gmer without even performing a scan, if the MBR rootkit were active. The red entry and the hidden threads are the earmarks of an active MBR rootkit infection:
http://wiki.castlecops.com/Image:MBRRootkitGmerScan.JPG

What you appear to have are remnants of an MBR infection, but I think some scanner or tool has already repaired MBR sector 0. You see how mbr.exe reports "user & kernel MBR OK". It only repairs sector 0 if it is infected.

I would follow up by doing a couple of scans to make sure no other malware is lurking.

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop or a convenient location of your choosing from one of the following websites:

MBAM provides support for Windows 2000, XP, and Vista.

BestTechie.net
http://www.besttechie.net/tools/mbam-setup.exe
or
MajorGeeks.com:
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

Double-click mbam-setup.exe and follow the prompts to install the program. At the end of the install, verify that a checkmark is placed next to the following two options:

  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' anti-Malware
  • Click Finish.
  • MBAM will automatically update, if the above options are checked.
  • Once the program launches, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is finished, a log will open in Notepad with the scan results. Please post the results in your next reply, along with a new HJT log.


You may be prompted to restart your computer (see Note), in which case you can retrieve the log afterwards by reopening MBAM and selecting the Logs tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with a prompt. Please respond by clicking OK, and this will allow MBAM to continue with the removal process. If MBAM asks to restart the computer, you should immediately comply with that request, so all malware traces are satisfactorily removed.

=================

Please perform a scan with the ESET online virus scanner:
http://www.eset.com/onlinescan/index.php
  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs
  • Use Internet Explorer to navigate to the scanner website because you must approve installing an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Check the box that enables removal of all threats found

When the scan is done, please post the scan report in your next reply. It can be found in this location:
C:\Program Files\EsetOnlineScanner\log.txt

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

Please post back:

1. The ESET scan report - C:\Program Files\EsetOnlineScanner\log.txt

2. The MBAM scan report


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
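As an added example (not code from this thread, from GMER or from mbr.exe), here is a small Python check over a constructed disk image: it parses the live MBR at sector 0 (boot signature and partition table) and compares it with the "copy of MBR" that GMER reported at sector 62, which is the consistency test the reasoning above rests on. The partition layout, boot code bytes and sector count are made up for the example.

```python
import struct

SECTOR = 512

def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR: 446 bytes of boot code, four 16-byte
    partition entries (flag, CHS, type, CHS, start LBA, size), then 0x55AA."""
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if active else 0, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", start, size)
        for active, ptype, start, size in partitions)
    return code + table.ljust(64, b"\x00") + b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature and the non-empty partition entries."""
    assert len(sector) == SECTOR
    parts = []
    for i in range(4):
        flag, ptype, start, size = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:
            parts.append({"active": flag == 0x80, "type": ptype,
                          "start_lba": start, "sectors": size})
    return {"signature_ok": sector[510:] == b"\x55\xaa", "partitions": parts}

def check_mbr_copy(image: bytes, copy_sector: int = 62) -> str:
    """Compare the live MBR (sector 0) with the copy found at copy_sector.
    'identical': same code and table.  'code_differs': same partition table but
    different boot code (what a leftover copy looks like once sector 0 has been
    repaired).  'table_differs': partition table mismatch.  'no_copy': the
    sector is blank or carries no valid MBR signature."""
    live = image[:SECTOR]
    copy = image[copy_sector * SECTOR:(copy_sector + 1) * SECTOR]
    if len(copy) < SECTOR or not parse_mbr(copy)["signature_ok"]:
        return "no_copy"
    if live == copy:
        return "identical"
    if live[446:] == copy[446:]:
        return "code_differs"
    return "table_differs"

# Constructed image (made up for this example): 64 sectors, one NTFS-type
# partition, a repaired MBR in sector 0 and a stale copy with other boot code in sector 62.
CLEAN = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20, [(True, 0x07, 63, 40000)])
STALE = build_mbr(b"\xeb\xfe", [(True, 0x07, 63, 40000)])
IMAGE = bytearray(SECTOR * 64)
IMAGE[0:SECTOR] = CLEAN
IMAGE[62 * SECTOR:63 * SECTOR] = STALE

if __name__ == "__main__":
    print(parse_mbr(bytes(IMAGE[:SECTOR])))
    print(check_mbr_copy(bytes(IMAGE)))   # code_differs
```

On a real disk you would feed the same functions the raw sectors read from the physical device; a copy that differs only in boot code, with sector 0 intact, is the situation the post above describes.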
Kash3

Sergeant
Sergeant


Joined: Jan 17, 2008
Posts: 97


PostPosted: Tue Oct 28, 2008 12:46 pm    Post subject:

Hi Negster22,

See logs below. I took the liberty of performing quick and full MBAM scans. I've also added the BitDefender log.

Many thanks for your help.



MBAM Quick scan

Malwarebytes' Anti-Malware 1.30
Database version: 1328
Windows 5.1.2600 Service Pack 3

27/10/2008 21:28:46
mbam-log-2008-10-27 (21-28-46).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 176766
Time elapsed: 1 hour(s), 12 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-------------------------------------------------------------------------

MBAM- Full Scan

Malwarebytes' Anti-Malware 1.30
Database version: 1328
Windows 5.1.2600 Service Pack 3

27/10/2008 21:38:58
mbam-log-2008-10-27 (21-38-58).txt

Scan type: Quick Scan
Objects scanned: 23792
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------------------------------------------------------------------------------


ESET online scan

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3560 (20081027)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=aa1750e59ae1ae45aeea5b9d5568f3c1
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2008-10-28 12:00:30
# local_time=2008-10-28 12:00:30 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=476235
# found=0
# scan_time=6593

-----------------------------------------------------------------------------------

BitDefender (hope this is ok with you). It's picked up Mebroot. Also not sure why some files are password protected, as you'll see nearer the bottom of the log. Any ideas?

BitDefender Log File !!!!!
Product : BitDefender Total Security 2008
Version : BitDefender UIScanner v.11
Log date : 10:42:24 28/10/2008
Log path : C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1225190544_1_02.xml
Scan Paths:
Path0000: C:\
Path0001: D:\

Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes

Target selection options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :

Target Processing
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None

Scan engines summary
Number of virus signatures : 1968617
Archive plugins : 43
Email plugins : 6
Scan plugins : 12
Archive plugins : 43
System plugins : 5
Unpack plugins : 7

Overall scan summary
Scanned items : 497131
Infected items : 1
Suspicious items : 0
Resolved items : 0
Individual viruses found : 1
Scanned directories : 5981
Scanned boot sectors : 5
Scanned archives : 13686
Input-output errors : 139
Scan time : 00:02:58:49
Files per second : 46

Scanned proce