Alpha Antivirus + Cant run programs


4 replies to this topic

#1 xJimba1


Posted 06 October 2009 - 09:53 AM

Hello. First, I have a PC with the Alpha virus along with remnants of Windows Police.
Now I cannot run any programs from the desktop. Clicking opens the OPEN WITH box, so something is wrong with my .EXE links.
I cannot install or run HJT or Malware. I get Access denied errors, missing picture errors, or it starts and just goes away.
I am at a loss, since everything I am reading to do can't be done.
Perhaps someone can instruct me on how to re-associate my .exe files and fix my authorities so I might be able to run the tools?

Thanks in advance to everyone. 1st time poster, long time reader.


#2 xJimba1


Posted 06 October 2009 - 01:44 PM

***UPDATE***

Good news: I can now run programs by tweaking the registry.

Bad news: now I seem to be running AntiVirus 2010 also. Not sure how, since this laptop is not connected to anything. Now my Task Manager is disabled, and as many times as I try to turn on DisableSR, it just goes right back to being blocked.

Perhaps a hammer will fix the issue for good?

#3 garmanma


Posted 06 October 2009 - 02:13 PM

We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes (Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT).
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: if RootRepeal fails to run, try this step: click Settings - Options and set the Disk Access slider to High.

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr
Mark

#4 xJimba1


Posted 06 October 2009 - 03:33 PM

Thank you for your help! This site is awesome. I finally got Malwarebytes to load earlier today, but this log still shows these calc and scandisk files hidden. I will await your response before touching anything else. I don't see a FILE ATTACH option in this forum, so I just pasted it in. Hope that is ok. If not, I can send the report tomorrow. Thx



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 16:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBAB4D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8DDB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB76D4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\msdownld.tmp\msdownld.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\speech\speech
Status: Locked to the Windows API!

Path: C:\WINDOWS\ftpcache\ftpcache
Status: Locked to the Windows API!

Path: C:\WINDOWS\setup.pss\setup.pss
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\addins\addins
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\calc.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\LocalService\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\NetworkService\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB928090\KB928090
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB932168\KB932168
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB933566\KB933566
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB933729\KB933729
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d1\d1
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d2\d2
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d3\d3
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d4\d4
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d5\d5
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d6\d6
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d7\d7
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d8\d8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\temp\temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: c:\windows\system32\restore\machineguid.txt
Status: Allocation size mismatch (API: 0, Raw: 8)

Path: C:\WINDOWS\Temp\TempFolder.aau\TempFolder.aau
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaa\TempFolder.aaa
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aab\TempFolder.aab
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aac\TempFolder.aac
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aad\TempFolder.aad
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aae\TempFolder.aae
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaf\TempFolder.aaf
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aag\TempFolder.aag
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aah\TempFolder.aah
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aai\TempFolder.aai
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaj\TempFolder.aaj
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aak\TempFolder.aak
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aal\TempFolder.aal
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aam\TempFolder.aam
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aan\TempFolder.aan
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aao\TempFolder.aao
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaq\TempFolder.aaq
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aar\TempFolder.aar
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aas\TempFolder.aas
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aat\TempFolder.aat
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aap\TempFolder.aap
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abz\TempFolder.abz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aca\TempFolder.aca
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acb\TempFolder.acb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acc\TempFolder.acc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acd\TempFolder.acd
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ace\TempFolder.ace
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acf\TempFolder.acf
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acg\TempFolder.acg
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ach\TempFolder.ach
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aci\TempFolder.aci
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acj\TempFolder.acj
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ack\TempFolder.ack
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acl\TempFolder.acl
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acm\TempFolder.acm
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acn\TempFolder.acn
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aco\TempFolder.aco
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acp\TempFolder.acp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acr\TempFolder.acr
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acs\TempFolder.acs
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.act\TempFolder.act
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acu\TempFolder.acu
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acv\TempFolder.acv
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acw\TempFolder.acw
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acx\TempFolder.acx
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acy\TempFolder.acy
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acz\TempFolder.acz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ada\TempFolder.ada
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adb\TempFolder.adb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adc\TempFolder.adc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.add\TempFolder.add
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ade\TempFolder.ade
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adf\TempFolder.adf
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adg\TempFolder.adg
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adh\TempFolder.adh
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adj\TempFolder.adj
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adk\TempFolder.adk
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adl\TempFolder.adl
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adm\TempFolder.adm
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adn\TempFolder.adn
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ado\TempFolder.ado
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adp\TempFolder.adp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adq\TempFolder.adq
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adr\TempFolder.adr
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ads\TempFolder.ads
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adt\TempFolder.adt
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adu\TempFolder.adu
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adv\TempFolder.adv
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adw\TempFolder.adw
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adx\TempFolder.adx
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ady\TempFolder.ady
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adz\TempFolder.adz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aea\TempFolder.aea
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aeb\TempFolder.aeb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aec\TempFolder.aec
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abh\TempFolder.abh
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abi\TempFolder.abi
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abj\TempFolder.abj
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abk\TempFolder.abk
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abl\TempFolder.abl
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abm\TempFolder.abm
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abn\TempFolder.abn
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abo\TempFolder.abo
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abp\TempFolder.abp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abq\TempFolder.abq
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abr\TempFolder.abr
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abs\TempFolder.abs
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abt\TempFolder.abt
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abu\TempFolder.abu
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abv\TempFolder.abv
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abw\TempFolder.abw
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abx\TempFolder.abx
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abg\TempFolder.abg
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aby\TempFolder.aby
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acq\TempFolder.acq
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adi\TempFolder.adi
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aav\TempFolder.aav
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaw\TempFolder.aaw
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aax\TempFolder.aax
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aay\TempFolder.aay
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaz\TempFolder.aaz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aba\TempFolder.aba
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abb\TempFolder.abb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abc\TempFolder.abc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abd\TempFolder.abd
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abe\TempFolder.abe
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abf\TempFolder.abf
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\191c899196624d7a81a735dad2332655\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\88fdd08cff3165ea248229dabb1bb718\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\9093e8d3e790b5dec631e4416d3eb283\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\c9bf12dbe4014749ca9bd94c51618107\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cadf7c8240793a561791dc3bd3e91a5e\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\6ddf94f5c8129ac27a2cd55cfb9e0783\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e85f60fa51e40d03873c40d08cf4725c\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\scandisk.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8330ee40

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x833e9348

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x833e4460

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x833aa180

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8335d1d8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x833e92d0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8331f130

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8330eeb8

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8330ed50

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x833ab148

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8330efa8

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x833df1e8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x833e7d10

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8330e020

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x833ee0f8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x833971e8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8330ef30

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x833a9898

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8335e8b0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8330edc8

Stealth Objects
-------------------
Object: Hidden Module [Name: evebxasus.dll]
Process: Explorer.EXE (PID: 1476) Address: 0x03290000 Size: 319488

Object: Hidden Module [Name: evebxasus.dll]
Process: IEXPLORE.EXE (PID: 3468) Address: 0x01950000 Size: 319488

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x82b20898 Size: 1896

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8302ceb0 Size: 336

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x830309a0 Size: 589

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8302ca40 Size: 162

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x83035b38 Size: 1002

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x83037eb0 Size: 337

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82f87198 Size: 3042

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x82f851b0 Size: 2401

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x82b1e998 Size: 1640

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82b1e920 Size: 1760

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82b1e8a8 Size: 1880

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82b1db68 Size: 448

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82b1daf0 Size: 568

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82b1da78 Size: 688

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82b1da00 Size: 808

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82b1d988 Size: 928

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82b1d910 Size: 1048

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82b1d898 Size: 1168

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x82b1cfa8 Size: 88

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82b1cf30 Size: 208

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82b1ceb8 Size: 328

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82b1ce40 Size: 448

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x82b1cdc8 Size: 568

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82b1cd50 Size: 688

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82b1ccd8 Size: 808

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82b1cc60 Size: 928

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82b1cbe8 Size: 1048

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x82b1cb70 Size: 1168

==EOF==
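
A small triage script for a report like the one above, added here as an example (it is not part of the thread and not RootRepeal's own code): it parses RootRepeal's text format and ranks each record so the genuinely suspicious entries (files invisible to the Windows API, SSDT hooks by an unattributed module, hidden modules) stand out from the many "Locked to the Windows API!" directories, which are normal for in-use system folders. The severity rules and the abridged sample report are this example's own.

```python
import re
from collections import Counter

_SEV_ORDER = {"high": 0, "medium": 1, "info": 2}
# Constructed excerpt in RootRepeal's report format (values abridged from the
# report above): section name over a dashed rule, blank-line-separated records.
SAMPLE_REPORT = r"""Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$hf_mig$\KB928090\KB928090
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\calc.dll
Status: Invisible to the Windows API!

Path: c:\windows\system32\restore\machineguid.txt
Status: Allocation size mismatch (API: 0, Raw: 8)

SSDT
-------------------
#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x833e4460

Stealth Objects
-------------------
Object: Hidden Module [Name: evebxasus.dll]
Process: Explorer.EXE (PID: 1476) Address: 0x03290000 Size: 319488

==EOF==
"""

def parse_report(text):
    """Return (section, record) pairs. Lines split on their first ': ' only,
    so packed lines ("#: 047 Function Name: ...") keep their tail intact."""
    lines = text.splitlines()
    section, rec, out = None, {}, []
    for i, raw in enumerate(lines + [""]):          # trailing "" flushes the last record
        line = raw.strip()
        if not line:
            if rec and section:
                out.append((section, rec))
            rec = {}
        elif i + 1 < len(lines) and re.fullmatch(r"-{5,}", lines[i + 1].strip()):
            section = line                          # e.g. "SSDT" sits above a dashed rule
        elif section:
            key, sep, value = line.partition(": ")
            if sep:                                 # skips the dashed rule and ==EOF==
                rec[key] = value
    return out

def classify(section, rec):
    """Rate one record as (severity, section, summary); these rules are this
    example's own triage heuristics, not RootRepeal's."""
    status = rec.get("Status", "")
    if section == "Hidden/Locked Files":
        path = rec.get("Path", "?")
        if status.startswith("Invisible"):          # present on disk, hidden from the API
            return ("high", section, f"{path}: hidden from the Windows API")
        if status.startswith("Allocation size mismatch"):
            return ("medium", section, f"{path}: raw size differs from API size")
        return ("info", section, f"{path}: locked; normal for in-use system dirs")
    if section == "SSDT":
        m = re.search(r"Function Name: (\S+)", rec.get("#", ""))
        func = m.group(1) if m else "?"
        owner = re.search(r'Hooked by "([^"]*)"', status)
        if owner and owner.group(1) == "<unknown>":  # hook not attributable to any driver
            return ("high", section, f"{func}: hooked by an unattributed module")
        return ("medium", section, f"{func}: {status}")
    if section == "Stealth Objects":               # hidden DLLs, patched driver dispatch code
        where = rec.get("Process", "").split(" Address:")[0]
        return ("high", section, f"{rec.get('Object', '?')} in {where}")
    return ("info", section, str(rec))

def triage(text):
    return sorted((classify(s, r) for s, r in parse_report(text)),
                  key=lambda f: _SEV_ORDER[f[0]])

def summarize(text):
    """Findings per severity; a clean report has no 'high' entries."""
    return dict(Counter(f[0] for f in triage(text)))
```

Run against the full report above, the "Locked" entries (the $hf_mig$, CSC and TempFolder directories) all drop to info, leaving the invisible calc.dll, ntuser.dll and scandisk files, the twenty unattributed SSDT hooks and the hidden evebxasus.dll module at the top.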

#5 garmanma


Posted 06 October 2009 - 06:41 PM

Now that you were successful in creating the Root Repeal log you need to post it in our HJT forum:
First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry; just give a brief description and tell them that this log was all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient, and good luck.
Mark



