
Attacked by Windows Police Popups


9 replies to this topic

#1 lamago

lamago

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 19 October 2009 - 11:21 PM

My system was attacked by Antivirus Pro, I believe. I am getting Windows Police popups and I can't run any antivirus programs; it disabled Malware antivirus and Avira. I can't do a restore at all; it has disabled all programs.

I saw another post that complained of the same situation as mine, and they were asked to run RootRepeal. Here are my results. Any help is appreciated.

RootRepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 20:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: athibgxt.SYS
Image Path: C:\WINDOWS\System32\Drivers\athibgxt.SYS
Address: 0xB9BAC000 Size: 417792 File Visible: No Signed: -
Status: -

Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xAC2C0000 Size: 16384 File Visible: No Signed: -
Status: -

Name: dump_viamraid.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_viamraid.sys
Address: 0x9BE51000 Size: 61440 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP0916
Image Path: \Driver\PCI_NTPNP0916
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9577000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_308.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Administrator\Local Settings\Apps\2.0\MTCK4D1N.T3H\6MWC0A1P.0M6\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Apps\2.0\MTCK4D1N.T3H\6MWC0A1P.0M6\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8a0297a0 Size: 121

Object: Hidden Code [Driver: athibgxtȅ扏煓荈Ȃః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x8a5844e0 Size: 121

Object: Hidden Code [Driver: athibgxtȅ扏煓荈Ȃః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x8a5844e0 Size: 121

Object: Hidden Code [Driver: athibgxtȅ扏煓荈Ȃః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5844e0 Size: 121

Object: Hidden Code [Driver: athibgxtȅ扏煓荈Ȃః瑎て, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5844e0 Size: 121

Object: Hidden Code [Driver: athibgxtȅ扏煓荈Ȃః瑎て, IRP_MJ_POWER]
Process: System Address: 0x8a5844e0 Size: 121

Object: Hidden Code [Driver: athibgxtȅ扏煓荈Ȃః瑎て, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a5844e0 Size: 121

Object: Hidden Code [Driver: athibgxtȅ扏煓荈Ȃః瑎て, IRP_MJ_PNP]
Process: System Address: 0x8a5844e0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a6923e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a6923e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a6923e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a6923e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a6923e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6923e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6923e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a6923e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a6923e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6923e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a6923e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x8a1697a0 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x8a1697a0 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x8a1697a0 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x8a1697a0 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1697a0 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a1697a0 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x8a1697a0 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a1697a0 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x8a1697a0 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a8991e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a8991e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a8991e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a8991e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a8991e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8991e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8991e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a8991e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a8991e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8991e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a8991e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a6931e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a6931e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6931e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6931e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a6931e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6931e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a6931e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a90b1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a90b1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a90b1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a90b1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a90b1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a90b1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a90b1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a90b1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a90b1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a90b1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a90b1e8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_CREATE]
Process: System Address: 0x8a8981e8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_CLOSE]
Process: System Address: 0x8a8981e8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8981e8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8981e8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_POWER]
Process: System Address: 0x8a8981e8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8981e8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_PNP]
Process: System Address: 0x8a8981e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a66e3d0 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a66e3d0 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a66e3d0 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a66e3d0 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a66e3d0 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a66e3d0 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a6a21e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a6a21e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6a21e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6a21e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a6a21e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6a21e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a6a21e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a1247a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_CREATE]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_CLOSE]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_READ]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0cc7a0 Size: 121

Object: Hidden Code [Driver: Cdfsȅ噁灂䗰ѸȂఅ瑎獆⨀, IRP_MJ_PNP]
Process: System Address: 0x8a0cc7a0 Size: 121

==EOF==
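As an added, defender-side example (not code from this thread or from RootRepeal's authors), here is a Python parser for the RootRepeal report format posted above. It reads the Drivers and Stealth Objects sections and turns them into triage findings: driver images that are not visible as files, and IRP dispatch entries of a driver that all point at the same block of hidden code. The embedded report is a trimmed, constructed excerpt of the log above; treating rootrepeal.sys as the scanner's own (expected-hidden) driver is an assumption.

```python
import re

# Constructed sample input: a trimmed excerpt of the RootRepeal report posted above.
SAMPLE_REPORT = """\
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 20:58
==================================================

Drivers
-------------------
Name: athibgxt.SYS
Image Path: C:\\WINDOWS\\System32\\Drivers\\athibgxt.SYS
Address: 0xB9BAC000 Size: 417792 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xA9577000 Size: 49152 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a8971e8 Size: 121

Object: Hidden Code [Driver: athibgxt\u0205\u626f, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5844e0 Size: 121

==EOF==
"""

DRIVER_RE = re.compile(r"Address: (0x[0-9A-Fa-f]+) Size: (\d+) File Visible: (\S+) Signed: (\S+)")
OBJECT_RE = re.compile(r"Object: Hidden Code \[Driver: (.+?), (IRP_MJ_\w+)\]")
PROCESS_RE = re.compile(r"Process: (\S+) Address: (0x[0-9A-Fa-f]+) Size: (\d+)")


def clean_name(name):
    """RootRepeal prints unterminated junk after some driver names (visible in the log above); keep the ASCII prefix."""
    return re.split(r"[^\x20-\x7e]", name, maxsplit=1)[0].strip()


def split_sections(text):
    """Map each section title (the line above a dashed rule) to its blank-line-separated records."""
    parts = re.split(r"^(\S[^\n]*)\n-{5,}\n", text.split("==EOF==")[0], flags=re.M)  # [preamble, title, body, ...]
    return {parts[i]: [rec.strip().splitlines() for rec in re.split(r"\n\s*\n", parts[i + 1]) if rec.strip()]
            for i in range(1, len(parts) - 1, 2)}


def parse_report(text):
    """Return the driver list and the hooked IRP dispatch entries ("Hidden Code" stealth objects) of a report."""
    secs, drivers, hooks = split_sections(text), [], []
    for rec in secs.get("Drivers", []):
        joined = "\n".join(rec)
        name, m = re.search(r"^Name: (.*)$", joined, re.M), DRIVER_RE.search(joined)
        if name and m:
            drivers.append({"name": clean_name(name.group(1)), "base": m.group(1), "size": int(m.group(2)),
                            "visible": m.group(3) == "Yes", "signed": m.group(4)})
    for rec in secs.get("Stealth Objects", []):
        o, p = OBJECT_RE.search(rec[0]), PROCESS_RE.search(rec[-1])
        if o and p:
            hooks.append({"driver": clean_name(o.group(1)), "irp": o.group(2), "addr": p.group(2).lower()})
    return {"drivers": drivers, "hooks": hooks}


def triage(report, scanner_drivers=("rootrepeal.sys",)):
    """Turn a parsed report into findings; the scanner's own driver hides itself by design and is skipped (assumption)."""
    findings, per_driver = [], {}
    for d in report["drivers"]:
        if not d["visible"] and d["name"].lower() not in scanner_drivers:
            findings.append(f"hidden driver image {d['name']} at {d['base']} ({d['size']} bytes, signed: {d['signed']})")
    for h in report["hooks"]:
        per_driver.setdefault(h["driver"], []).append(h)
    for drv, hs in per_driver.items():  # many IRP_MJ entries of one driver at one address = one hooking module
        addrs = ", ".join(sorted({h["addr"] for h in hs}))
        findings.append(f"{drv}: {len(hs)} IRP dispatch entries redirected to hidden code at {addrs}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE_REPORT)):
        print("-", finding)
```

Run against the full log above, the same grouping shows every dispatch entry of Ntfs, Fastfat, Cdrom and the other listed drivers resolving to a single hidden address each, which is the pattern to compare against the hidden athibgxt.SYS image.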



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:48 AM

Posted 20 October 2009 - 12:26 PM

Hello, please rerun RootRepeal. This time select only FILES in step 6.

Can you run MBAM ?
Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe. Now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 lamago

lamago
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 20 October 2009 - 03:01 PM

Hi, thanks for your help. I re-ran RootRepeal with Files only. Here is the log. I tried to run MBAM. I saved the file to my desktop and renamed it zztoy.exe. Once I run the file zztoy.exe I get a pop-up telling me "Unable to execute file MBAM.exe". Should I rename that one within the profile file folder?


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/20 12:41
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Administrator\Local Settings\Apps\2.0\MTCK4D1N.T3H\6MWC0A1P.0M6\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Apps\2.0\MTCK4D1N.T3H\6MWC0A1P.0M6\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

==EOF==

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:48 AM

Posted 20 October 2009 - 03:08 PM

Yes...
Some types of malware will disable MBAM (MalwareBytes) and other security tools. If MBAM will not install, try renaming it.

Before saving any of your security programs, rename them first. For example, before you save Malwarebytes', rename it to something like MBblah.exe and then click on Save and save it to your desktop. Same thing after you install it: before running it, rename the main executable file first.
***
Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.

#5 lamago

lamago
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 20 October 2009 - 03:26 PM

I renamed the file MBAM.exe to zztoy.bat and the program installed. When I double-click to run it, it pops up a signature validation option which, whether I check it or not, does not launch the program. When I right-click on it and click "run as", it asks "choose correspondents", which then just does not do anything. Please help me to run it.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:48 AM

Posted 20 October 2009 - 03:35 PM

Something (the malware) is stopping MBAM in memory. Of the most popular ones out there, we will try to stop its cause.
Use Process Explorer to see what's running at startup.

Please download and run Process Explorer v11.33

Now look for any/all of these.
Right-click with your mouse to highlight. Then go to the top of the page and kill them by clicking the red X on the toolbar.
Under explorer.exe

av360.exe
453732.exe (look for a brown shield and something like... 453732.exe it can be different numbers)
tsc.exe (has a blue/white stripe shield).


If still no joy:
1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.

#7 lamago

lamago
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 20 October 2009 - 03:50 PM

I ran the program you asked and the only files under explorer.exe were "procexp.exe" and "ctfmon.exe". Currently rebooting and going to reinstall MBAM. Any thoughts?

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:48 AM

Posted 20 October 2009 - 03:59 PM

I need you to do this so we can tell exactly what you have here.
Please search your drive for ctfmon.exe
Next upload the file(s) to Virus Total
Post their reply here, thanks.

Edited by boopme, 20 October 2009 - 03:59 PM.


#9 lamago

lamago
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 20 October 2009 - 04:13 PM

File has already been analysed:
MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3
First received: 2009.02.11 22:51:11 UTC
Date: 2009.10.20 18:25:20 UTC [<1D]
Results: 1/41
Permalink: analisis/5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1-1256063120

VirusTotal link

#10 lamago

lamago
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 20 October 2009 - 04:15 PM

I re-installed MBAM, however when I try to run it I get the error 'MBAM.EXE' cannot be found. Once I go into program files there is no such file.
