Backdoor Trojan Virus eek please help [Moved]



#1 hjtcanyouhelpme


Posted 28 November 2009 - 10:36 PM

Symantec found a backdoor trojan virus... it appears someone has been having their way with my computer... please let me know where to post logs etc. for help.

Have completed a RootRepeal scan and have the report ready for upload.

I have disabled services as I could and have enabled Windows Firewall.

Cannot remove Symantec Endpoint to put on another antivirus, as Windows Installer starts and stops but will not do what I need it to do (and likely other important functions have been hijacked).

Thank you for any help you can provide.

Scott



#2 Orange Blossom


Posted 28 November 2009 - 10:37 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 hjtcanyouhelpme

hjtcanyouhelpme
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 28 November 2009 - 10:51 PM

I now have RootRepeal, DDS, and Attach ready to upload. Please let me know where and when to upload... Thanks, Scott

#4 hjtcanyouhelpme

hjtcanyouhelpme
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 29 November 2009 - 08:29 AM

RootRepeal shows numerous backups "invisible to the Windows API".
RootRepeal also shows numerous functions hooked by "<unknown>".

#5 hjtcanyouhelpme

hjtcanyouhelpme
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 29 November 2009 - 09:40 AM

Should I post my logs...? Thank you for any help you can provide... Scott

#6 hjtcanyouhelpme

hjtcanyouhelpme
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 29 November 2009 - 02:41 PM

I was having a challenge installing the SQL 2005 Express Windows update... could not do it.

After disabling many services to stop others from controlling my machine, I have now received a SQL 2005 Windows security update for install... should I try to install...? Or could this be a way for someone else to regain control of my machine?

Thanks,

Scott

#7 hjtcanyouhelpme

hjtcanyouhelpme
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 29 November 2009 - 02:43 PM

The Windows update states Security Update for SQL Server 2005 (KB960089)...

#8 hjtcanyouhelpme

hjtcanyouhelpme
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 29 November 2009 - 03:07 PM

Here are some of the nasties recently found in Norton events... please help me.


Date and Time     Risk        Action               Filename
11/27/2009 20:42  Downloader  Log only             jvmimpro.jar-6b13a7e7-7ffcb8c9.zip
11/27/2009 20:42  Downloader  Cleaned by deletion  vmain.class
11/27/2009 20:42  Downloader  Log only             bd7ce2f-63b98fc4
11/27/2009 20:42  Downloader  Cleaned by deletion  vmain.class

#9 hjtcanyouhelpme

hjtcanyouhelpme
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 29 November 2009 - 03:18 PM

Upon doing some research... it appears one issue may be Java, and a suggestion is to uninstall all Java runtime environments and updates, and then to install a fresh, newly updated Java runtime environment etc.... However, my Windows Installer will not work; it appears hijacked or disabled through some code.... please help... thanks

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:34 AM

Posted 29 November 2009 - 11:14 PM

Hello, please post the RootRepeal log.
Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Edited by boopme, 29 November 2009 - 11:15 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#11 hjtcanyouhelpme

hjtcanyouhelpme
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 30 November 2009 - 12:27 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/28 21:37
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA815B000 Size: 778240 File Visible: No Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xA493D000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RRbackups
Status: Locked to the Windows API!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\C
Status: Invisible to the Windows API!

Path: C:\RRbackups\common
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings
Status: Invisible to the Windows API!

Path: C:\RRbackups\SIS
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\C\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\C\0
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\3
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\4
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\5
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\MERGE
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\common\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\common\backups.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\bt0.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\bt1.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\bt2.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\bt3.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\bt4.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\bt5.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\css.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\hints.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\mnd.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\regcerts.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\restore.log
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\rr.log
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\SAM
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\seccache.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\secpolicy.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\settings.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\system.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\tvtcmn.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\tvtns.bin
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\usersids.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Scott
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\TEMP
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\SIS\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\SIS\C
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\C\0\*
Status: Could not enumerate files with the Windows API (0x00000005)!



Path: C:\RRbackups\C\0\Data325
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data327
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data328
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data329
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data33
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data330
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data331
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data332
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data333
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data334
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data335
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data336
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data337
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data338
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data339
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data34
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data340
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data341
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data342
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data343
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data344
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data346
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data347
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data348
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data349
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data35
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data350
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data351
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data352
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data353
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data354
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data355
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data356
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data357
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data358
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data359
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data36
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data360
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data361
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data362
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data363
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data365
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data366
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data367
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\D

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x89c48ca8

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x89c49ca8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89f88460

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89fa9008

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89d8ed28

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89768d18

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89d2bce0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89c55d38

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x89c5dca8

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89c4bcb0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89d8eca8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89d78ca8

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x89c47ce0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x898da980

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x89d2bca8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8a113ce8

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x89c49ce0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89d66d38

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x89c47ca8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89c3aec0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89d2dca8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x89c55b60

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89d30ce8

==EOF==
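A quick way to read a RootRepeal report of this length is to collapse the hidden-file section into counts per directory and to group the SSDT section by the module that owns each hook. The script below is an added example for this thread, not part of RootRepeal or of any post in it. SAMPLE_REPORT is a constructed excerpt in the report format shown above; the "Hidden/Locked Files" section title, the example.sys entries and the 0xf7a11234 address are illustrative assumptions rather than values from the thread, and the C:\RRbackups prefix is treated as expected because that folder belongs to the ThinkVantage Rescue and Recovery backup feature, which hides it on purpose. Hooks whose owner RootRepeal could not resolve ("<unknown>") are listed for follow-up; legitimate security products also hook the SSDT, so an unresolved owner is a lead to check against the installed drivers, not a verdict.

```python
"""Summarise a RootRepeal report: hidden paths grouped by directory and SSDT
hooks grouped by the module that owns them.  Added example for this thread,
not part of RootRepeal or of the original posts.  SAMPLE_REPORT is a
constructed excerpt in the format seen in the thread; the 'Hidden/Locked
Files' title, the example.sys entries and the 0xf7a11234 address are
illustrative assumptions, not values from the thread."""
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""Hidden/Locked Files
-------------------
Path: C:\RRbackups\C\0\Data252
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data253
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\example.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x89c48ca8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89f88460

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "example.sys" at address 0xf7a11234

==EOF==
"""

# A hidden-file entry is a "Path:" line immediately followed by a "Status:" line.
_PATH_RE = re.compile(r"^Path: (?P<path>[^\r\n]+)\r?\nStatus: (?P<status>[^\r\n]+)",
                      re.MULTILINE)
# An SSDT entry is a "#: nnn Function Name:" line followed by owner and address.
_HOOK_RE = re.compile(
    r'^#: (?P<index>\d+) Function Name: (?P<name>\w+)\r?\n'
    r'Status: Hooked by "(?P<owner>[^"]*)" at address (?P<addr>0x[0-9A-Fa-f]+)',
    re.MULTILINE,
)


def parse_hidden_paths(report):
    """Return (path, status) tuples for every hidden-file entry in the report."""
    return [(m.group("path").strip(), m.group("status").strip())
            for m in _PATH_RE.finditer(report)]


def parse_ssdt_hooks(report):
    """Return one dict per SSDT hook: service index, function, owner, address."""
    return [{"index": int(m.group("index")), "name": m.group("name"),
             "owner": m.group("owner"), "address": int(m.group("addr"), 16)}
            for m in _HOOK_RE.finditer(report)]


def hidden_paths_by_directory(entries, depth=4):
    """Count hidden entries per parent directory, truncated to `depth` path
    components, so hundreds of files under one backup folder become one line."""
    counts = Counter()
    for path, _status in entries:
        parts = path.split("\\")
        counts["\\".join(parts[:-1][:depth])] += 1
    return counts


def hooks_by_owner(hooks):
    """Group hooked function names by the module RootRepeal attributed them to."""
    grouped = defaultdict(list)
    for hook in sorted(hooks, key=lambda h: h["index"]):
        grouped[hook["owner"]].append(hook["name"])
    return dict(grouped)


def summarize(report, expected_hidden_prefixes=("C:\\RRbackups\\",)):
    """Triage view of a report: hidden paths outside the expected prefixes and
    hooks with an unresolved ('<unknown>') owner are the items to follow up."""
    entries = parse_hidden_paths(report)
    hooks = parse_ssdt_hooks(report)
    expected = tuple(p.upper() for p in expected_hidden_prefixes)
    return {
        "hidden_by_dir": hidden_paths_by_directory(entries),
        "unexpected_hidden": [p for p, _ in entries if not p.upper().startswith(expected)],
        "hooks_by_owner": hooks_by_owner(hooks),
        "unresolved_hooks": [h for h in hooks if h["owner"] == "<unknown>"],
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for directory, count in summary["hidden_by_dir"].most_common():
        print(f"{count:4d} hidden entries under {directory}")
    for path in summary["unexpected_hidden"]:
        print(f"hidden outside expected folders: {path}")
    for owner, names in summary["hooks_by_owner"].items():
        print(f"{owner}: {len(names)} hook(s) ({', '.join(names)})")
    print(f"{len(summary['unresolved_hooks'])} hook(s) with unresolved owner")
```

To run it over a real report, replace SAMPLE_REPORT with the file contents (the log is plain text); the regular expressions only depend on the "Path:/Status:" and "#: nnn Function Name:/Status:" pairs, so the other sections of the report are ignored.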

#12 hjtcanyouhelpme

hjtcanyouhelpme
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 30 November 2009 - 12:43 AM

Malwarebytes' Anti-Malware 1.41
Database version: 3259
Windows 5.1.2600 Service Pack 3

11/30/2009 12:40:27 AM
mbam-log-2009-11-30 (00-40-27).txt

Scan type: Quick Scan
Objects scanned: 127186
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 hjtcanyouhelpme

hjtcanyouhelpme
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 30 November 2009 - 08:07 AM

After running MBAM and selecting to remove the 1 item MBAM found (something like Open Command), my computer is now not very usable.... task bar hidden, all services appear to be controlled by someone else.... NT User... web services are in a perpetual state of "stopping"... please help me regain control of my computer

#14 hjtcanyouhelpme

hjtcanyouhelpme
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 30 November 2009 - 08:09 AM

As my computer, which we are working to fix, is very disabled at this point, I am replying from a different computer.

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:34 AM

Posted 30 November 2009 - 12:19 PM

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension after the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech


Or you will need to run HJT/DDS.
Please follow this guide, go and do steps 6 thru 8: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.
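The backup advice in the post above (leave out autorun and .exe files, judge each file by its full name, scan everything before copying it back) can be applied mechanically before anything is restored onto the reinstalled machine. The script below is an added example for this thread, not a BleepingComputer tool or anything from the posts. The extension lists and the two verdict labels are this example's own choices; the post mentions autorun.ini, and the file Windows actually honours is autorun.inf, so both names are refused.

```python
"""Triage files from an old backup before they are copied onto a reinstalled
machine.  Added example for this thread, not a BleepingComputer tool.  It
applies the advice in the post: do not restore executables or autorun files,
and judge every file by its full name so that a document extension followed
by an executable one (report.pdf.exe) is not taken for a document.  The
extension lists and verdict labels are this example's own choices."""
import os

# Extensions Windows will execute or load as code.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                         ".dll", ".sys"}
# Extensions a disguised executable is typically dressed up as.
DOCUMENT_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc",
                       ".docx", ".xls", ".xlsx", ".ppt", ".txt", ".mp3", ".avi"}
# The post says autorun.ini; the file Windows honours is autorun.inf.  Refuse both.
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}


def classify(filename):
    """Return (verdict, reason) for one file name.  Verdicts are 'skip'
    (leave it out of the backup) or 'restore-after-scan' (copy it back only
    after the anti-virus has scanned it)."""
    # Accept Windows or POSIX separators so backup listings from either work.
    name = os.path.basename(filename.replace("\\", "/")).strip().lower()
    if name in AUTORUN_NAMES:
        return ("skip", "autorun file")
    stem, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTENSIONS:
        # Look at the extension before the real one.  Whitespace padding such
        # as "photo.jpg      .exe" is a common way to push .exe out of view in
        # Explorer, so trailing spaces on the stem are removed first.
        _, inner = os.path.splitext(stem.rstrip())
        if inner in DOCUMENT_EXTENSIONS:
            return ("skip", f"executable disguised as {inner} file")
        return ("skip", "executable")
    return ("restore-after-scan", "data file")


def triage_paths(paths):
    """Classify an iterable of paths; returns {verdict: [(path, reason), ...]}."""
    result = {"skip": [], "restore-after-scan": []}
    for path in paths:
        verdict, reason = classify(path)
        result[verdict].append((path, reason))
    return result


def triage_directory(root):
    """Walk a backup tree on disk and triage every file in it."""
    paths = [os.path.join(dirpath, fname)
             for dirpath, _dirs, files in os.walk(root) for fname in files]
    return triage_paths(sorted(paths))


if __name__ == "__main__":
    import sys
    report = triage_directory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, reason in report["skip"]:
        print(f"SKIP    {path}  ({reason})")
    print(f"{len(report['restore-after-scan'])} file(s) to scan and restore, "
          f"{len(report['skip'])} left out")
```

Run it against the root of the backup copy (for example the external drive it was saved to) and review the SKIP lines before restoring; the files in the other list still go through the anti-virus scan the post asks for, the script only decides what is not worth copying at all.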



