virus/spyware/trojan

Post by cman on Sun 17 Apr 2011, 9:49 am

Hi, I need help. All anti-spyware/malware tools I try to run fail to execute. The only thing I could get to run is this RootRepeal report:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2011/04/16 18:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED007000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AD6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: pcxfbmvh.sys
Image Path: pcxfbmvh.sys
Address: 0xF7592000 Size: 61440 File Visible: No Signed: -
Status: -

Name: PROCEXP141.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP141.SYS
Address: 0xF786A000 Size: 17280 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7521000 Size: 49152 File Visible: No Signed: -
Status: -

Name: vbma3ba1.SYS
Image Path: C:\WINDOWS\System32\Drivers\vbma3ba1.SYS
Address: 0x86E24000 Size: 55808 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_44c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\techg\application data\t-mobile\webconnect manager\diagnostics.txt
Status: Size mismatch (API: 215818, Raw: 214149)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "" at address 0x86d089f0

#: 013 Function Name: NtAlertThread
Status: Hooked by "" at address 0x86d08ab0

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "" at address 0x86d16cf0

#: 031 Function Name: NtConnectPort
Status: Hooked by "" at address 0x86d0b9d0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xedc01020

#: 043 Function Name: NtCreateMutant
Status: Hooked by "" at address 0x86d084e8

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0x87132510

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xedc012a0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xedc01800

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "" at address 0x870f3f80

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "" at address 0x86d085b8

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "" at address 0x86d08930

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "" at address 0x870e1a10

#: 114 Function Name: NtOpenEvent
Status: Hooked by "" at address 0x870f4c18

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "" at address 0x870dcce0

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "" at address 0x86ccfc18

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "" at address 0x870f4b48

#: 206 Function Name: NtResumeThread
Status: Hooked by "" at address 0x86d17798

#: 213 Function Name: NtSetContextThread
Status: Hooked by "" at address 0x8711bb20

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "" at address 0x86ccfce8

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "" at address 0x8711ba50

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xedc01a50

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "" at address 0x87128558

#: 254 Function Name: NtSuspendThread
Status: Hooked by "" at address 0x8711b3a0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0x86d093d0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "" at address 0x8711b460

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "" at address 0x86d16ba0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0x86d16c20

Stealth Objects
-------------------
Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_READ]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_WRITE]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_QUERY_EA]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_SET_EA]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_CLEANUP]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_POWER]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86e26109 Size: 3160

Object: Hidden Code [Driver: vbma3ba1Ѕ扏煓Ёః瑎て, IRP_MJ_PNP]
Process: System Address: 0x86e26109 Size: 3160

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcrnoxvivmsnfuxbtentxqbakbijbumote.sys

Service Name: vbma3ba1
Image Path: C:\WINDOWS\system32\drivers\vbma3ba1.sys

==EOF==

Looking forward to your help.

cman