Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Hijack.NoFolderOption System Infected HELP


  • This topic is locked This topic is locked

#31
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,002 posts
  • MVP
Download, Save and Right click on unhide.exe and Run As Administrator from

http://download.blee...nler/unhide.exe
  • 0

Advertisements


#32
Jayli

Jayli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Yep. I already ran it. After running as Admin, another pop up window has the following error. "There was a problem retrieving a necessary environment variable. Unhide has terminated".

Inside the CMD window it says " appdata doesn't exist! Unhide Terminated!". Pls advise. Thanks.
  • 0

#33
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,002 posts
  • MVP
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:



set  appdata

It should say:

APPDATA=C:\Users\JayLi\AppData\Roaming

Does it?

If not I think it is set in the registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Then look for AppData in the right pane.
  • 0

#34
Jayli

Jayli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Thanks Ron.

It says Environment variable appdata not defined. Its not in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders. Mine reads.....Explorer\SessionInfo\1\ with 4 subfolders including the file RunStuffHasBeenRun. *** I've been researching the hidden folder problem and people are saying the files are being hidden in a TEMP folder with the folder numbers 1, 2, 3, 4 . Could this be the folder??

Ron. Some good news I think. Doing more research, I found a program on Cnet called "Pandora Recovery". I downloaded and ran the program. I can see my old deleted files....lots of them. I think some of them are hidden because they are lighter in color than the other files. I see the user profiles, with appdata, System Volume Information, Program Files, Windows etc. Some are dated 2009. I'm going to send a screen shot. Perhaps we can do something with this, but somehow I still think I have a virus. Yea!!! I love progress. Thanks.

Attached Thumbnails

  • PandoraScreenShotJpg.jpg

  • 0

#35
Jayli

Jayli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Hello Ron. I know you're busy putting out real fires. Any idea how we could proceed with the new discovery I mentioned in the last post? I've been trying to do research on my own, but this is way above my head. Thanks
  • 0

#36
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,002 posts
  • MVP
Open (My) Computer, right click on the C:\ drive and select Properties then Security. Then Advanced. Make sure Administrators is highlighted then Change Permissions Click on Replace all Child Object Permissions... Highlight Administrators again and Edit. Under Allow, click Full Control and then OK. It should take it several minutes to finish as it much go down through the whole drive to make the changes. This should unhide everything. It won't bring back your links if they were moved to %temp%\smtmp\1 through 4 but you should be able to see if they are still there. Open a Command window and type

cd %temp%

then do

dir
  • 0

#37
Jayli

Jayli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Thanks Ron. I took all of the steps you recommended. At the final step, after highlighting Administrators, Full control (all boxes) was already checked. I hit OK, then went back to the previous screen and hit apply, then OK. I got a few Security warnings which I checked YES. The process started, then almost immediately stopped with the Error message "Error Applying Security" C:\hiberfil.sys "The process cannot access the file because it is being used by another process". Thanks for your help.

*****Edit ***** Research shows that's the file for hibernate. I've disabled it and will proceed. Will advise. ******

Edited by Jayli, 05 October 2012 - 10:18 PM.

  • 0

#38
Jayli

Jayli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Ok Ron I ran the process. There were alot of files that stated Access Denied. Some were aswBoot.exe, aswFsBlk.sys....most had asw in the beginning of the file name. I then went to CMD as Administrator, did the %temp% as state and it brought up files. Most were from Oct 3 - now.

I went to Control panel in order to SHOW Hidden files, clicked the radio button then clicked OK. Went right back and it reverted right back to Don't Show Hidden files.

As stated, I've been doing some research. Found this on Toms Hardware. It's supposed to fix the SHOW Hidden files problem. What do you think? Thanks.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Text"="@shell32.dll,-30499"
"Type"="group"
"Bitmap"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,\
00
"HelpID"="shell.hlp#51131"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
  • 0

#39
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,002 posts
  • MVP
You can try the registry bits. Don't think it will work because there is so much missing from your registry but who knows. Shouldn't hurt anything.
  • 0

#40
Jayli

Jayli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
You're correct Ron. Didn't work. Oh, and I was looking at the registry and found alot of AVG antivirus folders. I uninstalled AVG already w Revo Uninstaller. It never worked right on this system. There are so many files left in the registry. Is this normal? Could AVG still be messing with my computer? Thanks.
  • 0

Advertisements


#41
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,002 posts
  • MVP
Download and save the AVG removal tool
http://download.avg....6_2011_1184.exe
right click on the tool and Run as Admin
  • 0

#42
Jayli

Jayli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Thanks Ron. Ran that file and guess it's pretty much gone. Still see some AVG drivers, etc in the registry, but on to the next thing. Ran GMER again. When the GMER program is up, it looks like I can see the hidden files like the C:\Users\Jayli\AppData\Local file, which cannot be found normally when using the CMD or search function(s). Here's the GMER log and will attach a couple of screen shots from GMER. On the GMER Rootkit Tab, there are 4 Text files with no Name and no Value. Nothing was flagged as a virus, so I don't know if this will help or not. Thanks again.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-06 14:53:32
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 FUJITSU_MHZ2080BH_G2 rev.00000009
Running: nzxb917n.exe; Driver: C:\Windows\TEMP\fgdcyuog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8307A579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8309EF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 214 830A6714 4 Bytes [08, F7, 84, 8D]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 830A673C 4 Bytes [C8, 67, 89, 8E] {ENTER 0x8967, 0x8e}
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 830A679C 4 Bytes [1C, 01, 85, 8D]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F0 830A67F0 8 Bytes [28, AF, 85, 8D, 74, AF, 85, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 2FC 830A67FC 4 Bytes [F6, B0, 85, 8D]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\SAiDownloaderVista.exe[432] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Program Files\SignWarehouse\Vinyl Express LXi\Program\SAiDownloaderVistaUI.exe[500] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\csrss.exe[504] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\wininit.exe[544] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\csrss.exe[564] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text ...
.text C:\Windows\system32\Dwm.exe[976] ntdll.dll!LdrUnloadDll 77A0BE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\Dwm.exe[976] ntdll.dll!LdrLoadDll 77A0F585 5 Bytes JMP 000601F8
.text C:\Windows\system32\Dwm.exe[976] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[976] USER32.dll!UnhookWindowsHookEx 761DCC7B 5 Bytes JMP 000F0A08
.text C:\Windows\system32\Dwm.exe[976] USER32.dll!UnhookWinEvent 761DD924 5 Bytes JMP 000F03FC
.text C:\Windows\system32\Dwm.exe[976] USER32.dll!SetWindowsHookExW 761E210A 5 Bytes JMP 000F0804
.text C:\Windows\system32\Dwm.exe[976] USER32.dll!SetWinEventHook 761E507E 5 Bytes JMP 000F01F8
.text C:\Windows\system32\Dwm.exe[976] USER32.dll!SetWindowsHookExA 76206DFA 5 Bytes JMP 000F0600
.text C:\Windows\System32\svchost.exe[1016] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1044] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\WUDFHost.exe[1308] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text ...
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1756] kernel32.dll!SetUnhandledExceptionFilter 764C3142 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1756] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1784] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1924] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1960] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2004] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text ...
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] ntdll.dll!LdrUnloadDll 77A0BE7F 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] ntdll.dll!LdrLoadDll 77A0F585 5 Bytes JMP 001701F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!UnhookWindowsHookEx 761DCC7B 5 Bytes JMP 00210A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!UnhookWinEvent 761DD924 5 Bytes JMP 002103FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!SetWindowsHookExW 761E210A 5 Bytes JMP 00210804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!SetWinEventHook 761E507E 5 Bytes JMP 002101F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!SetWindowsHookExA 76206DFA 5 Bytes JMP 00210600
.text C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe[2172] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2208] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\sppsvc.exe[2276] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2904] ntdll.dll!LdrUnloadDll 77A0BE7F 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2904] ntdll.dll!LdrLoadDll 77A0F585 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2904] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2904] USER32.dll!UnhookWindowsHookEx 761DCC7B 5 Bytes JMP 000D0A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2904] USER32.dll!UnhookWinEvent 761DD924 5 Bytes JMP 000D03FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2904] USER32.dll!SetWindowsHookExW 761E210A 5 Bytes JMP 000D0804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2904] USER32.dll!SetWinEventHook 761E507E 5 Bytes JMP 000D01F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2904] USER32.dll!SetWindowsHookExA 76206DFA 5 Bytes JMP 000D0600
.text C:\Windows\Explorer.EXE[2944] ntdll.dll!LdrUnloadDll 77A0BE7F 5 Bytes JMP 000603FC
.text C:\Windows\Explorer.EXE[2944] ntdll.dll!LdrLoadDll 77A0F585 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[2944] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\Explorer.EXE[2944] USER32.dll!UnhookWindowsHookEx 761DCC7B 5 Bytes JMP 00150A08
.text C:\Windows\Explorer.EXE[2944] USER32.dll!UnhookWinEvent 761DD924 5 Bytes JMP 001503FC
.text C:\Windows\Explorer.EXE[2944] USER32.dll!SetWindowsHookExW 761E210A 5 Bytes JMP 00150804
.text C:\Windows\Explorer.EXE[2944] USER32.dll!SetWinEventHook 761E507E 5 Bytes JMP 001501F8
.text C:\Windows\Explorer.EXE[2944] USER32.dll!SetWindowsHookExA 76206DFA 5 Bytes JMP 00150600
.text C:\Windows\system32\svchost.exe[3180] ntdll.dll!LdrUnloadDll 77A0BE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[3180] ntdll.dll!LdrLoadDll 77A0F585 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[3180] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[3348] ntdll.dll!LdrUnloadDll 77A0BE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[3348] ntdll.dll!LdrLoadDll 77A0F585 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[3348] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[3348] USER32.dll!UnhookWindowsHookEx 761DCC7B 5 Bytes JMP 00290A08
.text C:\Windows\system32\svchost.exe[3348] USER32.dll!UnhookWinEvent 761DD924 5 Bytes JMP 002903FC
.text C:\Windows\system32\svchost.exe[3348] USER32.dll!SetWindowsHookExW 761E210A 5 Bytes JMP 00290804
.text C:\Windows\system32\svchost.exe[3348] USER32.dll!SetWinEventHook 761E507E 5 Bytes JMP 002901F8
.text C:\Windows\system32\svchost.exe[3348] USER32.dll!SetWindowsHookExA 76206DFA 5 Bytes JMP 00290600
.text C:\Users\JayLi\Desktop\nzxb917n.exe[3552] ntdll.dll!LdrUnloadDll 77A0BE7F 5 Bytes JMP 001603FC
.text C:\Users\JayLi\Desktop\nzxb917n.exe[3552] ntdll.dll!LdrLoadDll 77A0F585 5 Bytes JMP 001601F8
.text C:\Users\JayLi\Desktop\nzxb917n.exe[3552] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Users\JayLi\Desktop\nzxb917n.exe[3552] USER32.dll!UnhookWindowsHookEx 761DCC7B 5 Bytes JMP 00220A08
.text C:\Users\JayLi\Desktop\nzxb917n.exe[3552] USER32.dll!UnhookWinEvent 761DD924 5 Bytes JMP 002203FC
.text C:\Users\JayLi\Desktop\nzxb917n.exe[3552] USER32.dll!SetWindowsHookExW 761E210A 5 Bytes JMP 00220804
.text C:\Users\JayLi\Desktop\nzxb917n.exe[3552] USER32.dll!SetWinEventHook 761E507E 5 Bytes JMP 002201F8
.text C:\Users\JayLi\Desktop\nzxb917n.exe[3552] USER32.dll!SetWindowsHookExA 76206DFA 5 Bytes JMP 00220600
.text C:\Windows\system32\SearchIndexer.exe[3584] ntdll.dll!LdrUnloadDll 77A0BE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\SearchIndexer.exe[3584] ntdll.dll!LdrLoadDll 77A0F585 5 Bytes JMP 000601F8
.text C:\Windows\system32\SearchIndexer.exe[3584] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3584] USER32.dll!UnhookWindowsHookEx 761DCC7B 5 Bytes JMP 00100A08
.text C:\Windows\system32\SearchIndexer.exe[3584] USER32.dll!UnhookWinEvent 761DD924 5 Bytes JMP 001003FC
.text C:\Windows\system32\SearchIndexer.exe[3584] USER32.dll!SetWindowsHookExW 761E210A 5 Bytes JMP 00100804
.text C:\Windows\system32\SearchIndexer.exe[3584] USER32.dll!SetWinEventHook 761E507E 5 Bytes JMP 001001F8
.text C:\Windows\system32\SearchIndexer.exe[3584] USER32.dll!SetWindowsHookExA 76206DFA 5 Bytes JMP 00100600
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3968] ntdll.dll!LdrUnloadDll 77A0BE7F 5 Bytes JMP 001603FC
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3968] ntdll.dll!LdrLoadDll 77A0F585 5 Bytes JMP 001601F8
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3968] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3968] USER32.dll!UnhookWindowsHookEx 761DCC7B 5 Bytes JMP 00210A08
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3968] USER32.dll!UnhookWinEvent 761DD924 5 Bytes JMP 002103FC
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3968] USER32.dll!SetWindowsHookExW 761E210A 5 Bytes JMP 00210804
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3968] USER32.dll!SetWinEventHook 761E507E 5 Bytes JMP 002101F8
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3968] USER32.dll!SetWindowsHookExA 76206DFA 5 Bytes JMP 00210600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3992] kernel32.dll!GetBinaryTypeW + 70 764D7964 1 Byte [62]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E8AE966]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \Driver\BTHUSB \Device\00000073 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000075 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8323FF59 5 Bytes JMP 8E8AB806 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 83259C5F 5 Bytes JMP 8E8AD338 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 832A40EA 4 Bytes CALL 8D851B07 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 832AC1C5 4 Bytes CALL 8D851B1D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 83311E52 7 Bytes JMP 8E8AE96A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001a6bf9aff0 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6bf9aff0
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001a6bf9aff0 (not active ControlSet)
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\[email protected] 0x00 0x9F 0xA0 0x38 ...

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8D84F708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8E8967C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8D85011C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8D85AF28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8D85AF74]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8D85B0F6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8D85AE96]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8E896BBA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8D85AEDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8D850310]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8D850498]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8D85B0B0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8D850A9C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8D84F756]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8E8968AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8D84F3BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8D84F7A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8D854456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8D851464]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8D85AF52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8D85AF96]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8D85B11A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8D85AEBC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8D85B03A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8D85AF06]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8D85B0D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8E896A2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8D851330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x8D85106C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8D84F7F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8D84F840]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8D85091C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8D84F448]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8D84F5F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8D84F59E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8D850BFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8D850D5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8D84F668]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8E896AF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8D850794]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8D84F88E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8E896962]

---- EOF - GMER 1.0.15 ----

Attached Thumbnails

  • GMERScreenShopt10062012.jpg
  • GMERScreenShopt10062012a.jpg

  • 0

#43
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,002 posts
  • MVP
attrib -r -s -h \users\JayLi /s /d


Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Right click and Paste or Edit then Paste and the copied line should appear. Hit Enter.

If this works it should go through all of the file and folders below \users\jayli and make them visible.
  • 0

#44
Jayli

Jayli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
It did not help the Jayli folder, but I do see the Public folder with info. Users Public Appdata Local Temp. Had to reinstall Malwarebytes, b/c of a flaw in their Trial period. Just ran it again and it didn't find any malware. I did notice that it didn't scan P2P. I think it said the malwarebytes disabled it. The scan took almost 2 hours this time. I've noticed that space is being used quickly on my HD. When I started this post, I'm almost sure I had about 20 gigs free space. Now it's about 13 or so. Oh yeah, while using the GMER, I saw a lot of Shadow copy files...numbered as high as 31. I've been searching through the old posts here to see if anyone had or has similar pc symptoms. Oh well, here's the malwarebytes log. Thanks again.

Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.06.05

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
JayLi :: LISETTEMILLER [administrator]

Protection: Enabled

10/6/2012 5:43:14 PM
mbam-log-2012-10-06 (17-43-14).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 477663
Time elapsed: 1 hour(s), 53 minute(s), 5 second(s)


Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
  • 0

#45
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,002 posts
  • MVP
cd \users\JayLi

dir /ah /s > \junk.txt


This should put a list of all of the hidden files into C:\junk.txt

Attach the file to your next post.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP