vitin
2010-06-13, 09:05
Thank you for your patience.
Previous answer in thread: Somthing is still going on...
http://forums.spybot.info/showthread.php?t=57596
You are correct: this scanner is not as hard on me as GMER.
RootRepeal.txt log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/13 07:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB62DE000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA62A000 Size: 8192 File Visible: No Signed: -
Status: -
Name: PCI_PNP1136
Image Path: \Driver\PCI_PNP1136
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB22A5000 Size: 49152 File Visible: No Signed: -
Status: -
Name: spry.sys
Image Path: spry.sys
Address: 0xB9EB4000 Size: 995328 File Visible: No Signed: -
Status: -
Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: XDva349.sys
Image Path: C:\WINDOWS\system32\XDva349.sys
Address: 0xB3AC2000 Size: 65920 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba7d553e
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7d5534
#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba7d5543
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba7d554d
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spry.sys" at address 0xb9ecdda4
#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spry.sys" at address 0xb9ece132
#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba7d5552
#: 119 Function Name: NtOpenKey
Status: Hooked by "spry.sys" at address 0xb9eb50c0
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba7d5525
#: 160 Function Name: NtQueryKey
Status: Hooked by "spry.sys" at address 0xb9ece20a
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spry.sys" at address 0xb9ece08a
#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba7d555c
#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba7d5557
#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba7d5548
==EOF==