
to KEN545: RootRepeal.txt: continued: Something is still going on...



vitin
2010-06-29, 02:12
I am repeating my answer in this thread, because my post dated 13/06/2010 did not receive an answer.

Previous answer in thread: Something is still going on...
http://forums.spybot.info/showthread.php?t=57596

You are correct: this scanner is not as hard on me as GMER.


RootRepeal.txt log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/13 07:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB62DE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA62A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP1136
Image Path: \Driver\PCI_PNP1136
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB22A5000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spry.sys
Image Path: spry.sys
Address: 0xB9EB4000 Size: 995328 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: XDva349.sys
Image Path: C:\WINDOWS\system32\XDva349.sys
Address: 0xB3AC2000 Size: 65920 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba7d553e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7d5534

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba7d5543

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba7d554d

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spry.sys" at address 0xb9ecdda4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spry.sys" at address 0xb9ece132

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba7d5552

#: 119 Function Name: NtOpenKey
Status: Hooked by "spry.sys" at address 0xb9eb50c0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba7d5525

#: 160 Function Name: NtQueryKey
Status: Hooked by "spry.sys" at address 0xb9ece20a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spry.sys" at address 0xb9ece08a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba7d555c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba7d5557

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba7d5548

==EOF==
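As an added triage helper (not part of this thread and not RootRepeal's own code), the Python below parses the Drivers and SSDT sections of a RootRepeal log in the format posted above, groups each hook by the module RootRepeal attributed it to, flags hooks whose owner came back as "<unknown>", and checks whether each hook address actually falls inside the load range of a listed driver. The embedded log excerpt is constructed from the format above and is not the full log.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal log format posted above (not the full log).
SAMPLE_LOG = """\
Drivers
-------------------
Name: spry.sys
Image Path: spry.sys
Address: 0xB9EB4000 Size: 995328 File Visible: No Signed: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba7d553e
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spry.sys" at address 0xb9ecdda4
#: 119 Function Name: NtOpenKey
Status: Hooked by "spry.sys" at address 0xb9eb50c0
"""

DRIVER_RE = re.compile(r"^Name: (?P<name>.+)\nImage Path: (?P<path>.+)\n"
                       r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)", re.M)
HOOK_RE = re.compile(r'^#: \d+ Function Name: (?P<func>\w+)\n'
                     r'Status: Hooked by "(?P<owner>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)', re.M)

def parse_drivers(text):
    # {lowercased driver name: (image path, load base, load end)} from the Drivers section
    out = {}
    for m in DRIVER_RE.finditer(text):
        base = int(m["addr"], 16)
        out[m["name"].lower()] = (m["path"], base, base + int(m["size"]))
    return out

def triage(text):
    """Group SSDT hooks by the module RootRepeal attributes them to; record whether the owner
    was resolved, whether its Image Path is a full path, and which listed driver holds each hook."""
    drivers = parse_drivers(text)
    report = defaultdict(lambda: {"functions": [], "containing_modules": set()})
    for m in HOOK_RE.finditer(text):
        addr = int(m["addr"], 16)
        # Listed driver whose [base, end) load range covers the hook address, if any
        holder = next((n for n, (_, b, e) in drivers.items() if b <= addr < e), None)
        report[m["owner"]]["functions"].append(m["func"])
        report[m["owner"]]["containing_modules"].add(holder or "<none listed>")
    for owner, entry in report.items():
        entry["owner_resolved"] = owner != "<unknown>"
        entry["full_image_path"] = "\\" in drivers.get(owner.lower(), ("", 0, 0))[0]
        entry["containing_modules"] = sorted(entry["containing_modules"])
    return dict(report)
```

Hooks whose owner is "<unknown>" and whose address lies outside every listed driver are the entries a helper would want to look at first; a hook that is attributed to a driver and also sits inside that driver's own load range is at least internally consistent.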

ken545
2010-07-03, 05:09
Hello Vitin,

Just so you know, the way the forum works is that if there is no reply from you in 4 days, then the thread is archived.

Let's start from the beginning and post an RSIT log please. Make sure you're connected to the internet when you download and run this program.

Random System Information Tool
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

ken545
2010-07-08, 11:19
Due to inactivity, this thread will now be closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.