-
to KEN545: RootRepeal.txt: continu: Somthing is still going on...
I repeat my answer in this thread. This because my post dd 13/06/2010 missed an answer.
Previous answer in thread: Somthing is still going on...
http://forums.spybot.info/showthread.php?t=57596
You are correct: this scanner is not as hard on me as GMER.
RootRepeal.txt log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/13 07:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB62DE000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA62A000 Size: 8192 File Visible: No Signed: -
Status: -
Name: PCI_PNP1136
Image Path: \Driver\PCI_PNP1136
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB22A5000 Size: 49152 File Visible: No Signed: -
Status: -
Name: spry.sys
Image Path: spry.sys
Address: 0xB9EB4000 Size: 995328 File Visible: No Signed: -
Status: -
Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: XDva349.sys
Image Path: C:\WINDOWS\system32\XDva349.sys
Address: 0xB3AC2000 Size: 65920 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba7d553e
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7d5534
#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba7d5543
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba7d554d
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spry.sys" at address 0xb9ecdda4
#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spry.sys" at address 0xb9ece132
#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba7d5552
#: 119 Function Name: NtOpenKey
Status: Hooked by "spry.sys" at address 0xb9eb50c0
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba7d5525
#: 160 Function Name: NtQueryKey
Status: Hooked by "spry.sys" at address 0xb9ece20a
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spry.sys" at address 0xb9ece08a
#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba7d555c
#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba7d5557
#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba7d5548
==EOF==
-
Hello Vitin,
Just so you know the way the forum works is that if there is no reply by you in 4 days than the thread is archived.
Lets start from the beginning and post a RSIT log please. Make sure your connected to the internet when you download and run this program
Random System Information Tool
- Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
- Double click on RSIT.exe to run RSIT.
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
-
Due to inactivity, this thread will now be closed.
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules