
Thread: to KEN545: RootRepeal.txt: continu: Somthing is still going on...

  1. #1
    Member
    Join Date
    Apr 2010
    Posts
    32

    I repeat my answer in this thread. This is because my post dated 13/06/2010 missed an answer.

    Previous answer in thread: Somthing is still going on...
    http://forums.spybot.info/showthread.php?t=57596

    You are correct: this scanner is not as hard on me as GMER.


    RootRepeal.txt log:

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/06/13 07:52
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xB62DE000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xBA62A000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: PCI_PNP1136
    Image Path: \Driver\PCI_PNP1136
    Address: 0x00000000 Size: 0 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB22A5000 Size: 49152 File Visible: No Signed: -
    Status: -

    Name: spry.sys
    Image Path: spry.sys
    Address: 0xB9EB4000 Size: 995328 File Visible: No Signed: -
    Status: -

    Name: sptd
    Image Path: \Driver\sptd
    Address: 0x00000000 Size: 0 File Visible: No Signed: -
    Status: -

    Name: XDva349.sys
    Image Path: C:\WINDOWS\system32\XDva349.sys
    Address: 0xB3AC2000 Size: 65920 File Visible: No Signed: -
    Status: -

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "<unknown>" at address 0xba7d553e

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0xba7d5534

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "<unknown>" at address 0xba7d5543

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "<unknown>" at address 0xba7d554d

    #: 071 Function Name: NtEnumerateKey
    Status: Hooked by "spry.sys" at address 0xb9ecdda4

    #: 073 Function Name: NtEnumerateValueKey
    Status: Hooked by "spry.sys" at address 0xb9ece132

    #: 098 Function Name: NtLoadKey
    Status: Hooked by "<unknown>" at address 0xba7d5552

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "spry.sys" at address 0xb9eb50c0

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "<unknown>" at address 0xba7d5525

    #: 160 Function Name: NtQueryKey
    Status: Hooked by "spry.sys" at address 0xb9ece20a

    #: 177 Function Name: NtQueryValueKey
    Status: Hooked by "spry.sys" at address 0xb9ece08a

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "<unknown>" at address 0xba7d555c

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "<unknown>" at address 0xba7d5557

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "<unknown>" at address 0xba7d5548

    ==EOF==

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Hello Vitin,

    Just so you know, the way the forum works is that if there is no reply by you in 4 days, then the thread is archived.

    Let's start from the beginning and post a RSIT log please. Make sure you're connected to the internet when you download and run this program.

    Random System Information Tool
    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Due to inactivity, this thread will now be closed.

    If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.