
WIN32.TDSS.rtk Infection


18 replies to this topic

#1 monitorlizard


Posted 20 May 2009 - 06:50 AM

Hi all

I recently ran Ad-aware and Spybot scans on my PC as I suspected I had probably picked up something nasty. Spybot reported 80 problems, 79 of which it managed to fix. However, it reported that a Trojan WIN32.TDSS.rtk was also present but Spybot was unable to remove it.

From what I have read, this is a particularly difficult infection to eradicate, and I would very much appreciate any help that you are able to give in dealing with it.

Problems that are manifesting themselves at present are that Firefox has been completely disabled and Internet Explorer is unable to fully access some of the websites that I normally visit. In addition when the mouse is hovered over any text in Internet Explorer, the writing that appears is in Chinese. With many of the toolbar buttons in Internet Explorer, the descriptive text is in Chinese.

I had downloaded "ComboFix" but have not yet used it, as per your advice.

For your information, my OS is Windows XP Media Center Edition, Version 2002, Service Pack 2.

I would be grateful for any assistance that you may be able to offer.



#2 rigel


Posted 20 May 2009 - 08:23 AM

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
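Once RootRepeal.txt has been saved, the report still has to be read. As an added example (not from the thread and not part of RootRepeal), the Python below parses the report layout the tool writes, splits it into its sections, and flags SSDT entries hooked by a module RootRepeal cannot name as well as drivers with no visible file, while suppressing the dump_* and rootrepeal.sys entries that are invisible by design. The sample report is constructed from trimmed entries in the tool's layout; the list of expected-invisible drivers is this example's own assumption.

```python
import re

# Constructed sample in the layout RootRepeal 1.2.3.0 writes; the entries are
# trimmed from the thread's own logs, not a complete capture.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/21 12:21
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA989000 Size: 98304 File Visible: No
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF74A6000 Size: 95360 File Visible: -
Status: -

SSDT
-------------------
#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7c8bd8c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7c8bd78
"""

# A key is '#' or a capitalised phrase before ': '; several keys can share a line.
KEY = re.compile(r"(?:^|(?<=\s))(#|[A-Z][A-Za-z/ ]*?): ")
RULE = re.compile(r"-{5,}")

def parse_fields(line):
    """Split one line into its 'Key: value' pairs; a value runs up to the next key."""
    keys = list(KEY.finditer(line))
    fields = {}
    for key, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        fields[key.group(1)] = line[key.end():end].strip()
    return fields

def parse_report(text):
    """Return (header_fields, {section: [record, ...]}). A section title sits
    directly above a dashed rule; records are separated by blank lines."""
    lines = text.splitlines()
    header, sections, section, record = {}, {}, None, {}
    for i, line in enumerate(lines):
        stripped = line.strip()
        if RULE.fullmatch(stripped) and i > 0:
            section, record = lines[i - 1].strip(), {}
            sections[section] = []
        elif i + 1 < len(lines) and RULE.fullmatch(lines[i + 1].strip()):
            pass  # section title; picked up when the rule below it is reached
        elif not stripped:
            if record:
                sections[section].append(record)
                record = {}
        elif section is None:
            header.update(parse_fields(line))
        else:
            record.update(parse_fields(line))
    if record:
        sections[section].append(record)
    return header, sections

HOOK = re.compile(r'Hooked by "(.*?)" at address (0x[0-9a-fA-F]+)')
# Assumed benign: never backed by a file of that name, so "File Visible: No" is
# expected for the crash-dump copies of the boot storage stack (dump_*) and for
# RootRepeal's own driver.
EXPECTED_INVISIBLE = ("dump_", "rootrepeal.sys")

def triage(sections):
    """Collect the findings a helper reads the report for."""
    findings = []
    for rec in sections.get("SSDT", []):
        m = HOOK.search(rec.get("Status", ""))
        if m:  # "<unknown>": the handler lies in no driver RootRepeal could name
            findings.append(("ssdt_hook", rec["Function Name"], m.group(1), int(m.group(2), 16)))
    for rec in sections.get("Drivers", []):
        if rec.get("File Visible") == "No" and not rec["Name"].lower().startswith(EXPECTED_INVISIBLE):
            findings.append(("hidden_driver", rec["Name"], rec["Image Path"], rec["Address"]))
    return findings

def hook_clusters(findings):
    """Group SSDT hooks by module with the span of their handler addresses: hooks
    whose handlers sit a few bytes apart in one unnamed module are one hidden driver."""
    clusters = {}
    for _kind, func, module, addr in (f for f in findings if f[0] == "ssdt_hook"):
        c = clusters.setdefault(module, {"functions": [], "lo": addr, "hi": addr})
        c["functions"].append(func)
        c["lo"], c["hi"] = min(c["lo"], addr), max(c["hi"], addr)
    return clusters
```

Run `triage(parse_report(open("RootRepeal.txt").read())[1])` on a saved report; hooks attributed to a named, known driver (an antivirus, for instance) need a different reading than a cluster attributed to `<unknown>`.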


#3 monitorlizard


Posted 20 May 2009 - 09:37 AM

Hi Rigel

Many thanks for the reply. I have downloaded RootRepeal and done a scan. I have also copied and pasted the report below, having named it RootRepeal.txt, as instructed.

After you have had a chance to inspect the report, I will be grateful to hear further from you.



ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/20 15:21
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\WINDOWS\system32\slserv.exe
PID: 156 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 208 Status: -

Path: C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PID: 264 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 532 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 632 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 688 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 720 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 764 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 776 Status: -

Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 956 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 972 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1032 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1128 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1292 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1324 Status: -

Path: C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PID: 1384 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1580 Status: -

Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
PID: 1624 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1788 Status: -

Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
PID: 1836 Status: -

Path: C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PID: 1848 Status: -

Path: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1860 Status: -

Path: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1892 Status: -

Path: C:\WINDOWS\ehome\ehRecvr.exe
PID: 1960 Status: -

Path: C:\WINDOWS\ehome\ehSched.exe
PID: 1976 Status: -

Path: C:\Program Files\Kontiki\KService.exe
PID: 2008 Status: -

Path: C:\WINDOWS\system32\dllhost.exe
PID: 2128 Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 2172 Status: -

Path: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 2324 Status: -

Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 2988 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 3004 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 3120 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 3140 Status: -

Path: C:\WINDOWS\ehome\ehtray.exe
PID: 3628 Status: -

Path: C:\WINDOWS\RTHDCPL.EXE
PID: 3644 Status: -

Path: C:\WINDOWS\ehome\ehmsas.exe
PID: 3696 Status: -

Path: D:\Documents and Settings\GRAHAM lovell\Desktop\RootRepeal\RootRepeal.exe
PID: 3728 Status: -

Path: C:\Program Files\Messenger\msmsgs.exe
PID: 3756 Status: -

Path: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 3772 Status: -

Path: C:\Program Files\QuickTime\QTTask.exe
PID: 3784 Status: -

Path: C:\Program Files\Kontiki\KHost.exe
PID: 3816 Status: -

Path: C:\Program Files\DNA\btdna.exe
PID: 3848 Status: -

Path: C:\Program Files\Outlook Express\msimn.exe
PID: 3860 Status: -

Path: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
PID: 3928 Status: -

Path: C:\Program Files\Steam\Steam.exe
PID: 3960 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 3976 Status: -

Path: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 3992 Status: -

Path: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 4004 Status: -

#4 rigel

  • Local time:07:48 PM

Posted 20 May 2009 - 01:58 PM

Can you post the list of Files and Drivers that it is picking up. The processes help, but I am really looking for the files. Thanks!



#5 monitorlizard

  • Local time:06:48 PM

Posted 21 May 2009 - 06:46 AM

Hi Rigel

Thanks for your reply.

Sorry about the incomplete information last time. This was caused by me inadvertently clicking the Processes tab rather than the Report tab.

I have appended below the contents of the 'Report' tab log. However, to my untrained eye there does not seem to be much information in this, even though I made sure that I checked all the items that you asked me to. So I took the liberty of performing an individual scan for each of the tabs in RootRepeal, and have named the log files individually, and saved them to my Desktop. I have copied and pasted their results below. However, RootRepeal was unable to produce a log file for a scan on the 'Files' tab, as RootRepeal kept crashing part-way through the scan. I tried four times, but it crashed on each occasion. I have appended below the crash report logs for these crashes, in case they are of any use to you.



ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/21 12:21
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA989000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BBB000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7691000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7c8bd8c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7c8bd78

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7c8bd7d

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7c8bd87

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xf7c8bd82




ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/21 11:25
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 012 Function Name: NtAlertResumeThread
Status: Not hooked

#: 013 Function Name: NtAlertThread
Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016 Function Name: NtAllocateUuids
Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 020 Function Name: NtCallbackReturn
Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

#: 022 Function Name: NtCancelIoFile
Status: Not hooked

#: 023 Function Name: NtCancelTimer
Status: Not hooked

#: 024 Function Name: NtClearEvent
Status: Not hooked

#: 025 Function Name: NtClose
Status: Not hooked

#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 027 Function Name: NtCompactKeys
Status: Not hooked

#: 028 Function Name: NtCompareTokens
Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked

#: 030 Function Name: NtCompressKey
Status: Not hooked

#: 031 Function Name: NtConnectPort
Status: Not hooked

#: 032 Function Name: NtContinue
Status: Not hooked

#: 033 Function Name: NtCreateDebugObject
Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 035 Function Name: NtCreateEvent
Status: Not hooked

#: 036 Function Name: NtCreateEventPair
Status: Not hooked

#: 037 Function Name: NtCreateFile
Status: Not hooked

#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked

#: 039 Function Name: NtCreateJobObject
Status: Not hooked

#: 040 Function Name: NtCreateJobSet
Status: Not hooked

#: 041 Function Name: NtCreateKey
Status: Not hooked

#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked

#: 043 Function Name: NtCreateMutant
Status: Not hooked

#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 045 Function Name: NtCreatePagingFile
Status: Not hooked

#: 046 Function Name: NtCreatePort
Status: Not hooked

#: 047 Function Name: NtCreateProcess
Status: Not hooked

#: 048 Function Name: NtCreateProcessEx
Status: Not hooked

#: 049 Function Name: NtCreateProfile
Status: Not hooked

#: 050 Function Name: NtCreateSection
Status: Not hooked

#: 051 Function Name: NtCreateSemaphore
Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7c8bd8c

#: 054 Function Name: NtCreateTimer
Status: Not hooked

#: 055 Function Name: NtCreateToken
Status: Not hooked

#: 056 Function Name: NtCreateWaitablePort
Status: Not hooked

#: 057 Function Name: NtDebugActiveProcess
Status: Not hooked

#: 058 Function Name: NtDebugContinue
Status: Not hooked

#: 059 Function Name: NtDelayExecution
Status: Not hooked

#: 060 Function Name: NtDeleteAtom
Status: Not hooked

#: 061 Function Name: NtDeleteBootEntry
Status: Not hooked

#: 062 Function Name: NtDeleteFile
Status: Not hooked

#: 063 Function Name: NtDeleteKey
Status: Not hooked

#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked

#: 065 Function Name: NtDeleteValueKey
Status: Not hooked

#: 066 Function Name: NtDeviceIoControlFile
Status: Not hooked

#: 067 Function Name: NtDisplayString
Status: Not hooked

#: 068 Function Name: NtDuplicateObject
Status: Not hooked

#: 069 Function Name: NtDuplicateToken
Status: Not hooked

#: 070 Function Name: NtEnumerateBootEntries
Status: Not hooked

#: 071 Function Name: NtEnumerateKey
Status: Not hooked

#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked

#: 073 Function Name: NtEnumerateValueKey
Status: Not hooked

#: 074 Function Name: NtExtendSection
Status: Not hooked

#: 075 Function Name: NtFilterToken
Status: Not hooked

#: 076 Function Name: NtFindAtom
Status: Not hooked

#: 077 Function Name: NtFlushBuffersFile
Status: Not hooked

#: 078 Function Name: NtFlushInstructionCache
Status: Not hooked

#: 079 Function Name: NtFlushKey
Status: Not hooked

#: 080 Function Name: NtFlushVirtualMemory
Status: Not hooked

#: 081 Function Name: NtFlushWriteBuffer
Status: Not hooked

#: 082 Function Name: NtFreeUserPhysicalPages
Status: Not hooked

#: 083 Function Name: NtFreeVirtualMemory
Status: Not hooked

#: 084 Function Name: NtFsControlFile
Status: Not hooked

#: 085 Function Name: NtGetContextThread
Status: Not hooked

#: 086 Function Name: NtGetDevicePowerState
Status: Not hooked

#: 087 Function Name: NtGetPlugPlayEvent
Status: Not hooked

#: 088 Function Name: NtGetWriteWatch
Status: Not hooked

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Not hooked

#: 090 Function Name: NtImpersonateClientOfPort
Status: Not hooked

#: 091 Function Name: NtImpersonateThread
Status: Not hooked

#: 092 Function Name: NtInitializeRegistry
Status: Not hooked

#: 093 Function Name: NtInitiatePowerAction
Status: Not hooked

#: 094 Function Name: NtIsProcessInJob
Status: Not hooked

#: 095 Function Name: NtIsSystemResumeAutomatic
Status: Not hooked

#: 096 Function Name: NtListenPort
Status: Not hooked

#: 097 Function Name: NtLoadDriver
Status: Not hooked

#: 098 Function Name: NtLoadKey
Status: Not hooked

#: 099 Function Name: NtLoadKey2
Status: Not hooked

#: 100 Function Name: NtLockFile
Status: Not hooked

#: 101 Function Name: NtLockProductActivationKeys
Status: Not hooked

#: 102 Function Name: NtLockRegistryKey
Status: Not hooked

#: 103 Function Name: NtLockVirtualMemory
Status: Not hooked

#: 104 Function Name: NtMakePermanentObject
Status: Not hooked

#: 105 Function Name: NtMakeTemporaryObject
Status: Not hooked

#: 106 Function Name: NtMapUserPhysicalPages
Status: Not hooked

#: 107 Function Name: NtMapUserPhysicalPagesScatter
Status: Not hooked

#: 108 Function Name: NtMapViewOfSection
Status: Not hooked

#: 109 Function Name: NtModifyBootEntry
Status: Not hooked

#: 110 Function Name: NtNotifyChangeDirectoryFile
Status: Not hooked

#: 111 Function Name: NtNotifyChangeKey
Status: Not hooked

#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Not hooked

#: 113 Function Name: NtOpenDirectoryObject
Status: Not hooked

#: 114 Function Name: NtOpenEvent
Status: Not hooked

#: 115 Function Name: NtOpenEventPair
Status: Not hooked

#: 116 Function Name: NtOpenFile
Status: Not hooked

#: 117 Function Name: NtOpenIoCompletion
Status: Not hooked

#: 118 Function Name: NtOpenJobObject
Status: Not hooked

#: 119 Function Name: NtOpenKey
Status: Not hooked

#: 120 Function Name: NtOpenMutant
Status: Not hooked

#: 121 Function Name: NtOpenObjectAuditAlarm
Status: Not hooked

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7c8bd78

#: 123 Function Name: NtOpenProcessToken
Status: Not hooked

#: 124 Function Name: NtOpenProcessTokenEx
Status: Not hooked

#: 125 Function Name: NtOpenSection
Status: Not hooked

#: 126 Function Name: NtOpenSemaphore
Status: Not hooked

#: 127 Function Name: NtOpenSymbolicLinkObject
Status: Not hooked

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7c8bd7d

#: 129 Function Name: NtOpenThreadToken
Status: Not hooked

#: 130 Function Name: NtOpenThreadTokenEx
Status: Not hooked

#: 131 Function Name: NtOpenTimer
Status: Not hooked

#: 132 Function Name: NtPlugPlayControl
Status: Not hooked

#: 133 Function Name: NtPowerInformation
Status: Not hooked

#: 134 Function Name: NtPrivilegeCheck
Status: Not hooked

#: 135 Function Name: NtPrivilegeObjectAuditAlarm
Status: Not hooked

#: 136 Function Name: NtPrivilegedServiceAuditAlarm
Status: Not hooked

#: 137 Function Name: NtProtectVirtualMemory
Status: Not hooked

#: 138 Function Name: NtPulseEvent
Status: Not hooked

#: 139 Function Name: NtQueryAttributesFile
Status: Not hooked

#: 140 Function Name: NtQueryBootEntryOrder
Status: Not hooked

#: 141 Function Name: NtQueryBootOptions
Status: Not hooked

#: 142 Function Name: NtQueryDebugFilterState
Status: Not hooked

#: 143 Function Name: NtQueryDefaultLocale
Status: Not hooked

#: 144 Function Name: NtQueryDefaultUILanguage
Status: Not hooked

#: 145 Function Name: NtQueryDirectoryFile
Status: Not hooked

#: 146 Function Name: NtQueryDirectoryObject
Status: Not hooked

#: 147 Function Name: NtQueryEaFile
Status: Not hooked

#: 148 Function Name: NtQueryEvent
Status: Not hooked

#: 149 Function Name: NtQueryFullAttributesFile
Status: Not hooked

#: 150 Function Name: NtQueryInformationAtom
Status: Not hooked

#: 151 Function Name: NtQueryInformationFile
Status: Not hooked

#: 152 Function Name: NtQueryInformationJobObject
Status: Not hooked

#: 153 Function Name: NtQueryInformationPort
Status: Not hooked

#: 154 Function Name: NtQueryInformationProcess
Status: Not hooked

#: 155 Function Name: NtQueryInformationThread
Status: Not hooked

#: 156 Function Name: NtQueryInformationToken
Status: Not hooked

#: 157 Function Name: NtQueryInstallUILanguage
Status: Not hooked

#: 158 Function Name: NtQueryIntervalProfile
Status: Not hooked

#: 159 Function Name: NtQueryIoCompletion
Status: Not hooked

#: 160 Function Name: NtQueryKey
Status: Not hooked

#: 161 Function Name: NtQueryMultipleValueKey
Status: Not hooked

#: 162 Function Name: NtQueryMutant
Status: Not hooked

#: 163 Function Name: NtQueryObject
Status: Not hooked

#: 164 Function Name: NtQueryOpenSubKeys
Status: Not hooked

#: 165 Function Name: NtQueryPerformanceCounter
Status: Not hooked

#: 166 Function Name: NtQueryQuotaInformationFile
Status: Not hooked

#: 167 Function Name: NtQuerySection
Status: Not hooked

#: 168 Function Name: NtQuerySecurityObject
Status: Not hooked

#: 169 Function Name: NtQuerySemaphore
Status: Not hooked

#: 170 Function Name: NtQuerySymbolicLinkObject
Status: Not hooked

#: 171 Function Name: NtQuerySystemEnvironmentValue
Status: Not hooked

#: 172 Function Name: NtQuerySystemEnvironmentValueEx
Status: Not hooked

#: 173 Function Name: NtQuerySystemInformation
Status: Not hooked

#: 174 Function Name: NtQuerySystemTime
Status: Not hooked

#: 175 Function Name: NtQueryTimer
Status: Not hooked

#: 176 Function Name: NtQueryTimerResolution
Status: Not hooked

#: 177 Function Name: NtQueryValueKey
Status: Not hooked

#: 178 Function Name: NtQueryVirtualMemory
Status: Not hooked

#: 179 Function Name: NtQueryVolumeInformationFile
Status: Not hooked

#: 180 Function Name: NtQueueApcThread
Status: Not hooked

#: 181 Function Name: NtRaiseException
Status: Not hooked

#: 182 Function Name: NtRaiseHardError
Status: Not hooked

#: 183 Function Name: NtReadFile
Status: Not hooked

#: 184 Function Name: NtReadFileScatter
Status: Not hooked

#: 185 Function Name: NtReadRequestData
Status: Not hooked

#: 186 Function Name: NtReadVirtualMemory
Status: Not hooked

#: 187 Function Name: NtRegisterThreadTerminatePort
Status: Not hooked

#: 188 Function Name: NtReleaseMutant
Status: Not hooked

#: 189 Function Name: NtReleaseSemaphore
Status: Not hooked

#: 190 Function Name: NtRemoveIoCompletion
Status: Not hooked

#: 191 Function Name: NtRemoveProcessDebug
Status: Not hooked

#: 192 Function Name: NtRenameKey
Status: Not hooked

#: 193 Function Name: NtReplaceKey
Status: Not hooked

#: 194 Function Name: NtReplyPort
Status: Not hooked

#: 195 Function Name: NtReplyWaitReceivePort
Status: Not hooked

#: 196 Function Name: NtReplyWaitReceivePortEx
Status: Not hooked

#: 197 Function Name: NtReplyWaitReplyPort
Status: Not hooked

#: 198 Function Name: NtRequestDeviceWakeup
Status: Not hooked

#: 199 Function Name: NtRequestPort
Status: Not hooked

#: 200 Function Name: NtRequestWaitReplyPort
Status: Not hooked

#: 201 Function Name: NtRequestWakeupLatency
Status: Not hooked

#: 202 Function Name: NtResetEvent
Status: Not hooked

#: 203 Function Name: NtResetWriteWatch
Status: Not hooked

#: 204 Function Name: NtRestoreKey
Status: Not hooked

#: 205 Function Name: NtResumeProcess
Status: Not hooked

#: 206 Function Name: NtResumeThread
Status: Not hooked

#: 207 Function Name: NtSaveKey
Status: Not hooked

#: 208 Function Name: NtSaveKeyEx
Status: Not hooked

#: 209 Function Name: NtSaveMergedKeys
Status: Not hooked

#: 210 Function Name: NtSecureConnectPort
Status: Not hooked

#: 211 Function Name: NtSetBootEntryOrder
Status: Not hooked

#: 212 Function Name: NtSetBootOptions
Status: Not hooked

#: 213 Function Name: NtSetContextThread
Status: Not hooked

#: 214 Function Name: NtSetDebugFilterState
Status: Not hooked

#: 215 Function Name: NtSetDefaultHardErrorPort
Status: Not hooked

#: 216 Function Name: NtSetDefaultLocale
Status: Not hooked

#: 217 Function Name: NtSetDefaultUILanguage
Status: Not hooked

#: 218 Function Name: NtSetEaFile
Status: Not hooked

#: 219 Function Name: NtSetEvent
Status: Not hooked

#: 220 Function Name: NtSetEventBoostPriority
Status: Not hooked

#: 221 Function Name: NtSetHighEventPair
Status: Not hooked

#: 222 Function Name: NtSetHighWaitLowEventPair
Status: Not hooked

#: 223 Function Name: NtSetInformationDebugObject
Status: Not hooked

#: 224 Function Name: NtSetInformationFile
Status: Not hooked

#: 225 Function Name: NtSetInformationJobObject
Status: Not hooked

#: 226 Function Name: NtSetInformationKey
Status: Not hooked

#: 227 Function Name: NtSetInformationObject
Status: Not hooked

#: 228 Function Name: NtSetInformationProcess
Status: Not hooked

#: 229 Function Name: NtSetInformationThread
Status: Not hooked

#: 230 Function Name: NtSetInformationToken
Status: Not hooked

#: 231 Function Name: NtSetIntervalProfile
Status: Not hooked

#: 232 Function Name: NtSetIoCompletion
Status: Not hooked

#: 233 Function Name: NtSetLdtEntries
Status: Not hooked

#: 234 Function Name: NtSetLowEventPair
Status: Not hooked

#: 235 Function Name: NtSetLowWaitHighEventPair
Status: Not hooked

#: 236 Function Name: NtSetQuotaInformationFile
Status: Not hooked

#: 237 Function Name: NtSetSecurityObject
Status: Not hooked

#: 238 Function Name: NtSetSystemEnvironmentValue
Status: Not hooked

#: 239 Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked

#: 240 Function Name: NtSetSystemInformation
Status: Not hooked

#: 241 Function Name: NtSetSystemPowerState
Status: Not hooked

#: 242 Function Name: NtSetSystemTime
Status: Not hooked

#: 243 Function Name: NtSetThreadExecutionState
Status: Not hooked

#: 244 Function Name: NtSetTimer
Status: Not hooked

#: 245 Function Name: NtSetTimerResolution
Status: Not hooked

#: 246 Function Name: NtSetUuidSeed
Status: Not hooked

#: 247 Function Name: NtSetValueKey
Status: Not hooked

#: 248 Function Name: NtSetVolumeInformationFile
Status: Not hooked

#: 249 Function Name: NtShutdownSystem
Status: Not hooked

#: 250 Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked

#: 251 Function Name: NtStartProfile
Status: Not hooked

#: 252 Function Name: NtStopProfile
Status: Not hooked

#: 253 Function Name: NtSuspendProcess
Status: Not hooked

#: 254 Function Name: NtSuspendThread
Status: Not hooked

#: 255 Function Name: NtSystemDebugControl
Status: Not hooked

#: 256 Function Name: NtTerminateJobObject
Status: Not hooked

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7c8bd87

#: 258 Function Name: NtTerminateThread
Status: Not hooked

#: 259 Function Name: NtTestAlert
Status: Not hooked

#: 260 Function Name: NtTraceEvent
Status: Not hooked

#: 261 Function Name: NtTranslateFilePath
Status: Not hooked

#: 262 Function Name: NtUnloadDriver
Status: Not hooked

#: 263 Function Name: NtUnloadKey
Status: Not hooked

#: 264 Function Name: NtUnloadKeyEx
Status: Not hooked

#: 265 Function Name: NtUnlockFile
Status: Not hooked

#: 266 Function Name: NtUnlockVirtualMemory
Status: Not hooked

#: 267 Function Name: NtUnmapViewOfSection
Status: Not hooked

#: 268 Function Name: NtVdmControl
Status: Not hooked

#: 269 Function Name: NtWaitForDebugEvent
Status: Not hooked

#: 270 Function Name: NtWaitForMultipleObjects
Status: Not hooked

#: 271 Function Name: NtWaitForSingleObject
Status: Not hooked

#: 272 Function Name: NtWaitHighEventPair
Status: Not hooked

#: 273 Function Name: NtWaitLowEventPair
Status: Not hooked

#: 274 Function Name: NtWriteFile
Status: Not hooked

#: 275 Function Name: NtWriteFileGather
Status: Not hooked

#: 276 Function Name: NtWriteRequestData
Status: Not hooked

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xf7c8bd82

#: 278 Function Name: NtYieldExecution
Status: Not hooked

#: 279 Function Name: NtCreateKeyedEvent
Status: Not hooked

#: 280 Function Name: NtOpenKeyedEvent
Status: Not hooked

#: 281 Function Name: NtReleaseKeyedEvent
Status: Not hooked

#: 282 Function Name: NtWaitForKeyedEvent
Status: Not hooked

#: 283 Function Name: NtQueryPortInformationProcess
Status: Not hooked




ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/21 11:26
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Stealth Objects
-------------------




ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/21 11:27
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Hidden Services
-------------------





ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/21 11:21
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF775B000 Size: 53248 File Visible: -
Status: -

Name: 3xHybrid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
Address: 0xF6B9C000 Size: 799744 File Visible: -
Status: -

Name: ABP480N5.SYS
Image Path: ABP480N5.SYS
Address: 0xF7923000 Size: 23552 File Visible: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF752C000 Size: 187776 File Visible: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

Name: adpu160m.sys
Image Path: adpu160m.sys
Address: 0xF748D000 Size: 101888 File Visible: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xAAA85000 Size: 138368 File Visible: -
Status: -

Name: agp440.sys
Image Path: agp440.sys
Address: 0xF778B000 Size: 42368 File Visible: -
Status: -

Name: agpCPQ.sys
Image Path: agpCPQ.sys
Address: 0xF779B000 Size: 44928 File Visible: -
Status: -

Name: aha154x.sys
Image Path: aha154x.sys
Address: 0xF7A73000 Size: 12800 File Visible: -
Status: -

Name: aic78u2.sys
Image Path: aic78u2.sys
Address: 0xF76BB000 Size: 55168 File Visible: -
Status: -

Name: aic78xx.sys
Image Path: aic78xx.sys
Address: 0xF768B000 Size: 56960 File Visible: -
Status: -

Name: aliide.sys
Image Path: aliide.sys
Address: 0xF7B5F000 Size: 5248 File Visible: -
Status: -

Name: alim1541.sys
Image Path: alim1541.sys
Address: 0xF776B000 Size: 42752 File Visible: -
Status: -

Name: amdagp.sys
Image Path: amdagp.sys
Address: 0xF777B000 Size: 43008 File Visible: -
Status: -

Name: amsint.sys
Image Path: amsint.sys
Address: 0xF7A7F000 Size: 12032 File Visible: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xF78BB000 Size: 60800 File Visible: -
Status: -

Name: asc.sys
Image Path: asc.sys
Address: 0xF78F3000 Size: 26496 File Visible: -
Status: -

Name: asc3350p.sys
Image Path: asc3350p.sys
Address: 0xF792B000 Size: 22400 File Visible: -
Status: -

Name: asc3550.sys
Image Path: asc3550.sys
Address: 0xF7A83000 Size: 14848 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF74A6000 Size: 95360 File Visible: -
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBFA0C000 Size: 212992 File Visible: -
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF9D5000 Size: 225280 File Visible: -
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xF6D2E000 Size: 1331200 File Visible: -
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBFA75000 Size: 2367488 File Visible: -
Status: -

Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBFA40000 Size: 217088 File Visible: -
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBFCB7000 Size: 643072 File Visible: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7D33000 Size: 3072 File Visible: -
Status: -

Name: avgio.sys
Image Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
Address: 0xF7BA3000 Size: 6144 File Visible: -
Status: -

Name: avgntflt.sys
Image Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
Address: 0xA853D000 Size: 81920 File Visible: -
Status: -

Name: avipbb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0xAA9DA000 Size: 69632 File Visible: -
Status: -

Name: BdaSup.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BdaSup.SYS
Address: 0xF7B37000 Size: 12288 File Visible: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7B97000 Size: 4224 File Visible: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7A6B000 Size: 12288 File Visible: -
Status: -

Name: cbidf2k.sys
Image Path: cbidf2k.sys
Address: 0xF7A8B000 Size: 13952 File Visible: -
Status: -

Name: cd20xrnt.sys
Image Path: cd20xrnt.sys
Address: 0xF7B6B000 Size: 7680 File Visible: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF77DB000 Size: 49536 File Visible: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF771B000 Size: 53248 File Visible: -
Status: -

Name: cmdide.sys
Image Path: cmdide.sys
Address: 0xF7B61000 Size: 6656 File Visible: -
Status: -

Name: cpqarray.sys
Image Path: cpqarray.sys
Address: 0xF7A6F000 Size: 14976 File Visible: -
Status: -

Name: dac2w2k.sys
Image Path: dac2w2k.sys
Address: 0xF7461000 Size: 179584 File Visible: -
Status: -

Name: dac960nt.sys
Image Path: dac960nt.sys
Address: 0xF7A7B000 Size: 14720 File Visible: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF770B000 Size: 36352 File Visible: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF74D6000 Size: 153344 File Visible: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF7B69000 Size: 5888 File Visible: -
Status: -

Name: dpti2o.sys
Image Path: dpti2o.sys
Address: 0xF7933000 Size: 20192 File Visible: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF6ED3000 Size: 61440 File Visible: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA989000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BBB000 Size: 8192 File Visible: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xAAFE0000 Size: 12288 File Visible: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7CF4000 Size: 4096 File Visible: -
Status: -

Name: e100b325.sys
Image Path: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Address: 0xF6B52000 Size: 157696 File Visible: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF78CB000 Size: 34944 File Visible: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF7441000 Size: 128896 File Visible: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7B95000 Size: 7936 File Visible: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF74FC000 Size: 125056 File Visible: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF77FB000 Size: 40960 File Visible: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E2000 Size: 134400 File Visible: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xF6CF5000 Size: 151552 File Visible: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF724E000 Size: 36864 File Visible: -
Status: -

Name: hidir.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidir.sys
Address: 0xF7A23000 Size: 17024 File Visible: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF79CB000 Size: 28672 File Visible: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF6ACD000 Size: 9600 File Visible: -
Status: -

Name: hpn.sys
Image Path: hpn.sys
Address: 0xF7943000 Size: 25952 File Visible: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA78DB000 Size: 262784 File Visible: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF7B93000 Size: 8192 File Visible: -
Status: -

Name: i2omp.sys
Image Path: i2omp.sys
Address: 0xF7903000 Size: 18560 File Visible: -
Status: -

Name: iaStor.sys
Image Path: iaStor.sys
Address: 0xF726E000 Size: 872064 File Visible: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF77CB000 Size: 41856 File Visible: -
Status: -

Name: ini910u.sys
Image Path: ini910u.sys
Address: 0xF7A87000 Size: 16000 File Visible: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF7B67000 Size: 5504 File Visible: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF71DE000 Size: 36096 File Visible: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xAAAA7000 Size: 134912 File Visible: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xAAB48000 Size: 74752 File Visible: -
Status: -

Name: IrBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\IrBus.sys
Address: 0xF6E93000 Size: 46208 File Visible: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF765B000 Size: 35840 File Visible: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF799B000 Size: 24576 File Visible: -
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xF6AC1000 Size: 14848 File Visible: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7B5B000 Size: 8192 File Visible: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF6B79000 Size: 143360 File Visible: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7418000 Size: 92032 File Visible: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7B9B000 Size: 4224 File Visible: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF7A63000 Size: 30080 File Visible: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF79A3000 Size: 23040 File Visible: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF6ABD000 Size: 12160 File Visible: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF766B000 Size: 42240 File Visible: -
Status: -

Name: mraid35x.sys
Image Path: mraid35x.sys
Address: 0xF78FB000 Size: 17280 File Visible: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA84C1000 Size: 179584 File Visible: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xAA9EB000 Size: 453632 File Visible: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF79EB000 Size: 19072 File Visible: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF784B000 Size: 35072 File Visible: -
Status: -

Name: MSPQM.sys
Image Path: C:\WINDOWS\system32\drivers\MSPQM.sys
Address: 0xF7B79000 Size: 4992 File Visible: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF719E000 Size: 15488 File Visible: -
Status: -

Name: Mtlmnt5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys
Address: 0xF6C60000 Size: 121216 File Visible: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7343000 Size: 107904 File Visible: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF735E000 Size: 182912 File Visible: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF7B43000 Size: 9600 File Visible: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xA8835000 Size: 12928 File Visible: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF6B27000 Size: 91776 File Visible: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF6EE3000 Size: 38016 File Visible: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF788B000 Size: 34560 File Visible: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xAAAC8000 Size: 162816 File Visible: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xF781B000 Size: 61824 File Visible: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF79FB000 Size: 30848 File Visible: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF738B000 Size: 574464 File Visible: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7D32000 Size: 2944 File Visible: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF774B000 Size: 61056 File Visible: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xF6B3E000 Size: 80128 File Visible: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF78E3000 Size: 18688 File Visible: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF751B000 Size: 68224 File Visible: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7C23000 Size: 3328 File Visible: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF78DB000 Size: 28672 File Visible: -
Status: -

Name: perc2.sys
Image Path: perc2.sys
Address: 0xF793B000 Size: 27296 File Visible: -
Status: -

Name: perc2hib.sys
Image Path: perc2hib.sys
Address: 0xF7B6D000 Size: 5504 File Visible: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xAAC93000 Size: 139264 File Visible: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF6B16000 Size: 69120 File Visible: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF7983000 Size: 17792 File Visible: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF794B000 Size: 19936 File Visible: -
Status: -

Name: ql1080.sys
Image Path: ql1080.sys
Address: 0xF76DB000 Size: 40320 File Visible: -
Status: -

Name: ql10wnt.sys
Image Path: ql10wnt.sys
Address: 0xF769B000 Size: 33152 File Visible: -
Status: -

Name: ql12160.sys
Image Path: ql12160.sys
Address: 0xF76FB000 Size: 45312 File Visible: -
Status: -

Name: ql1240.sys
Image Path: ql1240.sys
Address: 0xF76AB000 Size: 40448 File Visible: -
Status: -

Name: ql1280.sys
Image Path: ql1280.sys
Address: 0xF76EB000 Size: 49024 File Visible: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF7B17000 Size: 8832 File Visible: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF780B000 Size: 51328 File Visible: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF782B000 Size: 41472 File Visible: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF783B000 Size: 48384 File Visible: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF798B000 Size: 16512 File Visible: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xAAA5A000 Size: 174592 File Visible: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7B9F000 Size: 4224 File Visible: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF6AE5000 Size: 196864 File Visible: -
Status: -

Name: RDPWD.SYS
Image Path: C:\WINDOWS\System32\Drivers\RDPWD.SYS
Address: 0xA7C69000 Size: 139392 File Visible: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF77EB000 Size: 57472 File Visible: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8919000 Size: 45056 File Visible: No
Status: -

Name: RtkHDAud.sys
Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Address: 0xAACB5000 Size: 3289088 File Visible: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xF74BE000 Size: 98304 File Visible: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xA8791000 Size: 40960 File Visible: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xF7B3B000 Size: 15488 File Visible: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xF71CE000 Size: 64896 File Visible: -
Status: -

Name: sisagp.sys
Image Path: sisagp.sys
Address: 0xF772B000 Size: 41088 File Visible: -
Status: -

Name: slntamr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\slntamr.sys
Address: 0xF6C7E000 Size: 343872 File Visible: -
Status: -

Name: SlWdmSup.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys
Address: 0xF7A5B000 Size: 16960 File Visible: -
Status: -

Name: sparrow.sys
Image Path: sparrow.sys
Address: 0xF78EB000 Size: 19072 File Visible: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF742F000 Size: 73472 File Visible: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA812C000 Size: 333184 File Visible: -
Status: -

Name: ssmdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xF7A03000 Size: 22656 File Visible: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7B89000 Size: 4352 File Visible: -
Status: -

Name: sym_hi.sys
Image Path: sym_hi.sys
Address: 0xF7913000 Size: 28384 File Visible: -
Status: -

Name: sym_u3.sys
Image Path: sym_u3.sys
Address: 0xF791B000 Size: 30688 File Visible: -
Status: -

Name: symc810.sys
Image Path: symc810.sys
Address: 0xF7A77000 Size: 16256 File Visible: -
Status: -

Name: symc8xx.sys
Image Path: symc8xx.sys
Address: 0xF790B000 Size: 32640 File Visible: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xA8439000 Size: 60800 File Visible: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAAAF0000 Size: 360320 File Visible: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF795B000 Size: 20480 File Visible: -
Status: -

Name: TDTCP.SYS
Image Path: C:\WINDOWS\System32\Drivers\TDTCP.SYS
Address: 0xF7A1B000 Size: 21760 File Visible: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF785B000 Size: 40704 File Visible: -
Status: -

Name: toside.sys
Image Path: toside.sys
Address: 0xF7B63000 Size: 4992 File Visible: -
Status: -

Name: Udfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Udfs.SYS
Address: 0xAA9A1000 Size: 66176 File Visible: -
Status: -

Name: ultra.sys
Image Path: ultra.sys
Address: 0xF76CB000 Size: 36736 File Visible: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF6A23000 Size: 364160 File Visible: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF79F3000 Size: 31616 File Visible: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7B8D000 Size: 8192 File Visible: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF7A53000 Size: 26624 File Visible: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF6EA3000 Size: 57600 File Visible: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF6CD2000 Size: 143360 File Visible: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF7A4B000 Size: 20480 File Visible: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF79D3000 Size: 20992 File Visible: -
Status: -

Name: viaagp.sys
Image Path: viaagp.sys
Address: 0xF773B000 Size: 42240 File Visible: -
Status: -

Name: viaide.sys
Image Path: viaide.sys
Address: 0xF7B65000 Size: 5376 File Visible: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6D1A000 Size: 81920 File Visible: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF767B000 Size: 52352 File Visible: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF789B000 Size: 34560 File Visible: -
Status: -

Name: wanatw4.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanatw4.sys
Address: 0xF7993000 Size: 20512 File Visible: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7A33000 Size: 20480 File Visible: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA7FFF000 Size: 82944 File Visible: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7B5D000 Size: 8192 File Visible: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x0040e77a
Attempt to read from address: 0x00bd0004

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x0040e77a
Attempt to read from address: 0x00b5f004

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x0040e77a
Attempt to read from address: 0x00b5f004

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x0040e77a
Attempt to read from address: 0x00b5f004
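
As an added example (not RootRepeal's own code and not posted in the thread), a small Python triage script for the driver report above: it parses the four-line entry format, treats the dump_* and rootrepeal.sys "File Visible: No" entries as expected (that allow-list is the example's assumption), flags any other loaded driver with no visible file, and groups names that share one load address. The sample input is an excerpt of the report plus one constructed entry, EXAMPLE_hidden.sys.

```python
"""Added example (not RootRepeal's code): parse a RootRepeal 'Drivers' report in
the format posted above and flag entries worth a second look."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One RootRepeal driver entry spans four lines:
#   Name / Image Path / Address+Size+File Visible / Status
ENTRY_RE = re.compile(
    r"Name:[ \t]*(?P<name>.+?)[ \t]*\r?\n"
    r"Image Path:[ \t]*(?P<path>.+?)[ \t]*\r?\n"
    r"Address:[ \t]*(?P<addr>0x[0-9A-Fa-f]+)[ \t]+Size:[ \t]*(?P<size>\d+)"
    r"[ \t]+File Visible:[ \t]*(?P<vis>\S+)[ \t]*\r?\n"
    r"Status:[ \t]*(?P<status>.*?)[ \t]*(?:\r?\n|$)"
)


@dataclass(frozen=True)
class Driver:
    name: str
    path: str
    base: int           # load address of the image
    size: int
    file_visible: bool  # False when RootRepeal printed "File Visible: No"
    status: str         # "-" means RootRepeal had nothing to report


def parse_rootrepeal_drivers(report: str) -> List[Driver]:
    """Return every driver entry found in the report text, in order."""
    return [
        Driver(name=m["name"], path=m["path"], base=int(m["addr"], 16),
               size=int(m["size"]), file_visible=m["vis"].lower() != "no",
               status=m["status"])
        for m in ENTRY_RE.finditer(report)
    ]


# Allow-list (this example's assumption, not RootRepeal's): dump_* drivers are
# memory-only copies of the boot-path storage stack kept for crash dumps, and
# rootrepeal.sys is the scanner's own driver, so neither has a file to find.
EXPECTED_HIDDEN_PREFIXES = ("dump_",)
EXPECTED_HIDDEN_NAMES = {"rootrepeal.sys"}


def triage(drivers: List[Driver]) -> List[Tuple[str, str, str]]:
    """Return (severity, driver name, reason) triples for entries worth a look."""
    findings: List[Tuple[str, str, str]] = []
    for d in drivers:
        lname = d.name.lower()
        if not d.file_visible:
            if lname.startswith(EXPECTED_HIDDEN_PREFIXES) or lname in EXPECTED_HIDDEN_NAMES:
                findings.append(("info", d.name, "file not visible, expected for this driver"))
            else:
                # A driver running in the kernel whose image the file system cannot
                # show is the classic footprint of a file-hiding rootkit.
                findings.append(("suspicious", d.name,
                                 "loaded driver whose image file is hidden from the file system"))
        if d.status and d.status != "-":
            findings.append(("suspicious", d.name, f"RootRepeal status: {d.status}"))
    return findings


def aliases_by_base(drivers: List[Driver]) -> Dict[int, List[str]]:
    """Group names that share a load address. In the report above, Win32k and
    win32k.sys are one module, and PnpManager, RAW and WMIxWDM are objects inside
    ntkrnlpa.exe; knowing that keeps them out of the suspicious pile."""
    groups: Dict[int, List[str]] = {}
    for d in drivers:
        groups.setdefault(d.base, []).append(d.name)
    return {base: names for base, names in groups.items() if len(names) > 1}


# Constructed sample: three entries copied from the report above plus one
# invented entry (EXAMPLE_hidden.sys) standing in for a hidden rootkit driver.
SAMPLE_REPORT = """Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xAA989000 Size: 98304 File Visible: No
Status: -

Name: ntkrnlpa.exe
Image Path: C:\\WINDOWS\\system32\\ntkrnlpa.exe
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

Name: PnpManager
Image Path: \\Driver\\PnpManager
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

Name: EXAMPLE_hidden.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\EXAMPLE_hidden.sys
Address: 0xA8000000 Size: 40960 File Visible: No
Status: -
"""

if __name__ == "__main__":
    found = parse_rootrepeal_drivers(SAMPLE_REPORT)
    for severity, name, reason in triage(found):
        print(f"[{severity}] {name}: {reason}")
    for base, names in aliases_by_base(found).items():
        print(f"0x{base:08X}: {', '.join(names)}")
```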

#6 rigel
    FD-BC
  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:48 PM

Posted 21 May 2009 - 10:57 AM

That is what I needed :thumbsup:

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#7 monitorlizard
  • Topic Starter
  • Members
  • 11 posts
  • Local time:06:48 PM

Posted 22 May 2009 - 01:13 PM

Hi again

Many thanks for your latest reply.

I have downloaded Dr Web-CureIt, as instructed. However I have now hit a major stumbling block, in that I cannot boot into Safe Mode. Neither tapping the F8 key nor holding it down helps at all. A boot menu appears, however, there are only two options listed, and these are to either boot from the hard disk or from the CD

#8 monitorlizard
  • Topic Starter
  • Members
  • 11 posts
  • Local time:06:48 PM

Posted 22 May 2009 - 01:22 PM

Hi again

Many thanks for your latest reply.

I have downloaded Dr Web-CureIt, as instructed. However I have now hit a major stumbling block, in that I cannot boot into Safe Mode. Neither tapping the F8 key nor holding it down helps at all. A boot menu appears, however, there are only two options listed, and these are to either boot from the hard disk or from the CD-Rom. Safe Mode is not included in the options.

I clicked on the link to information on Safe Mode that you provided in your last post, and this mentions that the Windows Advanced Options Menu should appear and that Safe Mode will be one of the options, however, the WAOM does not appear.

I understand that it is a serious matter if a computer cannot be booted into safe mode, but it occurred to me that as Safe Mode is not even listed, it may be a problem with the computer's configuration. I therefore booted into Windows and ran msconfig. On the Boot INI tab there was a Boot Options section. The first option in this is "SAFEBOOT". The box next to "SAFEBOOT" was not checked. I am wondering whether checking this box would then result in Safe Mode being available as an option when the computer is next re-booted.

I would be glad to hear from you with your thoughts on the matter.

#9 rigel
    FD-BC
  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:48 PM

Posted 22 May 2009 - 02:38 PM

No... Please don't force a safe mode boot. It can cause more problems.

Let's use an alternate scan.

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allow the scan to run.
  • Click Start. (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.



#10 monitorlizard
  • Topic Starter
  • Members
  • 11 posts
  • Local time:06:48 PM

Posted 24 May 2009 - 02:36 PM

Hi

I ran the Eset OnlineScan, and have copied and pasted the log results below.

When the scan finished, the screen did not show the two tabs that you mentioned. Instead, it gave a summary of the results of the scan, i.e. 8 threats found, and that the threats had been cleaned. I was given two options: (a) to uninstall the program and (b) to delete quarantined files. As you had given no instructions on those issues, I did not uninstall the program and I did not delete the quarantined files.

Incidentally, while the Eset scan was running, my anti-virus program, Avira, popped up nearly 20 separate dialog boxes advising that it had found several trojans and a few other 'exploits'. I hadn't even realised that Avira was performing a scan! I wrote down the names of the trojans and their locations on my PC, and I'll copy and paste them into my next reply, if you think they'll be of any use to you.



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16827 (vista_gdr.090226-1506)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=e097ad751628584582b921cc819e92f0
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-05-24 07:08:58
# local_time=2009-05-24 08:08:58 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1793 21 100 100 876605091466
# scanned=91977
# found=8
# cleaned=8
# scan_time=4920
C:\WINDOWS\adghkj.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\WINDOWS\dcffgh.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\WINDOWS\stuvyb.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\WINDOWS\xbbbeg.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\etc\hosts.20090514-123251.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
D:\Documents and Settings\GRAHAM lovell\Desktop\ChessSetup-dm.exe Win32/Adware.Trymedia application (cleaned by deleting - quarantined) 00000000000000000000000000000000
D:\Documents and Settings\GRAHAM lovell\Local Settings\Temp\Acr86.tmp PDF/Exploit.Pidief.OJS.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

#11 rigel
    FD-BC
  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:48 PM

Posted 24 May 2009 - 04:11 PM

I have seen other AV programs start flagging files as an outside scan was run. Is safe mode accessible now?



#12 monitorlizard
  • Topic Starter
  • Members
  • 11 posts
  • Local time:06:48 PM

Posted 25 May 2009 - 04:28 PM

Hi again

Unfortunately I still can't access safe mode :thumbsup:

#13 monitorlizard
  • Topic Starter
  • Members
  • 11 posts
  • Local time:06:48 PM

Posted 28 May 2009 - 12:49 PM

Hi Rigel

I was just wondering if you had any more suggestions I could try, or whether you think my only viable option is to reformat the hard drive.

#14 rigel
    FD-BC
  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:48 PM

Posted 28 May 2009 - 03:38 PM

My apologies for the delayed response. I seem to have lost you in the stack.

Let's visit SDFix...

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



#15 monitorlizard
  • Topic Starter
  • Members
  • 11 posts
  • Local time:06:48 PM

Posted 29 May 2009 - 11:35 AM

Thanks for your reply Rigel.

I have downloaded SDFix, and read the instructions that you refer to. It seems that this programme has to be run in safe mode and, at present, I cannot access this. However, one of the links led to instructions on how to restore safe mode via the Run feature. Should I attempt this now?



