Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

After trojans attack,PLEASE help


  • Please log in to reply
21 replies to this topic

#1 Gordana

Gordana

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Slovenia
  • Local time:07:19 AM

Posted 17 July 2009 - 04:57 PM

Hello!

Please,help me ! I am desperate!

Before i will post my problems,I need a help to get my desktop back. I just run combofix on my laptop (which is freezing a lot ),about 20 min ago , got report (notepad) which i minimized to see if my laptop is in previous state - notepad disappeared and my screen is still blank (blue).

Should I shut it down and restart! (Or just throw it through the window!!!)



Please,please - HELP!

Regards,Gordana

windows XP,IE 6
Some of trojans detected by avast,the last one has been win 32 Trojan Generic 13/7/2009

Posted Image

Am I still infected or...?

Edited by Gordana, 17 July 2009 - 06:42 PM.


BC AdBot (Login to Remove)

 


#2 Gordana

Gordana
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Slovenia
  • Local time:07:19 AM

Posted 17 July 2009 - 05:39 PM

About month ago,AVG free detected win32 virus Agent,

About 2 weeks ago,laptop got infected with Fraud Sysguard trojan . Has been pretty nasty,AVG didn't registered it,I downloaded spybot s&d ,than ad aware se and avast anty virus . I got infected few times,till the owner of the site didn't get ride of it .All in all there has been about 15 trojans,worms,spyware and some high jack* stuff .

I still used to get pop up messages ,windows 32,,,and something ... run into problem and will close down (something like that),and others...

Than I updated my windows into SP3 ,also Java ,but than after 2 days ,my laptop become extremely slow (it took 45 min to be 'ready' for work after start,I had to wait 10 min to open anything...

and stupid me,I uninstalated SP3,even worse ,I started to delete latest updates which,I thought goes with SP3- total mess . I manage to restore it ,now I got all as it used to be (hopefully,now i got problems with uninstal wizard)- even the fact I can't use it at all (or hardly) .

Now,I cant send log ,because I mess again ,or my laptop got frozen,it's still blue!

I am really desperate (and ,please,don't laugh on my stupid mistakes ! :thumbsup: ) My English is not perfect,my apology,but hope you got the picture of my problems.

Hope someone can help me ! Thank you very much!

Regards,Gordana

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:19 AM

Posted 17 July 2009 - 06:59 PM

Ok,hello and welcome..... This is pretty messed up.. we can clean or format.. You cannot access your PC ... It is stuck at a Blue Screen?

Reformatting

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the When should I re-format? How should I reinstall? links and Where to draw the line? When to recommend a format and reinstall?.
In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.


The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.


2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Reinstall Windows Vista
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 Gordana

Gordana
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Slovenia
  • Local time:07:19 AM

Posted 17 July 2009 - 07:17 PM

Thank you for your quick reply!I know its my bad English- I got blue screen after combofix,I shut it down ''on a hard way'',and I can use it now.(Scan has been done successfully and I got the log)


If you think it would be the best to reformate it,I will try do do that,but is there a way to fix it without that?

Thank you very much again!

Edited by Gordana, 17 July 2009 - 07:24 PM.


#5 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:19 PM

Posted 17 July 2009 - 07:31 PM

You probably can clean it up quite a bit but the fact that you have rootkit infections on it means that even if you do clean it up, you won't be able to be sure that it is really clean and trustworthy.

If you choose not to reformat it, please do not do any online banking or credit card transactions on that computer as there is no guarantee that there is not still a trace of the rootkit on it that could transmit your personal information to someone else

Edited by Stang777, 17 July 2009 - 07:32 PM.


#6 Gordana

Gordana
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Slovenia
  • Local time:07:19 AM

Posted 17 July 2009 - 08:00 PM

Thank you very much for that info, Stang777!!!!!

After combofix scan,my laptop seems to work much faster ,but how long? I am pretty sure there is something more,I got 2 shortcuts for IE on desktop now,and when I am trying to open my mail ,I am getting pop up window I am leaving safe internet connection (didn't have that before) and although I click Yes,it pop up back few times; getting unknown links on the top of the browser, I am logging into my mail box before the right one )

(spybot,ad aware and avast didn't found anything last few days)

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:19 AM

Posted 17 July 2009 - 08:08 PM

I would like to try one scan..
Next try to run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 Gordana

Gordana
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Slovenia
  • Local time:07:19 AM

Posted 17 July 2009 - 08:12 PM

I will do that,but going on trip in a few hours,Please,come back to me after I'll do that and reply!

Thanks a lot!!!

#9 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:19 PM

Posted 17 July 2009 - 08:14 PM

Thank you very much for that info, Stang777!!!!!


You are very welcome :thumbsup:

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:19 AM

Posted 17 July 2009 - 08:47 PM

When you come back run the Malwarebytes in the above post ,then we'll know your available for help.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 Gordana

Gordana
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Slovenia
  • Local time:07:19 AM

Posted 18 July 2009 - 04:34 PM

Done ! (Note,there has not been 'all drives selection ' possibility,just Quick or Full scan )

Malwarebytes' Anti-Malware 1.39
Database version: 2461
Windows 5.1.2600 Service Pack 3
18/07/2009 20:14:59
mbam-log-2009-07-18 (20-14-59).txt
Scan type: Quick Scan
Objects scanned: 80135
Time elapsed: 8 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.


From combofix log :

c:\windows\system32\proquota.exe . . . is missing!!

(Note: Month ago AVG free has detected virus Agent in c/windows/system/32/Isass.exe [Result: object is white- listed (critical) system file that should not be removed ) Type: file ; Process C/windows/system32/svchost.exe ; Process ID 892] File has been removed into virus Vault,but I uninstall AVG free after multiple infection with trojans.


Some task are still slow,especially in start, and it takes from 1 to 5 min to open programs such MBAM,spybot,avast ,but there is no terrible frizzing as before.

Also ,I can't uninstall Java ( I got J2SE Runtime Environment 5.0 update 14 ; Java ™ 6 update 7 ; Java ™ 6 update 13) now.
When I want to uninstall old one ,I got pop up window ,my free translation into English,
''Access to Windows Installer is not possible. It could be due program Windows is running in safe mode [should not be the case,I think] or Windows Installer is not configured correctly ...''

Could it be result of my messing with installing than uninstalling SP 3 ,deleting latest windows updates one by one till I didn't realize I was killing it ,I restore it,but did I lost some file ? Although I am running out of free space on disc C (just 1,44 GB from 7,81 GB ) , laptop started not to respond 2 days after I upgraded to SP3,not right away .




Question :Root kits has been in temporary internet files , which has been deleted asap. Is there a high risk still?


Looking forward for your next advice !

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:19 AM

Posted 19 July 2009 - 01:02 PM

Hello, the Full scan option is for scanning all drives..

Rootkits are always dangerous as I mentioned above. Let's see what rootrepeal says.
Next Please install RootRepeal
Note: Vista users ,, right click on desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images ,if needed >> L@@K.
Unzip that,(7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 Gordana

Gordana
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Slovenia
  • Local time:07:19 AM

Posted 19 July 2009 - 01:52 PM

Hi!
I am not sure if I did that right. I had to download zz7,but I do not know how to open RR with it ! Eeek!

I think I clicked Extract to Root Repeal,scan was fast...and if this is what I got:



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/19 20:40
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: Aavmker4.SYS
Image Path: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Address: 0xFA24C000 Size: 19072 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF9E5D000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2188928 File Visible: - Signed: -
Status: -

Name: ACPIEC.sys
Image Path: ACPIEC.sys
Address: 0xFA2C8000 Size: 11648 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF6867000 Size: 138368 File Visible: - Signed: -
Status: -

Name: aswFsBlk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
Address: 0xFA294000 Size: 32768 File Visible: - Signed: -
Status: -

Name: aswMon2.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Address: 0xF63CD000 Size: 87296 File Visible: - Signed: -
Status: -

Name: aswRdr.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswRdr.SYS
Address: 0xF5FEE000 Size: 15136 File Visible: - Signed: -
Status: -

Name: aswSP.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswSP.SYS
Address: 0xF6763000 Size: 135168 File Visible: - Signed: -
Status: -

Name: aswTdi.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xF9F3C000 Size: 41664 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF9DEF000 Size: 95360 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xFA4CC000 Size: 3072 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\BATTC.SYS
Address: 0xFA2C4000 Size: 16384 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xFA3CE000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xFA2BC000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF9FEC000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xFA06C000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF9EEC000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\CmBatt.sys
Address: 0xFA380000 Size: 14080 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xFA2C0000 Size: 9344 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF9EDC000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF9E07000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xFA3B0000 Size: 5888 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xFA08C000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF674B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xFA3F0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF99F4000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xFA5C4000 Size: 4096 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xFA1BC000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF9F7C000 Size: 34944 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xFA20C000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF9DD0000 Size: 124800 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xFA3CC000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF9E2D000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xFA1CC000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 81280 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS
Address: 0xF9F9C000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Address: 0xFA234000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\hidusb.sys
Address: 0xF9B1C000 Size: 9600 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xF5B31000 Size: 263040 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xFA05C000 Size: 52736 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xFA04C000 Size: 36096 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xF67AC000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xF6909000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF9EAC000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xFA1B4000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xFA3AC000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xF5488000 Size: 171776 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xF9BB2000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF9DA7000 Size: 92032 File Visible: - Signed: -
Status: -

Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xF9EFC000 Size: 57472 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xFA3D0000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xFA1D4000 Size: 30080 File Visible: - Signed: -
Status: -

Name: MODEMCSA.sys
Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Address: 0xF9C8A000 Size: 16128 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xFA1AC000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xF9B18000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF9EBC000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xF6016000 Size: 181248 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xF67CD000 Size: 453632 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xFA224000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xFA0CC000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xFA39C000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mtlmnt5.sys
Image Path: C:\WINDOWS\System32\DRIVERS\Mtlmnt5.sys
Address: 0xF9B30000 Size: 126656 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF9CD2000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF9CED000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xFA384000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xF65FB000 Size: 12928 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF9AA2000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xFA0EC000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF9F4C000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xF6889000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xFA22C000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF9D1A000 Size: 574592 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2188928 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xFA5A3000 Size: 2944 File Visible: - Signed: -
Status: -

Name: OPRGHDLR.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
Address: 0xFA475000 Size: 4096 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF9BF8000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xFA134000 Size: 18688 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xFA3EE000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF9E4C000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xFA474000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xFA12C000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2188928 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF9AB9000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF9A91000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xFA1EC000 Size: 17792 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xFA350000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xFA09C000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xFA0AC000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xFA0BC000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xFA1F4000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2188928 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xF683C000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xFA3D2000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Address: 0xF9A60000 Size: 196864 File Visible: - Signed: -
Status: -

Name: RecAgent.sys
Image Path: RecAgent.sys
Address: 0xFA2CC000 Size: 13696 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xFA07C000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF5662000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sis7012.sys
Image Path: C:\WINDOWS\system32\drivers\sis7012.sys
Address: 0xF9ADD000 Size: 174848 File Visible: - Signed: -
Status: -

Name: SISAGPX.sys
Image Path: SISAGPX.sys
Address: 0xFA13C000 Size: 30720 File Visible: - Signed: -
Status: -

Name: sisgrp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\sisgrp.sys
Address: 0xF9C20000 Size: 432384 File Visible: - Signed: -
Status: -

Name: SiSGRV.dll
Image Path: C:\WINDOWS\System32\SiSGRV.dll
Address: 0xBF9D5000 Size: 1081344 File Visible: - Signed: -
Status: -

Name: sisnic.sys
Image Path: C:\WINDOWS\System32\DRIVERS\sisnic.sys
Address: 0xFA1DC000 Size: 32768 File Visible: - Signed: -
Status: -

Name: slntamr.sys
Image Path: C:\WINDOWS\System32\DRIVERS\slntamr.sys
Address: 0xF9B4F000 Size: 404960 File Visible: - Signed: -
Status: -

Name: SlWdmSup.sys
Image Path: C:\WINDOWS\System32\DRIVERS\SlWdmSup.sys
Address: 0xFA360000 Size: 13152 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF9DBE000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xF5E6C000 Size: 333184 File Visible: - Signed: -
Status: -

Name: srvkp.sys
Image Path: C:\WINDOWS\system32\drivers\srvkp.sys
Address: 0xFA358000 Size: 11264 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xFA3C2000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF6473000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xF68B1000 Size: 360320 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xFA1E4000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xFA0DC000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xF5FAE000 Size: 97280 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF9A2C000 Size: 209408 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xFA3C8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF9F2C000 Size: 57600 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbohci.sys
Address: 0xFA1C4000 Size: 17024 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF9BD5000 Size: 143360 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xFA21C000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF9C0C000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF9ECC000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF9F8C000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xFA27C000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xF6188000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xFA3AE000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2188928 File Visible: - Signed: -
Status: -

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:19 AM

Posted 19 July 2009 - 02:47 PM

Were all the tabs selected?
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Rerun RootRepeal
Click Settings - Options
Set the Disk Access Level slider in the general tab to High

Try scanning now with the settings as described above.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 Gordana

Gordana
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Slovenia
  • Local time:07:19 AM

Posted 19 July 2009 - 03:05 PM

My problem has been how to OPEN RR at all & select all tabs (doubleclick???,bc I clicked on each....)
Posted Image


Nwm, I scanned one by one)

Files

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/07/19 21:43
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\gordanapapac5@msn.com\SharingMetadata\another1chance@yahoo.co.uk\DFSR\Staging\CS{474D8DF2-8313-DD43-5423-95A6F4676591}\01\12-{474D8DF2-8313-DD43-5423-95A6F4676591}-v1-{E960D69C-EA51-4065-AD3E-C0C2B80E3E59}-v12-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\gordanapapac5@msn.com\SharingMetadata\sportycat1212@hotmail.com\DFSR\Staging\CS{5A64D2D3-5949-20DE-C87A-68D05E8FAB0B}\01\11-{5A64D2D3-5949-20DE-C87A-68D05E8FAB0B}-v1-{E960D69C-EA51-4065-AD3E-C0C2B80E3E59}-v11-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\ripperbb2@volja.net\SharingMetadata\aerithfreak@hotmail.com\DFSR\Staging\CS{86018391-7FC9-F539-7636-932A11B64D6D}\01\11-{86018391-7FC9-F539-7636-932A11B64D6D}-v1-{48442B4A-D2D5-42BB-8EA4-0A8E1B59A0B0}-v11-Downloaded.frx
Status: Locked to the Windows API!

Process

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/07/19 21:44
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Processes-------------------
Path: System
PID: 4 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 224 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 444 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 500 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 524 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 568 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 580 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 740 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 836 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 920 Status: -

Path: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PID: 1020 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1052 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1176 Status: -

Path: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PID: 1232 Status: -

Path: C:\WINDOWS\system32\wbem\unsecapp.exe
PID: 1268 Status: -

Path: C:\Program Files\Alwil Software\Avast4\ashServ.exe
PID: 1320 Status: -

Path: C:\Program Files\QuickTime\qttask.exe
PID: 1336 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1600 Status: -

Path: C:\WINDOWS\system32\wscntfy.exe
PID: 1616 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1776 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1832 Status: -

Path: C:\WINDOWS\system32\khooker.exe
PID: 1844 Status: -

Path: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 1872 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1916 Status: -

Path: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
PID: 2040 Status: -

Path: C:\Program Files\MSN Messenger\msnmsgr.exe
PID: 2140 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 2156 Status: -

Path: C:\Documents and Settings\Administrator\Desktop\RootRepeal\RootRepeal.exe
PID: 2252 Status: -

Path: C:\Program Files\Messenger\msmsgs.exe
PID: 2292 Status: -

Path: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PID: 2392 Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 2568 Status: -

Path: C:\Program Files\MSN Messenger\usnsvc.exe
PID: 3472 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3672 Status: -

SSDT

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/07/19 21:44
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 012 Function Name: NtAlertResumeThread
Status: Not hooked

#: 013 Function Name: NtAlertThread
Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016 Function Name: NtAllocateUuids
Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 020 Function Name: NtCallbackReturn
Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

#: 022 Function Name: NtCancelIoFile
Status: Not hooked

#: 023 Function Name: NtCancelTimer
Status: Not hooked

#: 024 Function Name: NtClearEvent
Status: Not hooked

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf676b6b8


#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 027 Function Name: NtCompactKeys
Status: Not hooked

#: 028 Function Name: NtCompareTokens
Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked

#: 030 Function Name: NtCompressKey
Status: Not hooked

#: 031 Function Name: NtConnectPort
Status: Not hooked

#: 032 Function Name: NtContinue
Status: Not hooked

#: 033 Function Name: NtCreateDebugObject
Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 035 Function Name: NtCreateEvent
Status: Not hooked

#: 036 Function Name: NtCreateEventPair
Status: Not hooked

#: 037 Function Name: NtCreateFile
Status: Not hooked

#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked

#: 039 Function Name: NtCreateJobObject
Status: Not hooked

#: 040 Function Name: NtCreateJobSet
Status: Not hooked

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf676b574


#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked

#: 043 Function Name: NtCreateMutant
Status: Not hooked

#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 045 Function Name: NtCreatePagingFile
Status: Not hooked

#: 046 Function Name: NtCreatePort
Status: Not hooked

#: 047 Function Name: NtCreateProcess
Status: Not hooked

#: 048 Function Name: NtCreateProcessEx
Status: Not hooked

#: 049 Function Name: NtCreateProfile
Status: Not hooked

#: 050 Function Name: NtCreateSection
Status: Not hooked

#: 051 Function Name: NtCreateSemaphore
Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 053 Function Name: NtCreateThread
Status: Not hooked

#: 054 Function Name: NtCreateTimer
Status: Not hooked

#: 055 Function Name: NtCreateToken
Status: Not hooked

#: 056 Function Name: NtCreateWaitablePort
Status: Not hooked

#: 057 Function Name: NtDebugActiveProcess
Status: Not hooked

#: 058 Function Name: NtDebugContinue
Status: Not hooked

#: 059 Function Name: NtDelayExecution
Status: Not hooked

#: 060 Function Name: NtDeleteAtom
Status: Not hooked

#: 061 Function Name: NtDeleteBootEntry
Status: Not hooked

#: 062 Function Name: NtDeleteFile
Status: Not hooked

#: 063 Function Name: NtDeleteKey
Status: Not hooked

#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf676ba52


#: 066 Function Name: NtDeviceIoControlFile
Status: Not hooked

#: 067 Function Name: NtDisplayString
Status: Not hooked

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf676b14c


#: 069 Function Name: NtDuplicateToken
Status: Not hooked

#: 070 Function Name: NtEnumerateBootEntries
Status: Not hooked

#: 071 Function Name: NtEnumerateKey
Status: Not hooked

#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked

#: 073 Function Name: NtEnumerateValueKey
Status: Not hooked

#: 074 Function Name: NtExtendSection
Status: Not hooked

#: 075 Function Name: NtFilterToken
Status: Not hooked

#: 076 Function Name: NtFindAtom
Status: Not hooked

#: 077 Function Name: NtFlushBuffersFile
Status: Not hooked

#: 078 Function Name: NtFlushInstructionCache
Status: Not hooked

#: 079 Function Name: NtFlushKey
Status: Not hooked

#: 080 Function Name: NtFlushVirtualMemory
Status: Not hooked

#: 081 Function Name: NtFlushWriteBuffer
Status: Not hooked

#: 082 Function Name: NtFreeUserPhysicalPages
Status: Not hooked

#: 083 Function Name: NtFreeVirtualMemory
Status: Not hooked

#: 084 Function Name: NtFsControlFile
Status: Not hooked

#: 085 Function Name: NtGetContextThread
Status: Not hooked

#: 086 Function Name: NtGetDevicePowerState
Status: Not hooked

#: 087 Function Name: NtGetPlugPlayEvent
Status: Not hooked

#: 088 Function Name: NtGetWriteWatch
Status: Not hooked

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Not hooked

#: 090 Function Name: NtImpersonateClientOfPort
Status: Not hooked

#: 091 Function Name: NtImpersonateThread
Status: Not hooked

#: 092 Function Name: NtInitializeRegistry
Status: Not hooked

#: 093 Function Name: NtInitiatePowerAction
Status: Not hooked

#: 094 Function Name: NtIsProcessInJob
Status: Not hooked

#: 095 Function Name: NtIsSystemResumeAutomatic
Status: Not hooked

#: 096 Function Name: NtListenPort
Status: Not hooked

#: 097 Function Name: NtLoadDriver
Status: Not hooked

#: 098 Function Name: NtLoadKey
Status: Not hooked

#: 099 Function Name: NtLoadKey2
Status: Not hooked

#: 100 Function Name: NtLockFile
Status: Not hooked

#: 101 Function Name: NtLockProductActivationKeys
Status: Not hooked

#: 102 Function Name: NtLockRegistryKey
Status: Not hooked

#: 103 Function Name: NtLockVirtualMemory
Status: Not hooked

#: 104 Function Name: NtMakePermanentObject
Status: Not hooked

#: 105 Function Name: NtMakeTemporaryObject
Status: Not hooked

#: 106 Function Name: NtMapUserPhysicalPages
Status: Not hooked

#: 107 Function Name: NtMapUserPhysicalPagesScatter
Status: Not hooked

#: 108 Function Name: NtMapViewOfSection
Status: Not hooked

#: 109 Function Name: NtModifyBootEntry
Status: Not hooked

#: 110 Function Name: NtNotifyChangeDirectoryFile
Status: Not hooked

#: 111 Function Name: NtNotifyChangeKey
Status: Not hooked

#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Not hooked

#: 113 Function Name: NtOpenDirectoryObject
Status: Not hooked

#: 114 Function Name: NtOpenEvent
Status: Not hooked

#: 115 Function Name: NtOpenEventPair
Status: Not hooked

#: 116 Function Name: NtOpenFile
Status: Not hooked

#: 117 Function Name: NtOpenIoCompletion
Status: Not hooked

#: 118 Function Name: NtOpenJobObject
Status: Not hooked

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf676b64e


#: 120 Function Name: NtOpenMutant
Status: Not hooked

#: 121 Function Name: NtOpenObjectAuditAlarm
Status: Not hooked

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf676b08c

#: 123 Function Name: NtOpenProcessToken
Status: Not hooked

#: 124 Function Name: NtOpenProcessTokenEx
Status: Not hooked

#: 125 Function Name: NtOpenSection
Status: Not hooked

#: 126 Function Name: NtOpenSemaphore
Status: Not hooked

#: 127 Function Name: NtOpenSymbolicLinkObject
Status: Not hooked

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf676b0f0


#: 129 Function Name: NtOpenThreadToken
Status: Not hooked

#: 130 Function Name: NtOpenThreadTokenEx
Status: Not hooked

#: 131 Function Name: NtOpenTimer
Status: Not hooked

#: 132 Function Name: NtPlugPlayControl
Status: Not hooked

#: 133 Function Name: NtPowerInformation
Status: Not hooked

#: 134 Function Name: NtPrivilegeCheck
Status: Not hooked

#: 135 Function Name: NtPrivilegeObjectAuditAlarm
Status: Not hooked

#: 136 Function Name: NtPrivilegedServiceAuditAlarm
Status: Not hooked

#: 137 Function Name: NtProtectVirtualMemory
Status: Not hooked

#: 138 Function Name: NtPulseEvent
Status: Not hooked

#: 139 Function Name: NtQueryAttributesFile
Status: Not hooked

#: 140 Function Name: NtQueryBootEntryOrder
Status: Not hooked

#: 141 Function Name: NtQueryBootOptions
Status: Not hooked

#: 142 Function Name: NtQueryDebugFilterState
Status: Not hooked

#: 143 Function Name: NtQueryDefaultLocale
Status: Not hooked

#: 144 Function Name: NtQueryDefaultUILanguage
Status: Not hooked

#: 145 Function Name: NtQueryDirectoryFile
Status: Not hooked

#: 146 Function Name: NtQueryDirectoryObject
Status: Not hooked

#: 147 Function Name: NtQueryEaFile
Status: Not hooked

#: 148 Function Name: NtQueryEvent
Status: Not hooked

#: 149 Function Name: NtQueryFullAttributesFile
Status: Not hooked

#: 150 Function Name: NtQueryInformationAtom
Status: Not hooked

#: 151 Function Name: NtQueryInformationFile
Status: Not hooked

#: 152 Function Name: NtQueryInformationJobObject
Status: Not hooked

#: 153 Function Name: NtQueryInformationPort
Status: Not hooked

#: 154 Function Name: NtQueryInformationProcess
Status: Not hooked

#: 155 Function Name: NtQueryInformationThread
Status: Not hooked

#: 156 Function Name: NtQueryInformationToken
Status: Not hooked

#: 157 Function Name: NtQueryInstallUILanguage
Status: Not hooked

#: 158 Function Name: NtQueryIntervalProfile
Status: Not hooked

#: 159 Function Name: NtQueryIoCompletion
Status: Not hooked

#: 160 Function Name: NtQueryKey
Status: Not hooked

#: 161 Function Name: NtQueryMultipleValueKey
Status: Not hooked

#: 162 Function Name: NtQueryMutant
Status: Not hooked

#: 163 Function Name: NtQueryObject
Status: Not hooked

#: 164 Function Name: NtQueryOpenSubKeys
Status: Not hooked

#: 165 Function Name: NtQueryPerformanceCounter
Status: Not hooked

#: 166 Function Name: NtQueryQuotaInformationFile
Status: Not hooked

#: 167 Function Name: NtQuerySection
Status: Not hooked

#: 168 Function Name: NtQuerySecurityObject
Status: Not hooked

#: 169 Function Name: NtQuerySemaphore
Status: Not hooked

#: 170 Function Name: NtQuerySymbolicLinkObject
Status: Not hooked

#: 171 Function Name: NtQuerySystemEnvironmentValue
Status: Not hooked

#: 172 Function Name: NtQuerySystemEnvironmentValueEx
Status: Not hooked

#: 173 Function Name: NtQuerySystemInformation
Status: Not hooked

#: 174 Function Name: NtQuerySystemTime
Status: Not hooked

#: 175 Function Name: NtQueryTimer
Status: Not hooked

#: 176 Function Name: NtQueryTimerResolution
Status: Not hooked

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf676b76e


#: 178 Function Name: NtQueryVirtualMemory
Status: Not hooked

#: 179 Function Name: NtQueryVolumeInformationFile
Status: Not hooked

#: 180 Function Name: NtQueueApcThread
Status: Not hooked

#: 181 Function Name: NtRaiseException
Status: Not hooked

#: 182 Function Name: NtRaiseHardError
Status: Not hooked

#: 183 Function Name: NtReadFile
Status: Not hooked

#: 184 Function Name: NtReadFileScatter
Status: Not hooked

#: 185 Function Name: NtReadRequestData
Status: Not hooked

#: 186 Function Name: NtReadVirtualMemory
Status: Not hooked

#: 187 Function Name: NtRegisterThreadTerminatePort
Status: Not hooked

#: 188 Function Name: NtReleaseMutant
Status: Not hooked

#: 189 Function Name: NtReleaseSemaphore
Status: Not hooked

#: 190 Function Name: NtRemoveIoCompletion
Status: Not hooked

#: 191 Function Name: NtRemoveProcessDebug
Status: Not hooked

#: 192 Function Name: NtRenameKey
Status: Not hooked

#: 193 Function Name: NtReplaceKey
Status: Not hooked

#: 194 Function Name: NtReplyPort
Status: Not hooked

#: 195 Function Name: NtReplyWaitReceivePort
Status: Not hooked

#: 196 Function Name: NtReplyWaitReceivePortEx
Status: Not hooked

#: 197 Function Name: NtReplyWaitReplyPort
Status: Not hooked

#: 198 Function Name: NtRequestDeviceWakeup
Status: Not hooked

#: 199 Function Name: NtRequestPort
Status: Not hooked

#: 200 Function Name: NtRequestWaitReplyPort
Status: Not hooked

#: 201 Function Name: NtRequestWakeupLatency
Status: Not hooked

#: 202 Function Name: NtResetEvent
Status: Not hooked

#: 203 Function Name: NtResetWriteWatch
Status: Not hooked

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf676b72e


#: 205 Function Name: NtResumeProcess
Status: Not hooked

#: 206 Function Name: NtResumeThread
Status: Not hooked

#: 207 Function Name: NtSaveKey
Status: Not hooked

#: 208 Function Name: NtSaveKeyEx
Status: Not hooked

#: 209 Function Name: NtSaveMergedKeys
Status: Not hooked

#: 210 Function Name: NtSecureConnectPort
Status: Not hooked

#: 211 Function Name: NtSetBootEntryOrder
Status: Not hooked

#: 212 Function Name: NtSetBootOptions
Status: Not hooked

#: 213 Function Name: NtSetContextThread
Status: Not hooked

#: 214 Function Name: NtSetDebugFilterState
Status: Not hooked

#: 215 Function Name: NtSetDefaultHardErrorPort
Status: Not hooked

#: 216 Function Name: NtSetDefaultLocale
Status: Not hooked

#: 217 Function Name: NtSetDefaultUILanguage
Status: Not hooked

#: 218 Function Name: NtSetEaFile
Status: Not hooked

#: 219 Function Name: NtSetEvent
Status: Not hooked

#: 220 Function Name: NtSetEventBoostPriority
Status: Not hooked

#: 221 Function Name: NtSetHighEventPair
Status: Not hooked

#: 222 Function Name: NtSetHighWaitLowEventPair
Status: Not hooked

#: 223 Function Name: NtSetInformationDebugObject
Status: Not hooked

#: 224 Function Name: NtSetInformationFile
Status: Not hooked

#: 225 Function Name: NtSetInformationJobObject
Status: Not hooked

#: 226 Function Name: NtSetInformationKey
Status: Not hooked

#: 227 Function Name: NtSetInformationObject
Status: Not hooked

#: 228 Function Name: NtSetInformationProcess
Status: Not hooked

#: 229 Function Name: NtSetInformationThread
Status: Not hooked

#: 230 Function Name: NtSetInformationToken
Status: Not hooked

#: 231 Function Name: NtSetIntervalProfile
Status: Not hooked

#: 232 Function Name: NtSetIoCompletion
Status: Not hooked

#: 233 Function Name: NtSetLdtEntries
Status: Not hooked

#: 234 Function Name: NtSetLowEventPair
Status: Not hooked

#: 235 Function Name: NtSetLowWaitHighEventPair
Status: Not hooked

#: 236 Function Name: NtSetQuotaInformationFile
Status: Not hooked

#: 237 Function Name: NtSetSecurityObject
Status: Not hooked

#: 238 Function Name: NtSetSystemEnvironmentValue
Status: Not hooked

#: 239 Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked

#: 240 Function Name: NtSetSystemInformation
Status: Not hooked

#: 241 Function Name: NtSetSystemPowerState
Status: Not hooked

#: 242 Function Name: NtSetSystemTime
Status: Not hooked

#: 243 Function Name: NtSetThreadExecutionState
Status: Not hooked

#: 244 Function Name: NtSetTimer
Status: Not hooked

#: 245 Function Name: NtSetTimerResolution
Status: Not hooked

#: 246 Function Name: NtSetUuidSeed
Status: Not hooked

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf676b8ae


#: 248 Function Name: NtSetVolumeInformationFile
Status: Not hooked

#: 249 Function Name: NtShutdownSystem
Status: Not hooked

#: 250 Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked

#: 251 Function Name: NtStartProfile
Status: Not hooked

#: 252 Function Name: NtStopProfile
Status: Not hooked

#: 253 Function Name: NtSuspendProcess
Status: Not hooked

#: 254 Function Name: NtSuspendThread
Status: Not hooked

#: 255 Function Name: NtSystemDebugControl
Status: Not hooked

#: 256 Function Name: NtTerminateJobObject
Status: Not hooked

#: 257 Function Name: NtTerminateProcess
Status: Not hooked

#: 258 Function Name: NtTerminateThread
Status: Not hooked

#: 259 Function Name: NtTestAlert
Status: Not hooked

#: 260 Function Name: NtTraceEvent
Status: Not hooked

#: 261 Function Name: NtTranslateFilePath
Status: Not hooked

#: 262 Function Name: NtUnloadDriver
Status: Not hooked

#: 263 Function Name: NtUnloadKey
Status: Not hooked

#: 264 Function Name: NtUnloadKeyEx
Status: Not hooked

#: 265 Function Name: NtUnlockFile
Status: Not hooked

#: 266 Function Name: NtUnlockVirtualMemory
Status: Not hooked

#: 267 Function Name: NtUnmapViewOfSection
Status: Not hooked

#: 268 Function Name: NtVdmControl
Status: Not hooked

#: 269 Function Name: NtWaitForDebugEvent
Status: Not hooked

#: 270 Function Name: NtWaitForMultipleObjects
Status: Not hooked

#: 271 Function Name: NtWaitForSingleObject
Status: Not hooked

#: 272 Function Name: NtWaitHighEventPair
Status: Not hooked

#: 273 Function Name: NtWaitLowEventPair
Status: Not hooked

#: 274 Function Name: NtWriteFile
Status: Not hooked

#: 275 Function Name: NtWriteFileGather
Status: Not hooked

#: 276 Function Name: NtWriteRequestData
Status: Not hooked

#: 277 Function Name: NtWriteVirtualMemory
Status: Not hooked

#: 278 Function Name: NtYieldExecution
Status: Not hooked

#: 279 Function Name: NtCreateKeyedEvent
Status: Not hooked

#: 280 Function Name: NtOpenKeyedEvent
Status: Not hooked

#: 281 Function Name: NtReleaseKeyedEvent
Status: Not hooked

#: 282 Function Name: NtWaitForKeyedEvent
Status: Not hooked

#: 283 Function Name: NtQueryPortInformationProcess
Status: Not hooked

When I scaned Stealt Objects and Hidden Services -got nothing at all as result !

PS. Ooops !

Hope this is it!

Edited by Gordana, 19 July 2009 - 03:20 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users