Everything posted by JeffR

  1. I went into the RootRepeal, Hidden Services tab, scanned to display these three processes. When I right click on and select 'wipe file', I get a confirmation message, select 'Yes' and get a message "RootRepeal Error - Could not find the file on disk". Hmmm. FWIW I also tried to 'Force Delete' these and got the same message. Thx so much for your help!
  2. I followed the instructions in previous threads and have downloaded Process Explorer and RootRepeal. I wiped a couple of processes that looked to be random name generations, but I want to be sure I've wiped the correct files. Here's the report generated from RootRepeal. Any help is appreciated. Thanks!

     ROOTREPEAL © AD, 2007-2009
     ==================================================
     Scan Start Time: 2009/08/26 08:24
     Program Version: Version 1.3.5.0
     Windows Version: Windows XP SP3
     ==================================================

     Drivers
     -------------------
     Name: dump_atapi.sys
     Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
     Address: 0xF522F000
     Size: 98304
     File Visible: No
     Signed: -
     Status: -

     Name: dump_WMILIB.SYS
     Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
     Address: 0xF7AB3000
     Size: 8192
     File Visible: No
     Signed: -
     Status: -

     Name: PROCEXP113.SYS
     Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
     Address: 0xF7A8F000
     Size: 7872
     File Visible: No
     Signed: -
     Status: -

     Name: rootrepeal.sys
     Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
     Address: 0xF24F2000
     Size: 49152
     File Visible: No
     Signed: -
     Status: -

     Stealth Objects
     -------------------
     Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
     Process: System
     Address: 0x86ce9948
     Size: 635

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
     Process: System
     Address: 0x86c1a698
     Size: 2408

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
     Process: System
     Address: 0x86c43e68
     Size: 394

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
     Process: System
     Address: 0x86c2f430
     Size: 579

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
     Process: System
     Address: 0x86c33430
     Size: 223

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
     Process: System
     Address: 0x86cd24f8
     Size: 105

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
     Process: System
     Address: 0x86e00ad8
     Size: 1321

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
     Process: System
     Address: 0x86e1e568
     Size: 337

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
     Process: System
     Address: 0x86d21cd0
     Size: 816

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
     Process: System
     Address: 0x86cb7e68
     Size: 409

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
     Process: System
     Address: 0x86c27430
     Size: 948

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
     Process: System
     Address: 0x86c2f880
     Size: 186

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
     Process: System
     Address: 0x86d0ee68
     Size: 409

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
     Process: System
     Address: 0x86cdf338
     Size: 3272

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
     Process: System
     Address: 0x86d0f338
     Size: 470

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
     Process: System
     Address: 0x86c32338
     Size: 355

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
     Process: System
     Address: 0x86c30bd8
     Size: 195

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
     Process: System
     Address: 0x86cd2bd8
     Size: 358

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
     Process: System
     Address: 0x86c071c0
     Size: 3381

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
     Process: System
     Address: 0x86daa120
     Size: 371

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
     Process: System
     Address: 0x86da91c0
     Size: 1139

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
     Process: System
     Address: 0x86da7120
     Size: 2975

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
     Process: System
     Address: 0x86da51c0
     Size: 142

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
     Process: System
     Address: 0x86e781c0
     Size: 3195

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
     Process: System
     Address: 0x86e411c0
     Size: 851

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
     Process: System
     Address: 0x86e3e120
     Size: 883

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
     Process: System
     Address: 0x86c001c0
     Size: 747

     Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
     Process: System
     Address: 0x86bf9120
     Size: 2558

     Hidden Services
     -------------------
     Service Name: kbiwkmbuygkmav
     Image Path: C:\WINDOWS\system32\drivers\kbiwkmrnggoqtc.sys

     Service Name: kbiwkmkgqideag
     Image Path: C:\WINDOWS\system32\drivers\kbiwkmqhnfwnvn.sys

     Service Name: TDSSserv.sys)
     Image Path: C:\WINDOWS\system32\drivers\TDSSmaxt.sys

     Shadow SSDT
     -------------------
     #: 307
     Function Name: NtUserAttachThreadInput
     Status: Hooked by "<unknown>" at address 0x86d8e1e8

     #: 383
     Function Name: NtUserGetAsyncKeyState
     Status: Hooked by "<unknown>" at address 0x86e19538

     #: 414
     Function Name: NtUserGetKeyboardState
     Status: Hooked by "<unknown>" at address 0x86c7e500

     #: 416
     Function Name: NtUserGetKeyState
     Status: Hooked by "<unknown>" at address 0x86ca7628

     #: 460
     Function Name: NtUserMessageCall
     Status: Hooked by "<unknown>" at address 0x86bb81f8

     #: 475
     Function Name: NtUserPostMessage
     Status: Hooked by "<unknown>" at address 0x86d1cc18

     #: 476
     Function Name: NtUserPostThreadMessage
     Status: Hooked by "<unknown>" at address 0x86c9bf30

     #: 549
     Function Name: NtUserSetWindowsHookEx
     Status: Hooked by "<unknown>" at address 0x86ccb020

     #: 552
     Function Name: NtUserSetWinEventHook
     Status: Hooked by "<unknown>" at address 0x86c28a10

     ==EOF==
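As an added triage example (not the poster's code and not part of RootRepeal), the parser below reads RootRepeal's one-field-per-line report layout and flags the two sections a responder reads first in a log like this one: hidden services and hooked Shadow SSDT entries. The embedded excerpt is constructed from values in the posted report.

```python
# Constructed excerpt in RootRepeal's report layout, abridged from the posted log:
# a section title sits on the line above a dashed rule, then "Key: value" lines.
SAMPLE_REPORT = """\
Hidden Services
-------------------
Service Name: kbiwkmbuygkmav
Image Path: C:\\WINDOWS\\system32\\drivers\\kbiwkmrnggoqtc.sys
Service Name: TDSSserv.sys)
Image Path: C:\\WINDOWS\\system32\\drivers\\TDSSmaxt.sys
Shadow SSDT
-------------------
#: 383
Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x86e19538
#: 549
Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x86ccb020
==EOF==
"""

def parse_report(text):
    """Return {section: [record, ...]}; a repeated key starts a new record."""
    sections, current, record = {}, None, {}

    def flush():
        nonlocal record
        if current is not None and record:
            sections[current].append(record)
        record = {}

    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            flush()                      # the dashed rule marks a section title
            current = line
            sections[current] = []
        elif ":" in line and current is not None:
            key, _, value = line.partition(":")
            if key.strip() in record:    # same key again: previous record is complete
                flush()
            record[key.strip()] = value.strip()
    flush()
    return sections

def triage(sections):
    """Flag hidden services and hooked Shadow SSDT slots, the rootkit indicators here."""
    findings = [f"hidden service {s.get('Service Name')} -> {s.get('Image Path')}"
                for s in sections.get("Hidden Services", [])]
    findings += [f"Shadow SSDT #{e.get('#')} {e.get('Function Name')} hooked"
                 for e in sections.get("Shadow SSDT", [])
                 if e.get("Status", "").startswith("Hooked by")]
    return findings
```

The Drivers section is deliberately not flagged: in the posted log every "File Visible: No" driver is a crash-dump stub, Process Explorer's driver or RootRepeal's own, so that column alone is not evidence.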