Sysinternals Forum > Sysinternals Utilities > RootkitRevealer Logs
rootrepeal report

Jessekristjan (Newbie, joined 30 January 2010)
Posted: 30 January 2010 at 1:08am
Hello,

I recently downloaded a virus on my computer. Oops. I am infected with a Backdoor.Tidserv!gen2 virus.

I have done a RootRepeal scan (if it is even related to the Tidserv, please let me know).

Any feedback on this report and what to do would be greatly appreciated.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:        2010/01/29 20:02
Program Version:        Version 1.3.5.0
Windows Version:        Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8F5C9000    Size: 32768    File Visible: No    Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8F5BE000    Size: 45056    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA65C4000    Size: 49152    File Visible: No    Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4    Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1156    Status: Locked to the Windows API!

SSDT
-------------------
#: 013    Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x870a45e8

#: 014    Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x87018110

#: 018    Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x87bd6850

#: 021    Function Name: NtAlpcConnectPort
Status: Hooked by "<unknown>" at address 0x86fd7868

#: 042    Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8712df10

#: 067    Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x87130a18

#: 077    Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x87180378

#: 078    Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8702d068

#: 116    Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8712e108

#: 129    Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x87be3998

#: 147    Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x87be2c38

#: 156    Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x870bc110

#: 158    Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8706d118

#: 165    Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x86fd77f0

#: 177    Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x87be2b98

#: 184    Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x87037518

#: 194    Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x87be76e8

#: 195    Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86ff4918

#: 197    Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x87038820

#: 201    Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x87bd8908

#: 210    Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x87181c90

#: 282    Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x875e8fd0

#: 289    Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8797a4d0

#: 305    Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x87be4910

#: 317    Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x87bd5118

#: 330    Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x87132880

#: 331    Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x873e2d78

#: 334    Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x872de1e8

#: 335    Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x870a48c0

#: 348    Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x875663f8

#: 358    Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x87be4468

#: 382    Function Name: NtCreateThreadEx
Status: Hooked by "<unknown>" at address 0x87130c90

Stealth Objects
-------------------
Object: Hidden Module [Name: msgsres.dll]
Process: msnmsgr.exe (PID: 1748)    Address: 0x698f0000    Size: 11403264

Object: Hidden Module [Name: msgslang.14.0.8089.0726.dll]
Process: msnmsgr.exe (PID: 1748)    Address: 0x6c300000    Size: 315392

Object: Hidden Module [Name: msgrvsta.thm]
Process: msnmsgr.exe (PID: 1748)    Address: 0x6c9f0000    Size: 20480

Object: Hidden Handle [Index: 372, Type: UnknownType]
Process: nooxeuq.exe (PID: 872)    Address: 0x84ade020    Size: -

Shadow SSDT
-------------------
#: 317    Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x88042cc0

#: 397    Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x887691f0

#: 428    Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x880a60d8

#: 430    Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x88768130

#: 442    Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x880a74d8

#: 479    Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x88069bf8

#: 497    Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x88069d98

#: 498    Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x88069cc8

#: 573    Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x880a78e0

#: 576    Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x88768c88

==EOF==
bootsect (Senior Member, joined 24 December 2009)
Posted: 30 January 2010 at 5:59am
Post your Security setup please.
redhawk (Moderator Group, United Kingdom, joined 14 September 2005)
Posted: 30 January 2010 at 11:23am
The random filename nooxeuq.exe looks rather suspicious, so I would recommend you upload this to VirusTotal for analysis.
As for the unknown driver hooks, they probably belong to Avira, although I don't recall seeing that many.

Are you running any Anti-Virus or Firewall software?

Also have a look inside c:\windows\system32\drivers. Do you see any recently created filenames?

Richard S.
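The two checks suggested above (hash the oddly named executable so it can be looked up on VirusTotal, and list recently created files in the drivers directory, with their signature status) can be scripted. The PowerShell below is an added example written for this page; it is not code from the thread, from RootRepeal or from Sysinternals. It assumes the process is still running under the name the log shows (nooxeuq.exe), that drivers live in the default %SystemRoot%\System32\drivers, and that it is run from an elevated prompt. It hashes with .NET rather than Get-FileHash so it also works on the PowerShell 2.0 available for Vista.

```powershell
# Added example, not from the original thread. Assumed: the suspicious process is
# still running as "nooxeuq" and the drivers directory is the default one.
# Run from an elevated PowerShell prompt.

function Get-Sha256 {
    # SHA-256 via .NET so the script does not depend on Get-FileHash (PS 4.0+).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $hash = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLower()
}

# 1. Find the process named in the RootRepeal log, resolve its image path and hash it.
#    The hash is what you search for (or submit) on VirusTotal.
function Get-SuspiciousProcessHash {
    param([string]$Name = 'nooxeuq')   # assumed name, taken from the posted log
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try {
            $path = $p.MainModule.FileName
        } catch {
            # Access denied here usually means the process is protected or hidden.
            Write-Warning ("PID {0}: cannot read image path ({1})" -f $p.Id, $_.Exception.Message)
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        New-Object PSObject -Property @{
            PID       = $p.Id
            Path      = $path
            Created   = (Get-Item $path).CreationTime
            Signature = $sig.Status
            SHA256    = Get-Sha256 $path
        }
    }
}

# 2. List drivers created or modified in the last N days, newest first, with
#    Authenticode status and signer so unsigned newcomers stand out.
function Get-RecentDrivers {
    param(
        [string]$Dir = "$env:SystemRoot\System32\drivers",
        [int]$Days = 30
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Dir -Filter *.sys |
        Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Name      = $_.Name
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                Size      = $_.Length
                Signature = $sig.Status
                Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
                SHA256    = Get-Sha256 $_.FullName
            }
        } |
        Sort-Object Created -Descending
}

Get-SuspiciousProcessHash | Format-List
Get-RecentDrivers -Days 30 | Format-Table Name, Created, Signature, Signer, SHA256 -AutoSize
```

One caveat that matters on a machine like the one in the log: the file listing and timestamps above come through the same Windows API that a kernel rootkit hooks, so a file the rootkit hides, or one whose timestamps were reset, will not show up, and an empty result does not clear the system. That is exactly why RootRepeal compares its own low-level view against the API view and flags "File Visible: No". The three such entries in the posted log (rootrepeal.sys and the two dump_*.sys crash-dump drivers) are memory-loaded drivers that routinely appear that way and are not themselves evidence of infection; the hidden handle in nooxeuq.exe and the randomly named process are the items worth hashing and submitting.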