Browser Search HiJack


#1 suntzu83 (New Member, 2 posts)

A few days ago, I contracted some sort of virus that, whenever I tried to search in a browser, sent me to overclick.cn. Anyway, on advice from a friend I used ComboFix and got rid of the virus.

I stumbled across this site afterwards. I thought I would run RootRepeal and see if there were any remnant infections or malware on my system. Here is the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/24 09:37
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\Jerry\LOCALS~1\Temp\catchme.sys
Address: 0xBA350000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xBA128000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_CLASSPNP.SYS
Address: 0xB893B000 Size: 53248 File Visible: No Signed: -
Status: -

Name: dump_nvraid.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvraid.sys
Address: 0xB2026000 Size: 77824 File Visible: No Signed: -
Status: -

Name: PCI_PNP0720
Image Path: \Driver\PCI_PNP0720
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xBA66A000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1578000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spkh.sys
Image Path: spkh.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba7f4fc6

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7f4fbc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba7f4fcb

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba7f4fd5

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spkh.sys" at address 0xb9ec6ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spkh.sys" at address 0xb9ec7030

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba7f4fda

#: 119 Function Name: NtOpenKey
Status: Hooked by "spkh.sys" at address 0xb9ea80c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba7f4fa8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba7f4fad

#: 160 Function Name: NtQueryKey
Status: Hooked by "spkh.sys" at address 0xb9ec7108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spkh.sys" at address 0xb9ec6f88

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba7f4fe4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba7f4fdf

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba7f4fd0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba7f4fb7

==EOF==

Thanks.
#2 suntzu83 (Topic Starter, 2 posts)

Oh, I think I got rid of catchme. Here's my new log; please see if there is any malware:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/24 10:10
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_CLASSPNP.SYS
Address: 0xB840C000 Size: 53248 File Visible: No Signed: -
Status: -

Name: dump_nvraid.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvraid.sys
Address: 0xAC2C5000 Size: 77824 File Visible: No Signed: -
Status: -

Name: PCI_PNP5056
Image Path: \Driver\PCI_PNP5056
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB841C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spiz.sys
Image Path: spiz.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba6c6e6e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba6c6e64

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba6c6e73

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba6c6e7d

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spiz.sys" at address 0xb9ec6ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spiz.sys" at address 0xb9ec7030

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba6c6e82

#: 119 Function Name: NtOpenKey
Status: Hooked by "spiz.sys" at address 0xb9ea80c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba6c6e50

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba6c6e55

#: 160 Function Name: NtQueryKey
Status: Hooked by "spiz.sys" at address 0xb9ec7108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spiz.sys" at address 0xb9ec6f88

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba6c6e8c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba6c6e87

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba6c6e78

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba6c6e5f

==EOF==