ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2011/10/06 19:30
Program Version:    Version 1.3.5.0
Windows Version:    Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_diskdump.sys
Image Path: C:\Windows\System32\Drivers\dump_diskdump.sys
Address: 0x9206A000    Size: 40960    File Visible: No    Signed: -
Status: -

Name: dump_nvstor32.sys
Image Path: C:\Windows\System32\Drivers\dump_nvstor32.sys
Address: 0x92074000    Size: 155648    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA29EB000    Size: 49152    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 10
Status: Sector mismatch

Processes
-------------------
Path: System
PID: 4
Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1332
Status: Locked to the Windows API!

SSDT
-------------------
#: 012    Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d528a

#: 021    Function Name: NtAlpcConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918ef342

#: 022    Function Name: NtAlpcCreatePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918ef678

#: 038    Function Name: NtAlpcSendWaitReceivePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918ef9ee

#: 048    Function Name: NtClose
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d5d04

#: 054    Function Name: NtConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918ef02a

#: 058    Function Name: NtCreateEvent
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d6276

#: 067    Function Name: NtCreateMutant
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d6164

#: 071    Function Name: NtCreatePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918ef4e8

#: 075    Function Name: NtCreateSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d5046

#: 076    Function Name: NtCreateSemaphore
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d638e

#: 078    Function Name: NtCreateThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d58ba

#: 115    Function Name: NtCreateWaitablePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918ef5b0

#: 116    Function Name: NtDebugActiveProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d674e

#: 127    Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d5d46

#: 129    Function Name: NtDuplicateObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d7750

#: 165    Function Name: NtLoadDriver
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d6840

#: 177    Function Name: NtMapViewOfSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d6dac

#: 181    Function Name: NtNotifyChangeKey
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918ed840

#: 184    Function Name: NtOpenEvent
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d6308

#: 191    Function Name: NtOpenMutant
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d61f0

#: 194    Function Name: NtOpenProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d54c4

#: 197    Function Name: NtOpenSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d6b90

#: 198    Function Name: NtOpenSemaphore
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d6420

#: 201    Function Name: NtOpenThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d53b8

#: 219    Function Name: NtQueryDirectoryObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d655c

#: 237    Function Name: NtQueryObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918eda38

#: 242    Function Name: NtQuerySection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d70d2

#: 255    Function Name: NtQueueApcThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d69e0

#: 270    Function Name: NtReplyPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918ef7dc

#: 271    Function Name: NtReplyWaitReceivePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918ef72a

#: 276    Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918ef848

#: 282    Function Name: NtResumeThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d75f2

#: 286    Function Name: NtSecureConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918ef1b2

#: 289    Function Name: NtSetContextThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d5ba4

#: 307    Function Name: NtSetInformationToken
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d65fa

#: 317    Function Name: NtSetSystemInformation
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d7222

#: 330    Function Name: NtSuspendProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d7316

#: 331    Function Name: NtSuspendThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d7450

#: 332    Function Name: NtSystemDebugControl
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d6670

#: 334    Function Name: NtTerminateProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d5664

#: 335    Function Name: NtTerminateThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d55ba

#: 348    Function Name: NtUnmapViewOfSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d6f8a

#: 358    Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d5750

#: 382    Function Name: NtCreateThreadEx
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d5a2a

#: 383    Function Name: NtCreateUserProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918d64a6

Shadow SSDT
-------------------
#: 013    Function Name: NtGdiBitBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e100a

#: 235    Function Name: NtGdiMaskBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e10e0

#: 245    Function Name: NtGdiPlgBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e1150

#: 301    Function Name: NtGdiStretchBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e1074

#: 317    Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e16d8

#: 322    Function Name: NtUserBuildHwndList
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e11b8

#: 332    Function Name: NtUserCallNoParam
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0fa8

#: 391    Function Name: NtUserFindWindowEx
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0dca

#: 397    Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0bd8

#: 428    Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0ed8

#: 430    Function Name: NtUserGetKeyState
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0c24

#: 479    Function Name: NtUserMessageCall
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0d1c

#: 497    Function Name: NtUserPostMessage
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0c70

#: 498    Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0cc4

#: 512    Function Name: NtUserRegisterHotKey
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e1792

#: 513    Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0e60

#: 525    Function Name: NtUserSendInput
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0d7c

#: 550    Function Name: NtUserSetParent
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e158a

#: 573    Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0b28

#: 576    Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e0b80

#: 600    Function Name: NtUserUnregisterHotKey
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x918e18b2

==EOF==