ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2011/10/10 12:44
Program Version:    Version 1.3.5.0
Windows Version:    Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB73F9000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A6D000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: PCI_PNP3654
Image Path: \Driver\PCI_PNP3654
Address: 0x00000000    Size: 0    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB6987000    Size: 49152    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\combofix\errtrap1
Status: Allocation size mismatch (API: 352, Raw: 0)

Path: c:\combofix\cregc.dat
Status: Allocation size mismatch (API: 36864, Raw: 32768)

Path: c:\combofix\netsvc.bad.dat
Status: Allocation size mismatch (API: 40960, Raw: 65536)

SSDT
-------------------
#: 009    Function Name: NtAddBootEntry
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ca374

#: 017    Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee1312b8

#: 025    Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ee829

#: 035    Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cc996

#: 036    Function Name: NtCreateEventPair
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cc9ee

#: 038    Function Name: NtCreateIoCompletion
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ccb04

#: 041    Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ee1dd

#: 043    Function Name: NtCreateMutant
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cc8ec

#: 050    Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cca3e

#: 051    Function Name: NtCreateSemaphore
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cc940

#: 054    Function Name: NtCreateTimer
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ccab2

#: 061    Function Name: NtDeleteBootEntry
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ca398

#: 063    Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0eeeef

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ef1a5

#: 068    Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ccd88

#: 071    Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0eed5a

#: 073    Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0eebc5

#: 083    Function Name: NtFreeVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee131368

#: 097    Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ca162

#: 109    Function Name: NtModifyBootEntry
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ca3bc

#: 111    Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ccefc

#: 112    Function Name: NtNotifyChangeMultipleKeys
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cae54

#: 114    Function Name: NtOpenEvent
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cc9c6

#: 115    Function Name: NtOpenEventPair
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cca16

#: 117    Function Name: NtOpenIoCompletion
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ccb2e

#: 119    Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ee539

#: 120    Function Name: NtOpenMutant
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cc918

#: 122    Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ccbc0

#: 125    Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cca7e

#: 126    Function Name: NtOpenSemaphore
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cc96e

#: 128    Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ccca4

#: 131    Function Name: NtOpenTimer
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ccadc

#: 137    Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee131400

#: 160    Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0eea40

#: 163    Function Name: NtQueryObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0cad1a

#: 177    Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ee892

#: 192    Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee1396e2

#: 204    Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ed850

#: 211    Function Name: NtSetBootEntryOrder
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ca3e0

#: 212    Function Name: NtSetBootOptions
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ca404

#: 240    Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ca1bc

#: 241    Function Name: NtSetSystemPowerState
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ca2f8

#: 247    Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0eeff6

#: 249    Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ca2d4

#: 255    Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ca31c

#: 268    Function Name: NtVdmControl
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xee0ca428

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System    Address: 0x86fa01f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System    Address: 0x86ded430    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System    Address: 0x86ded430    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System    Address: 0x86ded430    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System    Address: 0x86ded430    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x86ded430    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x86ded430    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x86ded430    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x86ded430    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System    Address: 0x86ded430    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x86ded430    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System    Address: 0x86ded430    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System    Address: 0x86bf31f8    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System    Address: 0x86bf31f8    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x86bf31f8    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x86bf31f8    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System    Address: 0x86bf31f8    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x86bf31f8    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System    Address: 0x86bf31f8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System    Address: 0x868821f8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System    Address: 0x868821f8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x868821f8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x868821f8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System    Address: 0x868821f8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System    Address: 0x868821f8    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System    Address: 0x86bdc1f8    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System    Address: 0x86bdc1f8    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x86bdc1f8    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x86bdc1f8    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System    Address: 0x86bdc1f8    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x86bdc1f8    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System    Address: 0x86bdc1f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System    Address: 0x868721f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_CREATE]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_CLOSE]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_READ]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_CLEANUP]
Process: System    Address: 0x86d361f8    Size: 121

Object: Hidden Code [Driver: Cdfsȅఇ浍浓떨蛩Ā, IRP_MJ_PNP]
Process: System    Address: 0x86d361f8    Size: 121

==EOF==