ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:  2010/09/26 19:00
Program Version:  Version 1.3.5.0
Windows Version:  Windows XP SP3
==================================================

Drivers
-------------------
Name: Aavmker4.SYS
Image Path: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Address: 0xB83A8000  Size: 22144  File Visible: No  Signed: -
Status: -

Name: aswFsBlk.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswFsBlk.SYS
Address: 0xB43BA000  Size: 11008  File Visible: No  Signed: -
Status: -

Name: aswMon2.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Address: 0xB4103000  Size: 93440  File Visible: No  Signed: -
Status: -

Name: aswSP.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswSP.SYS
Address: 0xB488A000  Size: 158848  File Visible: No  Signed: -
Status: -

Name: aswTdi.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xB8278000  Size: 39936  File Visible: No  Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB7F0A000  Size: 96512  File Visible: -  Signed: -
Status: Hidden from the Windows API!

Name: dwprot.sys
Image Path: dwprot.sys
Address: 0xB7E90000  Size: 118656  File Visible: No  Signed: -
Status: -

Name: hl4p23eo.sys
Image Path: C:\DOCUME~1\SysOp\USTAWI~1\Temp\hl4p23eo.sys
Address: 0xB265C000  Size: 203904  File Visible: No  Signed: -
Status: -

Name: InCDFs.sys
Image Path: C:\WINDOWS\system32\drivers\InCDFs.sys
Address: 0xB4AF0000  Size: 102912  File Visible: No  Signed: -
Status: -

Name: InCDPass.sys
Image Path: C:\WINDOWS\system32\drivers\InCDPass.sys
Address: 0xB83E0000  Size: 31360  File Visible: No  Signed: -
Status: -

Name: InCDrec.SYS
Image Path: C:\WINDOWS\System32\Drivers\InCDrec.SYS
Address: 0xB8578000  Size: 10624  File Visible: No  Signed: -
Status: -

Name: InCDRm.sys
Image Path: C:\WINDOWS\system32\drivers\InCDRm.sys
Address: 0xB81D8000  Size: 33792  File Visible: No  Signed: -
Status: -

Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xB8128000  Size: 57600  File Visible: No  Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB7DBF000  Size: 574976  File Visible: -  Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3B35000  Size: 49152  File Visible: No  Signed: -
Status: -

Name: spiderg3.sys
Image Path: spiderg3.sys
Address: 0xB7EAD000  Size: 74752  File Visible: No  Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\sysop\ustawienia lokalne\temp\~df65d4.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\sysop\ustawienia lokalne\temp\~df7b38.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 025  Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4892cf0

#: 041  Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4892bac

#: 063  Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4893160

#: 065  Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb489308a

#: 068  Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4892782

#: 119  Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4892c86

#: 122  Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb48926c2

#: 125  Function Name: NtOpenSection
Status: Hooked by "dwprot.sys" at address 0xb7ea27e0

#: 128  Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4892726

#: 177  Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4892da6

#: 192  Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb489322e

#: 204  Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4892d66

#: 247  Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4892ee6

#: 255  Function Name: NtSystemDebugControl
Status: Hooked by "dwprot.sys" at address 0xb7ea270e

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System  Address: 0x898dca38  Size: 238

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System  Address: 0x899751d8  Size: 1651

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System  Address: 0x8a580cc8  Size: 574

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System  Address: 0x8963bba0  Size: 174

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System  Address: 0x8989abd8  Size: 1064

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System  Address: 0x89754130  Size: 351

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System  Address: 0x89a3cad0  Size: 98

Shadow SSDT
-------------------
#: 460  Function Name: NtUserMessageCall
Status: Hooked by "dwprot.sys" at address 0xb7ea340e

#: 475  Function Name: NtUserPostMessage
Status: Hooked by "dwprot.sys" at address 0xb7ea3382

#: 476  Function Name: NtUserPostThreadMessage
Status: Hooked by "dwprot.sys" at address 0xb7ea2218

#: 483  Function Name: NtUserQueryWindow
Status: Hooked by "dwprot.sys" at address 0xb7ea2140

#: 558  Function Name: NtUserSwitchDesktop
Status: Hooked by "dwprot.sys" at address 0xb7ea20dc

==EOF==