ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2010/10/14 16:17
Program Version:    Version 1.3.5.0
Windows Version:    Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB747C000    Size: 49152    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\anetka\dane aplikacji\skype\juh2012\etilqs_lx25dztt1t58tn46tzut
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\anetka\dane aplikacji\skype\juh2012\etilqs_5ewc6845iisldbmi1ynh
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\anetka\dane aplikacji\skype\juh2012\etilqs_cvutscvzx6ew4aeboxdf
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\anetka\dane aplikacji\skype\juh2012\etilqs_jkohfefhjbva7hzc7i3k
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\anetka\dane aplikacji\skype\juh2012\etilqs_l6pgqkaatfusisumi5bv
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\anetka\dane aplikacji\skype\juh2012\etilqs_oabvapqieaprf8akm2eg
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\anetka\dane aplikacji\skype\juh2012\etilqs_sflsrkdmcyczkc3ppajw
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\anetka\dane aplikacji\skype\juh2012\etilqs_tz6kwnnq2rvqpknacpjl
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\anetka\dane aplikacji\skype\juh2012\etilqs_wokjndcsollbohzyenpv
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\anetka\dane aplikacji\skype\juh2012\etilqs_zo1jhbgtfjlshoopqymv
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Anetka\Ustawienia lokalne\Dane aplikacji\Opera\Opera\cache\activity.opr
Status: Invisible to the Windows API!

SSDT
-------------------
#: 011    Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5d7b6

#: 031    Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5cd66

#: 037    Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5d41c

#: 041    Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5e02a

#: 046    Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5cc42

#: 050    Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb600e8

#: 052    Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb6046e

#: 053    Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5c62e

#: 063    Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5d9a2

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5dba2

#: 068    Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5c434

#: 071    Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5e768

#: 073    Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5e9be

#: 097    Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5faf8

#: 105    Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5cffe

#: 116    Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5d5f8

#: 119    Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5e01a

#: 122    Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5c062

#: 125    Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5d2a2

#: 128    Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5c266

#: 160    Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5ebcc

#: 161    Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5f020

#: 177    Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5edde

#: 192    Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5e580

#: 200    Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5f590

#: 210    Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5f844

#: 237    Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5ddf2

#: 240    Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5fdf0

#: 247    Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5e2f8

#: 249    Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5cf98

#: 255    Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5d18e

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5ca44

#: 258    Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb5c832

Shadow SSDT
-------------------
#: 013    Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb62690

#: 122    Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb62f3c

#: 227    Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb627d0

#: 233    Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb62df6

#: 237    Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb6291c

#: 292    Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb62a5c

#: 310    Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb62508

#: 319    Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb61550

#: 383    Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb621ae

#: 389    Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb62ba2

#: 414    Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb61ef6

#: 416    Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb6204a

#: 460    Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb61b80

#: 465    Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb6124c

#: 475    Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb6180a

#: 476    Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb619c4

#: 490    Function Name: NtUserRegisterHotKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb62cc6

#: 491    Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb62312

#: 502    Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb61d88

#: 509    Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb62410

#: 529    Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb613dc

#: 549    Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb62f7a

#: 552    Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb63210

#: 559    Function Name: NtUserSystemParametersInfo
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xebb616ee

==EOF==