ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2010/08/03 23:18
Program Version:    Version 1.3.5.0
Windows Version:    Windows XP SP3
==================================================

Drivers
-------------------
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7859000    Size: 96512    File Visible: -    Signed: -
Status: Hidden from the Windows API!

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB459C000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F1000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB0BBC000    Size: 49152    File Visible: No    Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7617000    Size: 52352    File Visible: -    Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\Program Files\RootRepeal.exe
Status: Could not get file information (Error 0xc0000008)

Path: C:\Program Files\settings.dat
Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS\system32\drivers\mlnltzg.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\ndis.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\nhiwpp.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\dllcache\ndis.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\polish\application data\skype\etilqs_agxgawz4bmgcdmbhu6gk
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\polish\application data\skype\etilqs_sj4hu3p8o15gscp4uuxo
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\documents and settings\polish\local settings\temp\fla22.tmp
Status: Size mismatch (API: 11078712, Raw: 10947640)

Path: c:\documents and settings\polish\local settings\temp\fla23.tmp
Status: Size mismatch (API: 11339888, Raw: 11201516)

Path: c:\documents and settings\polish\application data\skype\kaosu_no_tenshi\etilqs_mxwzxn94snumsrc2j2th
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\polish\application data\skype\kaosu_no_tenshi\etilqs_alp99ty2lugnxl7y9aqs
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\documents and settings\polish\application data\skype\kaosu_no_tenshi\etilqs_eo9knlaibncql7lvhhdj
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\polish\application data\skype\kaosu_no_tenshi\etilqs_kz4thghwfxenjy02rgtd
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\polish\application data\skype\kaosu_no_tenshi\etilqs_orxkuxggch10usivfstj
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Polish\Application Data\Mozilla\Firefox\Profiles\xt4jqget.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 047    Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf796b282

#: 048    Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf796b474

#: 063    Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf797cd00

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf797cfb8

#: 119    Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf797b3fa

#: 192    Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf797d422

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 1592)
Address: 0x01000000    Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 4088)
Address: 0x01000000    Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3380)
Address: 0x01000000    Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 5408)
Address: 0x01000000    Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 5416)
Address: 0x01000000    Size: 20480

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System
Address: 0x89c063a8    Size: 3161

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System
Address: 0x896b4708    Size: 2297

Hidden Services
-------------------
Service Name: mlnltzg
Image Path: C:\WINDOWS\system32\drivers\mlnltzg.sys

Service Name: nhiwpp
Image Path: C:\WINDOWS\system32\drivers\nhiwpp.sys

==EOF==