ROOTREPEAL (c) AD, 2007-2009 ================================================== Scan Start Time: 2011/09/11 22:03 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xAC317000 Size: 98304 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xBA646000 Size: 8192 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xA8AE2000 Size: 49152 File Visible: No Signed: - Status: - Hidden/Locked Files ------------------- Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine Status: Locked to the Windows API! Path: \\?\C:\Program Files\Comodo\COMODO Internet Security\Quarantine\* Status: Could not enumerate files with the Windows API (0x00000005)! Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\JkDefragGUI.exe Status: Invisible to the Windows API! Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\JkDefragGUI.exe.info Status: Invisible to the Windows API! Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\Temp Status: Invisible to the Windows API! Path: \\?\C:\Program Files\Comodo\COMODO Internet Security\Quarantine\Temp\* Status: Could not enumerate files with the Windows API (0x00000005)! Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\Temp\baseupd Status: Invisible to the Windows API! Path: \\?\C:\Program Files\Comodo\COMODO Internet Security\Quarantine\Temp\baseupd\* Status: Could not enumerate files with the Windows API (0x00000005)! SSDT ------------------- #: 011 Function Name: NtAdjustPrivilegesToken Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6018b2 #: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac600e48 #: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac601518 #: 041 Function Name: NtCreateKey Status: Hooked by "" at address 0xba7282a6 #: 046 Function Name: NtCreatePort Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac600d28 #: 050 Function Name: NtCreateSection Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6041e0 #: 052 Function Name: NtCreateSymbolicLinkObject Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac604568 #: 053 Function Name: NtCreateThread Status: Hooked by "" at address 0xba72829c #: 063 Function Name: NtDeleteKey Status: Hooked by "" at address 0xba7282ab #: 065 Function Name: NtDeleteValueKey Status: Hooked by "" at address 0xba7282b5 #: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60051a #: 071 Function Name: NtEnumerateKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac602864 #: 073 Function Name: NtEnumerateValueKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac602aba #: 097 Function Name: NtLoadDriver Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac603bf0 #: 098 Function Name: NtLoadKey Status: Hooked by "" at address 0xba7282ba #: 105 Function Name: NtMakeTemporaryObject Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac601110 #: 116 Function Name: NtOpenFile Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6016f4 #: 119 Function Name: NtOpenKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac602116 #: 122 Function Name: NtOpenProcess Status: Hooked by "" at address 0xba728288 #: 125 Function Name: NtOpenSection Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6013b4 #: 128 Function Name: NtOpenThread Status: Hooked by "" at address 0xba72828d #: 160 Function Name: NtQueryKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac602cc8 #: 161 Function Name: NtQueryMultipleValueKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60311c #: 177 Function Name: NtQueryValueKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac602eda #: 192 Function Name: NtRenameKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60267c #: 193 Function Name: NtReplaceKey Status: Hooked by "" at address 0xba7282c4 #: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60368c #: 204 Function Name: NtRestoreKey Status: Hooked by "" at address 0xba7282bf #: 210 Function Name: NtSecureConnectPort Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac603940 #: 237 Function Name: NtSetSecurityObject Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac601eee #: 240 Function Name: NtSetSystemInformation Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac603ee8 #: 247 Function Name: NtSetValueKey Status: Hooked by "" at address 0xba7282b0 #: 249 Function Name: NtShutdownSystem Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60107a #: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6012a0 #: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac600b2a #: 258 Function Name: NtTerminateThread Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac600918 Shadow SSDT ------------------- #: 013 Function Name: NtGdiBitBlt Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606788 #: 122 Function Name: NtGdiDeleteObjectApp Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac607034 #: 227 Function Name: NtGdiMaskBlt Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6068c8 #: 233 Function Name: NtGdiOpenDCW Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606eee #: 237 Function Name: NtGdiPlgBlt Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606a14 #: 292 Function Name: NtGdiStretchBlt Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606b54 #: 310 Function Name: NtUserBlockInput Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606600 #: 319 Function Name: NtUserCallHwndParamLock Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac605648 #: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6062a6 #: 389 Function Name: NtUserGetClipboardData Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606c9a #: 414 Function Name: NtUserGetKeyboardState Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac605fee #: 416 Function Name: NtUserGetKeyState Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606142 #: 460 Function Name: NtUserMessageCall Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac605c78 #: 465 Function Name: NtUserMoveWindow Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac605344 #: 475 Function Name: NtUserPostMessage Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac605902 #: 476 Function Name: NtUserPostThreadMessage Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac605abc #: 490 Function Name: NtUserRegisterHotKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606dbe #: 491 Function Name: NtUserRegisterRawInputDevices Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac60640a #: 502 Function Name: NtUserSendInput Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac605e80 #: 509 Function Name: NtUserSetClipboardViewer Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac606508 #: 529 Function Name: NtUserSetParent Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6054d4 #: 549 Function Name: NtUserSetWindowsHookEx Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac607072 #: 552 Function Name: NtUserSetWinEventHook Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac607308 #: 559 Function Name: NtUserSystemParametersInfo Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6057e6 ==EOF==