ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2012/03/29 00:15
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA5A21000
Size: 98304
File Visible: No
Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xA63CC000
Size: 8192
File Visible: No
Signed: -
Status: -

Name: pxdyapoc.sys
Image Path: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxdyapoc.sys
Address: 0xA2729000
Size: 100864
File Visible: No
Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA2BBB000
Size: 49152
File Visible: No
Signed: -
Status: -

Name: xpacket.sys
Image Path: xpacket.sys
Address: 0xB9DE8000
Size: 124480
File Visible: No
Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 019	Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff54b0

#: 053	Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff57f0

#: 057	Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5ab0

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff55d0

#: 097	Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff58b0

#: 122	Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5350

#: 128	Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5410

#: 137	Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5570

#: 180	Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5630

#: 213	Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5530

#: 229	Function Name: NtSetInformationThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff54f0

#: 237	Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5670

#: 240	Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5870

#: 253	Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff53b0

#: 254	Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5430

#: 255	Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5830

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5370

#: 258	Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5470

#: 277	Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff55f0

Stealth Objects
-------------------
Object: Hidden Code [Driver: ehdrv, IRP_MJ_CREATE]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_CLOSE]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_READ]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_WRITE]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_QUERY_EA]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_SET_EA]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x88d36e60	Size: 262

Object: Hidden Code [Driver: ehdrv, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_CLEANUP]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_POWER]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x88d36e40	Size: 294

Object: Hidden Code [Driver: ehdrv, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x88d36e40	Size: 294

Shadow SSDT
-------------------
#: 307	Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5a10

#: 431	Function Name: NtUserGetRegisteredRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5a50

#: 549	Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff5990

#: 552	Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xa5ff59d0

==EOF==