ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/11/16 06:36
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xB9F0A000	Size: 98304	File Visible: No	Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: dump_atapi.sys
Image Path: E:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB1078000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: E:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA61A000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xBA671000	Size: 1664	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: E:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAE2C4000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xBA5B0000	Size: 5248	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: E:\hiberfil.sys
Status: Locked to the Windows API!

Path: E:\Documents and Settings\John Wayne\Dane aplikacji\Mozilla\Firefox\Profiles\8ztooq07.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 025	Function Name: NtClose
Status: Hooked by "d347bus.sys" at address 0xb9f8e818

#: 041	Function Name: NtCreateKey
Status: Hooked by "d347bus.sys" at address 0xb9f8e7d0

#: 045	Function Name: NtCreatePagingFile
Status: Hooked by "d347bus.sys" at address 0xb9f82a20

#: 071	Function Name: NtEnumerateKey
Status: Hooked by "d347bus.sys" at address 0xb9f832a8

#: 073	Function Name: NtEnumerateValueKey
Status: Hooked by "d347bus.sys" at address 0xb9f8e910

#: 119	Function Name: NtOpenKey
Status: Hooked by "d347bus.sys" at address 0xb9f8e794

#: 160	Function Name: NtQueryKey
Status: Hooked by "d347bus.sys" at address 0xb9f832c8

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "d347bus.sys" at address 0xb9f8e866

#: 241	Function Name: NtSetSystemPowerState
Status: Hooked by "d347bus.sys" at address 0xb9f8e0b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System	Address: 0x8a2f08d0	Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System	Address: 0x8a304f38	Size: 11

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System	Address: 0x8a165770	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System	Address: 0x89f8e008	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLOSE]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_READ]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_WRITE]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_EA]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_EA]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_POWER]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_PNP]
Process: System	Address: 0x8a15c828	Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System	Address: 0x8a0210c0	Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System	Address: 0x89e7e198	Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System	Address: 0x8a0c43b0	Size: 11

Object: Hidden Code [Driver: NpfsЅ఍浍瑓ന, IRP_MJ_READ]
Process: System	Address: 0x8a1abfb0	Size: 11

Object: Hidden Code [Driver: MsfsЅ఍敓È, IRP_MJ_READ]
Process: System	Address: 0x8a13a778	Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System	Address: 0x89faf4c8	Size: 11

Object: Hidden Code [Driver: CdfsЅ灐畳륈릘Ђఄ灐畳瑰槀, IRP_MJ_READ]
Process: System	Address: 0x89dfe0c8	Size: 11

==EOF==