ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:	2010/06/23 18:06
Program Version:	Version 1.3.5.0
Windows Version:	Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9D22000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AC6000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8A33000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\Tall Emu\Online Armor\UNINS000.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\UNINS000.EXE
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OASRV.EXE
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OACAT.EXE
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAHLP.EXE
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAUI.EXE
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAVIEW.EXE
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\SITES.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\SIGNS.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\reference.dat
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\ANTISPAM.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\FIREWALL.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAWATCH.DLL
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAEVENT.DLL
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OADUMP.EXE
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\MacCodes.dat
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAReg.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\IPRanges.dat
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\Vista
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAnet.inf
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAnet_m.inf
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OASRV.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAUI.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OACAT.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAHLP.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAMINE.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OAVIEW.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OASCAN.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OARAU.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\PROCESS.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\SOCKETS.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\AVGATE.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OADUMP.DBG
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OADriver.dat
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\server.dat.bak
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\SERVER.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\fwdata.dat.bak
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\FWDATA.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\HISTORY.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\oacached.dat.bak
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OACACHED.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\SentList.dat
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\taskman.dat.bak
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\TASKMAN.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\Logs
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\OADriver.bak
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\NoteBook.sig
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\DNSTask.dat
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\Logs\FW1006222017.log
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\Logs\FW1006230000.log
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\Logs\FW1006230024.log
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\Logs\FW1006230640.log
Status: Invisible to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\Logs\FW1006231711.log
Status: Invisible to the Windows API!

SSDT
-------------------
#: 017	Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f973e0

#: 019	Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f97c10

#: 031	Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f95300

#: 037	Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9fa4dd0

#: 046	Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f94e40

#: 047	Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f91b80

#: 048	Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f91f90

#: 050	Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f91440

#: 053	Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f93480

#: 057	Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f940f0

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f94c50

#: 097	Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f96a00

#: 116	Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9fa5450

#: 122	Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f92f80

#: 125	Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f91860

#: 128	Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f93980

#: 137	Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f97860

#: 145	Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f96f80

#: 180	Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f97db0

#: 199	Function Name: NtRequestPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f95f00

#: 200	Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f96500

#: 204	Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9fa4960

#: 206	Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f948a0

#: 210	Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f956f0

#: 213	Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f93ed0

#: 240	Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f94290

#: 249	Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f968e0

#: 253	Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f94a80

#: 254	Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f94690

#: 255	Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f944a0

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\PSINProc.sys" at address 0xa9ba4416

#: 258	Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f93cc0

#: 262	Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f96d10

#: 277	Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f97a30

Shadow SSDT
-------------------
#: 013	Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8fbd0

#: 233	Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8ff20

#: 307	Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8c990

#: 310	Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8e790

#: 319	Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8e2c0

#: 324	Function Name: NtUserCallTwoParam
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8f400

#: 383	Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8d440

#: 389	Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8eb40

#: 401	Function Name: NtUserGetDC
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8f7f0

#: 414	Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8d310

#: 416	Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8d1e0

#: 439	Function Name: NtUserGetWindowDC
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8fa20

#: 460	Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8d570

#: 465	Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8ef20

#: 475	Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8da50

#: 476	Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8df00

#: 491	Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8c7a0

#: 502	Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8e540

#: 509	Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8e930

#: 529	Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8ece0

#: 546	Function Name: NtUserSetWindowPos
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8f2b0

#: 548	Function Name: NtUserSetWindowsHookAW
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8c250

#: 549	Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8bdf0

#: 552	Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8c4f0

#: 555	Function Name: NtUserShowWindow
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8f1c0

==EOF==
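The log above is easier to triage by machine than by eye: what matters is which modules own the SSDT and Shadow SSDT hooks and whether the hidden files sit anywhere other than a directory a known product protects. Here, every hook but one is installed by OADriver.sys, whose data files live in the same Tall Emu\Online Armor directory that holds all of the hidden entries, and the single remaining hook (NtTerminateProcess) belongs to PSINProc.sys, Panda's process-protection driver. The dump_* drivers with "File Visible: No" are the crash-dump copies of the storage stack and have no backing file under that name, and rootrepeal.sys is the scanner's own driver. The parser below is an added example, not part of the RootRepeal output or the tool; it reads a log in RootRepeal's layout, attributes each hook to its module, and flags hook owners and hidden-file locations that the analyst has not accounted for. The expected-module list and the allowed hidden-file prefix are assumptions the analyst supplies, and the sample excerpt is constructed from entries in the log above.

```python
# Added example, not part of the RootRepeal output above: a parser for
# RootRepeal scan logs that attributes every SSDT / Shadow SSDT hook to the
# module that installed it and flags hook owners and hidden files the analyst
# did not expect. The expected-module list and the allowed hidden-file prefix
# are assumptions supplied by the analyst, not anything RootRepeal provides.
import re
from collections import Counter

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|SSDT|Shadow SSDT)\s*$")
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
ENTRY_RE = re.compile(r"#:\s*(\d+)\s+Function Name:\s*(\S+)")

# Constructed excerpt in RootRepeal's layout, using entries from the log above.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9D22000    Size: 98304    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\Tall Emu\Online Armor\OASRV.EXE
Status: Invisible to the Windows API!

SSDT
-------------------
#: 017    Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f973e0

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\PSINProc.sys" at address 0xa9ba4416

Shadow SSDT
-------------------
#: 549    Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9f8bdf0
==EOF==
"""


def parse_rootrepeal(text):
    """Return {'drivers', 'hidden_files', 'ssdt', 'shadow_ssdt'}: lists of dicts."""
    report = {"drivers": [], "hidden_files": [], "ssdt": [], "shadow_ssdt": []}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            section, current = SECTION_RE.match(line).group(1), None
            continue
        # skip rulers, blank lines, the EOF marker and the banner before any section
        if not line or set(line) <= {"-", "="} or line == "==EOF==" or section is None:
            continue
        if section == "Drivers":
            if line.startswith("Name:"):
                current = {"name": line.split(":", 1)[1].strip()}
                report["drivers"].append(current)
            elif current is not None:
                # RootRepeal packs several "Key: value" fields on one line
                for field in re.split(r"\t+|\s{2,}", line):
                    key, _, value = field.partition(":")
                    current[key.strip().lower().replace(" ", "_")] = value.strip()
        elif section == "Hidden/Locked Files":
            if line.startswith("Path:"):
                current = {"path": line.split(":", 1)[1].strip()}
                report["hidden_files"].append(current)
            elif line.startswith("Status:") and current is not None:
                current["status"] = line.split(":", 1)[1].strip()
        else:  # SSDT or Shadow SSDT: "#: NNN  Function Name: X" then "Status: Hooked by ..."
            key = "ssdt" if section == "SSDT" else "shadow_ssdt"
            m = ENTRY_RE.match(line)
            if m:
                current = {"index": int(m.group(1)), "function": m.group(2)}
                report[key].append(current)
            elif line.startswith("Status:") and current is not None:
                h = HOOK_RE.search(line)
                if h:
                    current["hooked_by"] = h.group(1)
                    current["address"] = int(h.group(2), 16)
    return report


def hook_owners(report):
    """Count SSDT + Shadow SSDT hooks per installing module (path lower-cased)."""
    owners = Counter()
    for entry in report["ssdt"] + report["shadow_ssdt"]:
        if "hooked_by" in entry:
            owners[entry["hooked_by"].lower()] += 1
    return owners


def unexpected_hookers(report, expected_modules):
    """Hook owners whose file name is not in the analyst's expected set (assumed input)."""
    expected = {m.lower() for m in expected_modules}
    return sorted(p for p in hook_owners(report) if p.rsplit("\\", 1)[-1] not in expected)


def hidden_outside(report, allowed_prefixes):
    """Hidden files not under a directory the analyst has accounted for (assumed input)."""
    allowed = tuple(p.lower() for p in allowed_prefixes)
    return [f["path"] for f in report["hidden_files"] if not f["path"].lower().startswith(allowed)]


if __name__ == "__main__":
    rep = parse_rootrepeal(SAMPLE_LOG)
    print(hook_owners(rep))
    print(unexpected_hookers(rep, ["OADriver.sys"]))
    print(hidden_outside(rep, [r"C:\Program Files\Tall Emu\Online Armor"]))
```

Run against the full log, `hook_owners` gives two owners, and `unexpected_hookers` with only OADriver.sys in the expected set returns PSINProc.sys, which is the prompt to confirm a second security product is actually installed rather than something impersonating one. `hidden_outside` with the Online Armor directory as the only allowed prefix returns nothing for this log; any path it did return would deserve a closer look, because self-protection by a known product is the benign explanation for hidden files and it does not extend outside that product's own directory.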