ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2011/08/15 15:38
Program Version:    Version 1.3.5.0
Windows Version:    Windows XP SP3
==================================================

Drivers
-------------------
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7479000    Size: 96512    File Visible: -    Signed: -
Status: Hidden from the Windows API!

Name: dump_atapi.sys
Image Path: D:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xACA5B000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: D:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F7000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA2D3000    Size: 49152    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: d:\documents and settings\oem\ustawienia lokalne\temp\{330f6081-99f2-4d6f-a1ee-9bfa17b29fe7}-chrome_installer.exe
Status: Allocation size mismatch (API: 1966080, Raw: 1703936)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~df11e.tmp
Status: Allocation size mismatch (API: 262144, Raw: 16384)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~df252d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~df2551.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~df3024.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~df3d32.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~df433e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~df4ff6.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~df9750.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~dfaf23.tmp
Status: Allocation size mismatch (API: 262144, Raw: 16384)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~dfb19d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~dfb68e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~dfc1d3.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~dfd66e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~dfe0e3.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~dfe9c8.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: d:\documents and settings\oem\ustawienia lokalne\temp\~dfeb89.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: D:\Documents and Settings\oem\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Q03IQ082\6-diagnostyka-malware-centrum-bezpieczenstwa[1].htm
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\oem\Ustawienia lokalne\Apps\2.0\VDZHMJHM.DJZ\RH6749M4.PEG\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: D:\Documents and Settings\oem\Ustawienia lokalne\Apps\2.0\VDZHMJHM.DJZ\RH6749M4.PEG\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 009    Function Name: NtAddBootEntry
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb51202

#: 017    Function Name: NtAllocateVirtualMemory
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacbdfcb2

#: 025    Function Name: NtClose
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb756c1

#: 035    Function Name: NtCreateEvent
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb5381c

#: 036    Function Name: NtCreateEventPair
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb53874

#: 038    Function Name: NtCreateIoCompletion
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb5398a

#: 041    Function Name: NtCreateKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb75075

#: 043    Function Name: NtCreateMutant
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb53772

#: 050    Function Name: NtCreateSection
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb538c4

#: 051    Function Name: NtCreateSemaphore
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb537c6

#: 054    Function Name: NtCreateTimer
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb53938

#: 061    Function Name: NtDeleteBootEntry
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb51226

#: 063    Function Name: NtDeleteKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb75d87

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb7603d

#: 068    Function Name: NtDuplicateObject
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb53c0e

#: 071    Function Name: NtEnumerateKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb75bf2

#: 073    Function Name: NtEnumerateValueKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb75a5d

#: 083    Function Name: NtFreeVirtualMemory
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacbdfd62

#: 097    Function Name: NtLoadDriver
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb50ff0

#: 109    Function Name: NtModifyBootEntry
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb5124a

#: 111    Function Name: NtNotifyChangeKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb53d82

#: 112    Function Name: NtNotifyChangeMultipleKeys
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb51cda

#: 114    Function Name: NtOpenEvent
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb5384c

#: 115    Function Name: NtOpenEventPair
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb5389c

#: 117    Function Name: NtOpenIoCompletion
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb539b4

#: 119    Function Name: NtOpenKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb753d1

#: 120    Function Name: NtOpenMutant
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb5379e

#: 122    Function Name: NtOpenProcess
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb53a46

#: 125    Function Name: NtOpenSection
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb53904

#: 126    Function Name: NtOpenSemaphore
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb537f4

#: 128    Function Name: NtOpenThread
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb53b2a

#: 131    Function Name: NtOpenTimer
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb53962

#: 137    Function Name: NtProtectVirtualMemory
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacbdfdfa

#: 160    Function Name: NtQueryKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb758d8

#: 163    Function Name: NtQueryObject
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb51ba0

#: 177    Function Name: NtQueryValueKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb7572a

#: 192    Function Name: NtRenameKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacbe8e48

#: 204    Function Name: NtRestoreKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb746e8

#: 211    Function Name: NtSetBootEntryOrder
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb5126e

#: 212    Function Name: NtSetBootOptions
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb51292

#: 240    Function Name: NtSetSystemInformation
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb5104a

#: 241    Function Name: NtSetSystemPowerState
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb51186

#: 247    Function Name: NtSetValueKey
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb75e8e

#: 249    Function Name: NtShutdownSystem
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb51162

#: 255    Function Name: NtSystemDebugControl
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb511aa

#: 268    Function Name: NtVdmControl
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xacb512b6

==EOF==