ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/08/09 15:27
Program Version:		Version 1.3.3.0
Windows Version:		Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8FCF0000	Size: 851968	File Visible: No	Signed: -
Status: -

Name: inyafakj.sys
Image Path: C:\Users\chris\AppData\Local\Temp\inyafakj.sys
Address: 0xAF9B3000	Size: 83584	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAD1D4000	Size: 49152	File Visible: No	Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4	Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1196	Status: Locked to the Windows API!

SSDT
-------------------
#: 013	Function Name: NtAlertResumeThread
Status: Hooked by "" at address 0x86e5f870

#: 014	Function Name: NtAlertThread
Status: Hooked by "" at address 0x86e5f950

#: 018	Function Name: NtAllocateVirtualMemory
Status: Hooked by "" at address 0x86f408f0

#: 021	Function Name: NtAlpcConnectPort
Status: Hooked by "" at address 0x86da06f0

#: 042	Function Name: NtAssignProcessToJobObject
Status: Hooked by "" at address 0x8760b8a8

#: 067	Function Name: NtCreateMutant
Status: Hooked by "" at address 0x86e5f5c0

#: 077	Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "" at address 0x8760b5c8

#: 078	Function Name: NtCreateThread
Status: Hooked by "" at address 0x86e6fa20

#: 116	Function Name: NtDebugActiveProcess
Status: Hooked by "" at address 0x8760b988

#: 129	Function Name: NtDuplicateObject
Status: Hooked by "" at address 0x86d89378

#: 147	Function Name: NtFreeVirtualMemory
Status: Hooked by "" at address 0x86f40710

#: 156	Function Name: NtImpersonateAnonymousToken
Status: Hooked by "" at address 0x86e5f6b0

#: 158	Function Name: NtImpersonateThread
Status: Hooked by "" at address 0x86e5f790

#: 165	Function Name: NtLoadDriver
Status: Hooked by "" at address 0x86d923c8

#: 177	Function Name: NtMapViewOfSection
Status: Hooked by "" at address 0x86f40610

#: 184	Function Name: NtOpenEvent
Status: Hooked by "" at address 0x86e5f4e0

#: 194	Function Name: NtOpenProcess
Status: Hooked by "" at address 0x86d89518

#: 195	Function Name: NtOpenProcessToken
Status: Hooked by "" at address 0x86f409e0

#: 197	Function Name: NtOpenSection
Status: Hooked by "" at address 0x8760bbb0

#: 201	Function Name: NtOpenThread
Status: Hooked by "" at address 0x86d89448

#: 210	Function Name: NtProtectVirtualMemory
Status: Hooked by "" at address 0x8760b7b8

#: 282	Function Name: NtResumeThread
Status: Hooked by "" at address 0x86d34790

#: 289	Function Name: NtSetContextThread
Status: Hooked by "" at address 0x86e5fbf0

#: 305	Function Name: NtSetInformationProcess
Status: Hooked by "" at address 0x86e5fcf0

#: 317	Function Name: NtSetSystemInformation
Status: Hooked by "" at address 0x8760ba68

#: 330	Function Name: NtSuspendProcess
Status: Hooked by "" at address 0x8760bc90

#: 331	Function Name: NtSuspendThread
Status: Hooked by "" at address 0x86e5fa30

#: 334	Function Name: NtTerminateProcess
Status: Hooked by "" at address 0x86d89630

#: 335	Function Name: NtTerminateThread
Status: Hooked by "" at address 0x86e5fb10

#: 348	Function Name: NtUnmapViewOfSection
Status: Hooked by "" at address 0x86e5fdc0

#: 358	Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0x86f40800

#: 382	Function Name: NtCreateThreadEx
Status: Hooked by "" at address 0x8760b6b8

Shadow SSDT
-------------------
#: 317	Function Name: NtUserAttachThreadInput
Status: Hooked by "" at address 0x9272a008

#: 397	Function Name: NtUserGetAsyncKeyState
Status: Hooked by "" at address 0x9272a060

#: 428	Function Name: NtUserGetKeyboardState
Status: Hooked by "" at address 0x926faad8

#: 430	Function Name: NtUserGetKeyState
Status: Hooked by "" at address 0x9272a120

#: 442	Function Name: NtUserGetRawInputData
Status: Hooked by "" at address 0x9272a1e0

#: 479	Function Name: NtUserMessageCall
Status: Hooked by "" at address 0x926fa868

#: 497	Function Name: NtUserPostMessage
Status: Hooked by "" at address 0x926faa08

#: 498	Function Name: NtUserPostThreadMessage
Status: Hooked by "" at address 0x926fa938

#: 573	Function Name: NtUserSetWindowsHookEx
Status: Hooked by "" at address 0x926f1bd0

#: 576	Function Name: NtUserSetWinEventHook
Status: Hooked by "" at address 0x926f1ca0

==EOF==