ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/25 19:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF1E8000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B2F000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF8863000    Size: 49152    File Visible: No    Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF8470000    Size: 323584    File Visible: No    Signed: -
Status: -

SSDT
-------------------
#: 012    Function Name: NtAlertResumeThread
Status: Hooked by "" at address 0x82d727b0

#: 013    Function Name: NtAlertThread
Status: Hooked by "" at address 0x82d8ce10

#: 017    Function Name: NtAllocateVirtualMemory
Status: Hooked by "" at address 0x82aeda78

#: 019    Function Name: NtAssignProcessToJobObject
Status: Hooked by "" at address 0x82ae8f30

#: 031    Function Name: NtConnectPort
Status: Hooked by "" at address 0x82e2b708

#: 041    Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xef6f3130

#: 043    Function Name: NtCreateMutant
Status: Hooked by "" at address 0x82dfaf10

#: 052    Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "" at address 0x82ad4f38

#: 053    Function Name: NtCreateThread
Status: Hooked by "" at address 0x82dd00b0

#: 057    Function Name: NtDebugActiveProcess
Status: Hooked by "" at address 0x82ae8fd0

#: 063    Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xef6f33b0

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xef6f3910

#: 068    Function Name: NtDuplicateObject
Status: Hooked by "" at address 0x82aedb50

#: 083    Function Name: NtFreeVirtualMemory
Status: Hooked by "" at address 0x82de3c98

#: 089    Function Name: NtImpersonateAnonymousToken
Status: Hooked by "" at address 0x82d72670

#: 091    Function Name: NtImpersonateThread
Status: Hooked by "" at address 0x82d72710

#: 097    Function Name: NtLoadDriver
Status: Hooked by "" at address 0x82d668c0

#: 108    Function Name: NtMapViewOfSection
Status: Hooked by "" at address 0x82ec32b0

#: 114    Function Name: NtOpenEvent
Status: Hooked by "" at address 0x82dfae70

#: 122    Function Name: NtOpenProcess
Status: Hooked by "" at address 0x82d2f748

#: 123    Function Name: NtOpenProcessToken
Status: Hooked by "" at address 0x82d96150

#: 125    Function Name: NtOpenSection
Status: Hooked by "" at address 0x82b05f88

#: 128    Function Name: NtOpenThread
Status: Hooked by "" at address 0x82d2f6b8

#: 137    Function Name: NtProtectVirtualMemory
Status: Hooked by "" at address 0x82ae8e40

#: 206    Function Name: NtResumeThread
Status: Hooked by "" at address 0x82b19138

#: 213    Function Name: NtSetContextThread
Status: Hooked by "" at address 0x82d8cfd0

#: 228    Function Name: NtSetInformationProcess
Status: Hooked by "" at address 0x82de3b78

#: 240    Function Name: NtSetSystemInformation
Status: Hooked by "" at address 0x82b05e80

#: 247    Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xef6f3b60

#: 253    Function Name: NtSuspendProcess
Status: Hooked by "" at address 0x82dfadd0

#: 254    Function Name: NtSuspendThread
Status: Hooked by "" at address 0x82d8ceb0

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "" at address 0x82b74058

#: 258    Function Name: NtTerminateThread
Status: Hooked by "" at address 0x82d8cf50

#: 267    Function Name: NtUnmapViewOfSection
Status: Hooked by "" at address 0x82d44e50

#: 277    Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0x82aed9e8

Hidden Services
-------------------
Service Name: gasfkyxrxubaxv
Image Path: C:\WINDOWS\system32\drivers\gasfkyejbrprqb.sys

==EOF==