ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2009/12/14 08:51
Program Version:    Version 1.3.5.0
Windows Version:    Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5D70000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8D5A000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: rootrepeal2.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal2.sys
Address: 0xF1841000    Size: 49152    File Visible: No    Signed: -
Status: -

SSDT
-------------------
#: 019    Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bbca60

#: 025    Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d906b8

#: 031    Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bbe920

#: 037    Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6b9df60

#: 041    Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d90574

#: 047    Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bb52b0

#: 048    Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bb5bb0

#: 050    Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6b9cd10

#: 052    Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6ba8e40

#: 053    Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bb3d70

#: 057    Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bc1f30

#: 062    Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6ba7b20

#: 063    Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6baa900

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d90a52

#: 068    Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d9014c

#: 097    Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bb2bb0

#: 105    Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6ba86b0

#: 116    Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6ba0c10

#: 119    Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d9064e

#: 122    Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d9008c

#: 125    Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6b9d580

#: 128    Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d900f0

#: 137    Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bbdda0

#: 145    Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6ba28a0

#: 160    Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bac750

#: 177    Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d9076e

#: 180    Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bbbed0

#: 192    Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bb0590

#: 193    Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bae500

#: 199    Function Name: NtRequestPort
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bc0a50

#: 200    Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bc0d70

#: 204    Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d9072e

#: 207    Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6baec80

#: 208    Function Name: NtSaveKeyEx
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6baf4d0

#: 210    Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bbf480

#: 213    Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bbb440

#: 223    Function Name: NtSetInformationDebugObject
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bc2520

#: 224    Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6ba3bf0

#: 240    Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bb21c0

#: 247    Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d908ae

#: 253    Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bba190

#: 254    Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bbaac0

#: 255    Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bc1770

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bb8790

#: 258    Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bb9620

#: 262    Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bb3530

#: 277    Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf6bbd2b0

==EOF==