ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2011/06/27 00:26
Program Version:    Version 1.3.5.0
Windows Version:    Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7988000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5FA000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: RKREVEAL150.SYS
Image Path: C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
Address: 0xBA642000    Size: 4128    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAD570000    Size: 49152    File Visible: No    Signed: -
Status: -

Name: SNAPSHOD0.sys
Image Path: C:\DOCUME~1\DAVID\LOCALS~1\Temp\SNAPSHOD0.sys
Address: 0xAD2C5000    Size: 50944    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\DAVID\Desktop\Malware Form SignIn.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\DAVID\My Documents\Sang Joon.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\DAVID\My Documents\skype SignIn.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\IObit\Protected Folder\config.ini
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\IObit\Protected Folder\drawposs.db
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\IObit\Protected Folder\fstile.cds
Status: Invisible to the Windows API!

SSDT
-------------------
#: 031    Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7be22f4

#: 037    Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bdc5ca

#: 041    Function Name: NtCreateKey
Status: Hooked by "" at address 0xba7e9886

#: 046    Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7be2a80

#: 047    Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bf5e4e

#: 048    Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bf623c

#: 050    Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bff6f6

#: 053    Function Name: NtCreateThread
Status: Hooked by "" at address 0xba7e987c

#: 056    Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7be2bb6

#: 062    Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bdd1e0

#: 063    Function Name: NtDeleteKey
Status: Hooked by "" at address 0xba7e988b

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "" at address 0xba7e9895

#: 068    Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bf4d8a

#: 097    Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bd7e88

#: 098    Function Name: NtLoadKey
Status: Hooked by "" at address 0xba7e989a

#: 099    Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bfd99c

#: 108    Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bffa5e

#: 116    Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bdcdf2

#: 122    Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bf8160

#: 128    Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bf7d8a

#: 137    Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7c0c090

#: 192    Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bfe72a

#: 193    Function Name: NtReplaceKey
Status: Hooked by "" at address 0xba7e98a4

#: 200    Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7be1ec4

#: 204    Function Name: NtRestoreKey
Status: Hooked by "" at address 0xba7e989f

#: 210    Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7be259c

#: 224    Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bdd5a4

#: 227    Function Name: NtSetInformationObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7c0bf7c

#: 237    Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bfec6a

#: 240    Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bd7648

#: 247    Function Name: NtSetValueKey
Status: Hooked by "" at address 0xba7e9890

#: 255    Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bf6ea4

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bf6c20

#: 262    Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bd829c

Shadow SSDT
-------------------
#: 460    Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7be0d66

#: 475    Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7be0ea8

#: 476    Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7be0fe0

#: 489    Function Name: NtUserRegisterUserApiHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bd8c0e

#: 491    Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bde97a

#: 502    Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7be13d4

#: 549    Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bd9246

#: 552    Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb7bd89da

==EOF==