SSDT hooks, stealth obj. and drives - RootRepeal Log


No replies to this topic

#1 petey15102

Posted 06 August 2009 - 05:50 PM

This is a log after a fresh OS install using the original Dell MS XP Pro install CD. I also ran KillDisk (Zero-Fill) prior to installation. RootRepeal was not run in Safe Mode, and it was the only scan I ran that detected issues. I did not run GMER because I'm not familiar with how to read its log. Any help will be greatly appreciated.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/06 14:31
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEEEBB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B21000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEBDB000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85cd2630

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x85cd1a60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x85cd1e80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85cd2460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x85cd2280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85cd1c90

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x85cd20b0

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x85d677a0]
Process: System Address: 0x85cd0790 Size: 1000

==EOF==
