Here are some of the logs from Trend Micro RootkitBuster:
- - - - - -
+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 3.60.0.1016
| Computer Name: ********************
| User Name: ************************
+----------------------------------------------------
--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.
--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
SubKey : 0Jf40
FullLength: 0x46
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
SubKey : 0Jf41
FullLength: 0x46
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42
SubKey : 0Jf42
FullLength: 0x46
3 hidden registry entries found.
--== Dump Hidden Process ==--
No hidden processes found.
--== Dump Hidden Driver ==--
No hidden drivers found.
--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwAddBootEntry
Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x80650dff
CurrentHandler : 0xb1445202
ServiceNumber : 0x9
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwAllocateVirtualMemory
Image Path : C:\WINDOWS\System32\Drivers\aswSP.SYS
OriginalHandler : 0x80570bc5
CurrentHandler : 0xb14d3cb2
ServiceNumber : 0x11
ModuleName : aswSP.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwClose
Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8056f8d7
CurrentHandler : 0xb14696c1
ServiceNumber : 0x19
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateEvent
Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x805744f6
CurrentHandler : 0xb144781c
ServiceNumber : 0x23
ModuleName : aswSnx.SYS
SDTType : 0x0
<snip> ------------------------------------------------------------
[HOOKED_SERVICE_API]:
Service API : ZwVdmControl
Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x805c28f0
CurrentHandler : 0xb14452b6
ServiceNumber : 0x10c
ModuleName : aswSnx.SYS
SDTType : 0x0
--== Dump Hidden Port ==--
No hidden ports found.
--== Dump Kernel Code Patching ==--
[KERNEL_CODE][PATCHED]:
Service API : ZwCreateProcessEx
Address : 8058B9EC
CurrentCode : E915DFF530
ExpectedCode : 6A0C6818F6
ServiceNumber : 0x30
SDTType : 0x0
1 Kernel code patching found.
--== Dump Hidden Services ==--
No hidden services found.
- - - - -
The Trend Micro RootkitBuster supposedly cleans this away during the boot,
but the RootKit puts it back just before XP springs to life.
I can literally see the DOS prompt on the screen as the RootKit installs
itself again, a second before the XP screen comes on.