Hi everyone,
I have listed a report below that was generated after a scan with Trend Micro's free RootkitBuster software. I used to have Sandboxie www.sandboxie.com installed on my computer and it showed up under the hooked service API list. However, even after uninstalling Sandboxie, RootkitBuster still gave the hook list given below. Is this anything to worry about or are these normal OS system hooks?
The main reason I uninstalled Sandboxie is because my computer had shut down and restarted for no apparent reason on two separate occasions and upon restarting it said that Windows had recovered from a serious error. I wanted to uninstall Sandboxie to see if it would help. Other than Sandboxie, the only other programs that I have that might use hooks would be Microsoft Virtual PC 2004 and VirtualBox www.virtualbox.org.
Thanks for your help.
John
----------------------------------------------------
| Trend Micro RootkitBuster 1.6 Beta.
| Module version: 1.6.0.1049
+----------------------------------------------------
--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwConnectPort
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805a2fec
CurrentHandler : 0xf39fce50
ServiceNumber : 0x1f
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateFile
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x80577e48
CurrentHandler : 0xf39f9810
ServiceNumber : 0x25
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateKey
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8062204e
CurrentHandler : 0xf3a04670
ServiceNumber : 0x29
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreatePort
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805a3b08
CurrentHandler : 0xf39fd1e0
ServiceNumber : 0x2e
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateProcess
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805cfa1c
CurrentHandler : 0xf3a03470
ServiceNumber : 0x2f
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateProcessEx
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805cf966
CurrentHandler : 0xf3a036a0
ServiceNumber : 0x30
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateSection
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805a9de6
CurrentHandler : 0xf3a06cc0
ServiceNumber : 0x32
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateWaitablePort
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805a3b2c
CurrentHandler : 0xf39fd2c0
ServiceNumber : 0x38
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDeleteFile
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x80575a30
CurrentHandler : 0xf39f9e90
ServiceNumber : 0x3e
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDeleteKey
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x806224de
CurrentHandler : 0xf3a05680
ServiceNumber : 0x3f
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDeleteValueKey
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x806226ae
CurrentHandler : 0xf3a052c0
ServiceNumber : 0x41
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDuplicateObject
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805bc888
CurrentHandler : 0xf3a031e0
ServiceNumber : 0x44
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwLoadKey
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x80623d7e
CurrentHandler : 0xf3a059c0
ServiceNumber : 0x62
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenFile
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x80578f46
CurrentHandler : 0xf39f9ce0
ServiceNumber : 0x74
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenProcess
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805c9c46
CurrentHandler : 0xf3a02f30
ServiceNumber : 0x7a
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenThread
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805c9ed2
CurrentHandler : 0xf3a02d50
ServiceNumber : 0x80
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwReplaceKey
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x80623c2e
CurrentHandler : 0xf3a05cb0
ServiceNumber : 0xc1
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwRequestWaitReplyPort
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805a1792
CurrentHandler : 0xf39fcaf0
ServiceNumber : 0xc8
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwRestoreKey
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x80620456
CurrentHandler : 0xf3a05f60
ServiceNumber : 0xcc
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSecureConnectPort
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805a2780
CurrentHandler : 0xf39fd000
ServiceNumber : 0xd2
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetInformationFile
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x80579dae
CurrentHandler : 0xf39fa000
ServiceNumber : 0xe0
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetValueKey
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8062070e
CurrentHandler : 0xf3a04e47
ServiceNumber : 0xf7
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwTerminateProcess
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805d116e
CurrentHandler : 0xf3a038d0
ServiceNumber : 0x101
ModuleName : vsdatant.sys
SDTType : 0x0
+----------------------------------------------------
| Trend Micro RootkitBuster 1.6 Beta.
| Module version: 1.6.0.1049
+----------------------------------------------------
--== Dump Hidden File on C:\ ==--
No hidden files found.
--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.
--== Dump Hidden Process ==--
No hidden processes found.
--== Dump Hidden Driver ==--
No hidden drivers found.
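When triaging a report like the one above, the first useful step is to see which module owns the hooks and what kinds of system services it intercepts, so that the module can be identified and its file checked. The script below is an added example, not part of the post or of RootkitBuster: it parses the [HOOKED_SERVICE_API] blocks in the report format shown above, groups them by the hooking module and classifies each hooked service as file, registry, process/thread or LPC-port related. The SAMPLE_REPORT text is constructed from a handful of the entries quoted in the post; the category names and the consistency check are the example's own choices.

```python
"""Summarize the hooked-service section of a Trend Micro RootkitBuster report.

Added example (not the forum post's or RootkitBuster's own code).  The sample
report below is constructed from a few entries quoted in the post.
"""
import re
from collections import Counter, defaultdict

ENTRY_HEADER = "[HOOKED_SERVICE_API]:"

# Constructed sample: a trimmed copy of the report format shown in the post.
SAMPLE_REPORT = r"""
--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwConnectPort
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805a2fec
CurrentHandler : 0xf39fce50
ServiceNumber : 0x1f
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateFile
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x80577e48
CurrentHandler : 0xf39f9810
ServiceNumber : 0x25
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateKey
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8062204e
CurrentHandler : 0xf3a04670
ServiceNumber : 0x29
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenProcess
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805c9c46
CurrentHandler : 0xf3a02f30
ServiceNumber : 0x7a
ModuleName : vsdatant.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwTerminateProcess
Image Path : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805d116e
CurrentHandler : 0xf3a038d0
ServiceNumber : 0x101
ModuleName : vsdatant.sys
SDTType : 0x0
--== Dump Hidden Process ==--
No hidden processes found.
"""

# Category names chosen for this example; matched against the service name.
CATEGORIES = [
    ("LPC port", re.compile(r"Port$")),
    ("registry", re.compile(r"Key$")),
    ("file", re.compile(r"File$")),
    ("process/thread", re.compile(r"(Process(Ex)?|Thread|Object|Section)$")),
]


def parse_hooks(report: str) -> list:
    """Return one dict per [HOOKED_SERVICE_API] block, keyed by the field
    names RootkitBuster prints ('Service API', 'Image Path', ...)."""
    hooks, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line == ENTRY_HEADER:
            current = {}
            hooks.append(current)
        elif line.startswith("--=="):
            current = None          # a new report section starts
        elif current is not None and " : " in line:
            key, value = line.split(" : ", 1)
            current[key.strip()] = value.strip()
    return hooks


def classify(service_api: str) -> str:
    """Map a Zw* service name to one of the example's coarse categories."""
    for name, pattern in CATEGORIES:
        if pattern.search(service_api):
            return name
    return "other"


def summarize(hooks: list) -> dict:
    """Group hooks by ModuleName with a count, a category tally and the
    list of hooked services, so each module can be checked separately."""
    by_module = defaultdict(lambda: {"count": 0, "categories": Counter(), "services": []})
    for h in hooks:
        entry = by_module[h.get("ModuleName", "?")]
        entry["count"] += 1
        entry["categories"][classify(h["Service API"])] += 1
        entry["services"].append(h["Service API"])
    return dict(by_module)


def inconsistent_entries(hooks: list) -> list:
    """Entries whose ModuleName disagrees with the file name in Image Path,
    or whose handler addresses do not parse as hex: worth a closer look."""
    bad = []
    for h in hooks:
        basename = h.get("Image Path", "").rsplit("\\", 1)[-1]
        if basename.lower() != h.get("ModuleName", "").lower():
            bad.append(h)
            continue
        try:
            int(h["OriginalHandler"], 16)
            int(h["CurrentHandler"], 16)
        except (KeyError, ValueError):
            bad.append(h)
    return bad


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_REPORT)
    for module, info in summarize(parsed).items():
        print(f"{module}: {info['count']} hooks, {dict(info['categories'])}")
        print("  " + ", ".join(info["services"]))
    print("inconsistent entries:", len(inconsistent_entries(parsed)))
```

Run against the full report pasted in the post, the summary shows a single module, vsdatant.sys, intercepting file, registry, process/thread and LPC-port services. That pattern (one driver in System32 hooking many services) is what host firewalls and similar protection products typically do, but it is also exactly what a kernel rootkit does, so the right follow-up is to verify that file: check its digital signature and version information, and find out which installed product it belongs to before deciding it is benign.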