ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2010/08/12 14:40
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA08C000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Bartek\Pulpit\OTL.Txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Bartek\Dane aplikacji\Mozilla\Firefox\Profiles\jicyr2ag.default\OTL.Txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Bartek\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\jicyr2ag.default\urlclassifier3.sqlite-journal
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 019	Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec610

#: 057	Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ecc10

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec730

#: 122	Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec4b0

#: 128	Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec570

#: 137	Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec6d0

#: 213	Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec690

#: 229	Function Name: NtSetInformationThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec650

#: 237	Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec7d0

#: 253	Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec510

#: 254	Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec590

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec4d0

#: 258	Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec5d0

#: 277	Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec750

==EOF==
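The log above is raw RootRepeal output. As an added example (not part of the posted log and not RootRepeal's own code), the Python below parses this log layout, groups the SSDT hooks by the driver that installed them, and separates the hook set an antivirus/HIPS installs to protect its own processes (NtOpenProcess, NtTerminateProcess, NtWriteVirtualMemory and the like, as in the log) from the hook set used to hide processes, files and registry keys (NtQuerySystemInformation, NtQueryDirectoryFile, NtEnumerateKey). The embedded sample log is a constructed excerpt in the same layout; `hypothetical.sys` is a made-up driver name used only to exercise the unrecognised-hooker path, and the allowlist that treats ehdrv.sys as ESET's HIPS driver is an assumption to confirm against the signed file on the host rather than a fact the log itself establishes.

```python
"""Parse a RootRepeal scan log and triage its SSDT hooks and hidden-file findings.

Added example, not RootRepeal's own code. SAMPLE_LOG is a constructed excerpt
in RootRepeal's layout; 'hypothetical.sys' is a made-up driver name.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt (same layout as a real RootRepeal log).
SAMPLE_LOG = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2010/08/12 14:40
Program Version:    Version 1.3.5.0
Windows Version:    Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Bartek\Pulpit\OTL.Txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Bartek\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\jicyr2ag.default\urlclassifier3.sqlite-journal
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 122  Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec4b0

#: 257  Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xad3ec4d0

#: 277  Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\hypothetical.sys" at address 0xf7a01230

#: 173  Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\hypothetical.sys" at address 0xf7a01300

==EOF==
"""

# Assumption for this example: drivers known to belong to security products.
# ehdrv.sys is assumed to be ESET's HIPS driver; verify the file's signature and
# on-disk location on the host before trusting any allowlist entry.
KNOWN_SECURITY_DRIVERS = {"ehdrv.sys": "ESET HIPS"}

# Syscalls an AV/HIPS hooks to stop other processes from tampering with it.
SELF_PROTECTION_SYSCALLS = {
    "NtOpenProcess", "NtOpenThread", "NtTerminateProcess", "NtTerminateThread",
    "NtSuspendProcess", "NtSuspendThread", "NtWriteVirtualMemory",
    "NtProtectVirtualMemory", "NtSetContextThread", "NtSetInformationThread",
    "NtDebugActiveProcess", "NtDuplicateObject", "NtSetSecurityObject",
    "NtAssignProcessToJobObject",
}
# Syscalls whose hooking is the classic way to hide processes, files and keys.
HIDING_SYSCALLS = {
    "NtQuerySystemInformation", "NtQueryDirectoryFile",
    "NtEnumerateKey", "NtEnumerateValueKey",
}

SECTIONS = {"Drivers", "Hidden/Locked Files", "SSDT"}
HOOK_RE = re.compile(r'^#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)\s*$')
HOOK_STATUS_RE = re.compile(
    r'^Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)\s*$')
PATH_RE = re.compile(r'^Path:\s*(?P<path>.+?)\s*$')
FILE_STATUS_RE = re.compile(r'^Status:\s*(?P<status>.+?)\s*$')


@dataclass
class SsdtHook:
    index: int
    function: str
    module: str   # full path of the hooking driver as printed by RootRepeal
    address: int


@dataclass
class HiddenFile:
    path: str
    status: str


@dataclass
class ScanReport:
    hooks: list = field(default_factory=list)
    hidden_files: list = field(default_factory=list)


def parse_rootrepeal(text):
    """Walk the log section by section; each entry is a header line plus its Status line."""
    report, section, pending = ScanReport(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "==EOF==":
            break
        if line in SECTIONS:
            section, pending = line, None
            continue
        if section == "SSDT":
            if (m := HOOK_RE.match(line)):
                pending = (int(m["index"]), m["func"])
            elif pending and (m := HOOK_STATUS_RE.match(line)):
                report.hooks.append(SsdtHook(pending[0], pending[1], m["module"], int(m["addr"], 16)))
                pending = None
        elif section == "Hidden/Locked Files":
            if (m := PATH_RE.match(line)):
                pending = m["path"]
            elif pending and (m := FILE_STATUS_RE.match(line)):
                report.hidden_files.append(HiddenFile(pending, m["status"]))
                pending = None
    return report


def triage(report, known_drivers=KNOWN_SECURITY_DRIVERS):
    """Return (severity, subject, note) triples; 'review' means look closer."""
    findings, by_module = [], defaultdict(list)
    for h in report.hooks:
        by_module[h.module.rsplit("\\", 1)[-1].lower()].append(h)
    for name, hooks in sorted(by_module.items()):
        funcs = {h.function for h in hooks}
        hiding = sorted(funcs & HIDING_SYSCALLS)
        if hiding:  # hiding hooks are flagged even for an allowlisted driver
            findings.append(("review", name, "hooks hiding-capable syscalls: " + ", ".join(hiding)))
        elif name in known_drivers and funcs <= SELF_PROTECTION_SYSCALLS:
            findings.append(("info", name, f"{known_drivers[name]} self-protection hooks ({len(funcs)})"))
        else:
            findings.append(("review", name, "unrecognised hooker or unusual hook set: " + ", ".join(sorted(funcs))))
    for f in report.hidden_files:
        if f.status.startswith("Visible to the Windows API, but not on disk"):
            findings.append(("info", f.path, "transient/deleted entry (journal or temp file), usually benign"))
        elif f.status.startswith("Invisible"):
            findings.append(("review", f.path, "hidden from the Windows API; confirm with a raw disk read"))
        else:
            findings.append(("info", f.path, f.status))
    return findings


if __name__ == "__main__":
    for severity, subject, note in triage(parse_rootrepeal(SAMPLE_LOG)):
        print(f"[{severity}] {subject}: {note}")
```

Run against a real log with `triage(parse_rootrepeal(open("rootrepeal.txt").read()))`. On the posted scan every SSDT hook belongs to ehdrv.sys and every hooked function is in the self-protection set, so the whole SSDT section would come back as a single "info" line; the one "review" item would be the OTL.Txt entry reported as invisible to the Windows API, which is worth checking with a raw read before assuming a rootkit, since locked or stale directory entries produce the same message.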