ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2011/02/05 23:48
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB250A000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5F6000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1F50000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RootRepeal report 02-05-11 (23-48-01).txt
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 019	Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e1610

#: 057	Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e1c10

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e1730

#: 122	Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e14b0

#: 128	Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e1570

#: 137	Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e16d0

#: 180	Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e1790

#: 213	Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e1690

#: 229	Function Name: NtSetInformationThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e1650

#: 237	Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e17d0

#: 253	Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e1510

#: 254	Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e1590

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e14d0

#: 258	Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e15d0

#: 277	Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xb27e1750

==EOF==
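When triaging a RootRepeal report the useful questions are: which sections have records, which drivers have no backing file on disk, and whether every SSDT hook points into the same module. The following parser for the report format above is an added example written for this page; it is not RootRepeal's own code and RootRepeal exposes no such API. `SAMPLE_REPORT` is an excerpt of this page's log (a subset of the driver and SSDT records, same layout), and the field names (`Name`, `Image Path`, `File Visible`, `#`, `Function Name`, `Status`) are taken from it. Section names are detected as a line followed by a row of dashes, fields within a line are separated by tabs or runs of spaces, and records are separated by blank lines.

```python
"""Parse a RootRepeal report and summarise drivers, hidden files and SSDT hooks.

Added example for this page, not RootRepeal code.  SAMPLE_REPORT is a constructed
excerpt of the report shown above (same layout, fewer records).
"""
import re
from collections import defaultdict
from typing import NamedTuple

SAMPLE_REPORT = """ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2011/02/05 23:48
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xB250A000\tSize: 98304\tFile Visible: No\tSigned: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xB1F50000\tSize: 49152\tFile Visible: No\tSigned: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\\RootRepeal report 02-05-11 (23-48-01).txt
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 019\tFunction Name: NtAssignProcessToJobObject
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\ehdrv.sys" at address 0xb27e1610

#: 122\tFunction Name: NtOpenProcess
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\ehdrv.sys" at address 0xb27e14b0

#: 257\tFunction Name: NtTerminateProcess
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\ehdrv.sys" at address 0xb27e14d0

==EOF==
"""


class Hook(NamedTuple):
    index: int       # SSDT service index (the "#:" column)
    function: str    # Nt* function name
    module: str      # path of the hooking driver, as printed in the report
    address: int     # hook target address


_SECTION_RULE = re.compile(r"^-{5,}$")      # dashed line under a section name
_SEPARATOR = re.compile(r"^=+$")            # "=====" banner lines
_HOOK = re.compile(r'Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)')


def _fields(line):
    """Turn 'Key: value<TAB>Key: value' into a dict (tabs or 2+ spaces separate fields)."""
    out = {}
    for part in re.split(r"\t+| {2,}", line.strip()):
        key, sep, value = part.partition(": ")   # first ': ' only; paths contain ':'
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_report(text):
    """Return {'header': {...}, 'sections': {name: [record, ...]}}."""
    header, sections = {}, {}
    current, record = None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if _SECTION_RULE.match(line) or _SEPARATOR.match(line) or line.strip() == "==EOF==":
            continue
        if _SECTION_RULE.match(nxt):            # a name followed by ---- opens a section
            if record and current:
                sections[current].append(record)
            current, record = line.strip(), {}
            sections.setdefault(current, [])
            continue
        if not line.strip():                    # blank line closes the current record
            if record and current:
                sections[current].append(record)
            record = {}
            continue
        (header if current is None else record).update(_fields(line))
    if record and current:
        sections[current].append(record)
    return {"header": header, "sections": sections}


def ssdt_hooks(report):
    """All SSDT hook records as Hook tuples, sorted by service index."""
    hooks = []
    for rec in report["sections"].get("SSDT", []):
        m = _HOOK.search(rec.get("Status", ""))
        if m:
            hooks.append(Hook(int(rec["#"]), rec["Function Name"], m["module"], int(m["addr"], 16)))
    return sorted(hooks)


def hooks_by_module(report):
    """Group hooks by hooking driver (path lower-cased) so one-driver-hooks-all is obvious."""
    grouped = defaultdict(list)
    for h in ssdt_hooks(report):
        grouped[h.module.lower()].append(h)
    return dict(grouped)


def drivers_not_on_disk(report):
    """Loaded drivers whose image RootRepeal could not see on disk."""
    return [d["Name"] for d in report["sections"].get("Drivers", []) if d.get("File Visible") == "No"]


def hidden_files(report):
    return [(f["Path"], f["Status"]) for f in report["sections"].get("Hidden/Locked Files", [])]


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("header:", rep["header"])
    print("drivers not on disk:", drivers_not_on_disk(rep))
    print("hidden files:", hidden_files(rep))
    for module, hooks in hooks_by_module(rep).items():
        print(f"{module}: {len(hooks)} hooks -> {[h.function for h in hooks]}")
```

Run against the full report above, the grouping shows all fifteen hooks coming from one driver, ehdrv.sys, which (general knowledge, not something the log itself states) is the kernel driver installed by ESET's products; the hooked services (NtOpenProcess, NtWriteVirtualMemory, NtTerminateProcess, NtSetContextThread and the rest) are the ones a self-protecting security product typically intercepts. The three drivers with no visible file are RootRepeal's own driver and the dump_* copies of the storage stack that Windows keeps for crash dumps, and the only hidden file is the report RootRepeal was writing at the time of the scan, so this output shows nothing that the log itself marks as suspicious.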