ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2011/08/14 09:51
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5836000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A52000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3827000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\schedlgu.txt
Status: Allocation size mismatch (API: 24576, Raw: 20480)

SSDT
-------------------
#: 025	Function Name: NtClose
Status: Hooked by "" at address 0xf7c23bb4

#: 041	Function Name: NtCreateKey
Status: Hooked by "" at address 0xf7c23b6e

#: 050	Function Name: NtCreateSection
Status: Hooked by "" at address 0xf7c23bbe

#: 053	Function Name: NtCreateThread
Status: Hooked by "" at address 0xf7c23b64

#: 063	Function Name: NtDeleteKey
Status: Hooked by "" at address 0xf7c23b73

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "" at address 0xf7c23b7d

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "" at address 0xf7c23baf

#: 098	Function Name: NtLoadKey
Status: Hooked by "" at address 0xf7c23b82

#: 122	Function Name: NtOpenProcess
Status: Hooked by "" at address 0xf7c23b50

#: 128	Function Name: NtOpenThread
Status: Hooked by "" at address 0xf7c23b55

#: 193	Function Name: NtReplaceKey
Status: Hooked by "" at address 0xf7c23b8c

#: 204	Function Name: NtRestoreKey
Status: Hooked by "" at address 0xf7c23b87

#: 213	Function Name: NtSetContextThread
Status: Hooked by "" at address 0xf7c23bc3

#: 247	Function Name: NtSetValueKey
Status: Hooked by "" at address 0xf7c23b78

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "" at address 0xf7c23b5f

Shadow SSDT
-------------------
#: 549	Function Name: NtUserSetWindowsHookEx
Status: Hooked by "" at address 0xf7c23bc8

#: 552	Function Name: NtUserSetWinEventHook
Status: Hooked by "" at address 0xf7c23bcd

==EOF==
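The check a triager wants from a report like the one above is whether any listed driver image can account for the hook targets. The following parser is an added example, not RootRepeal's own code and not part of the original post: it reads the report's Drivers, SSDT and Shadow SSDT sections, and flags every hook whose owning module is reported as empty and whose target address falls inside none of the listed driver ranges. The embedded SAMPLE is a constructed excerpt of the report above (two of the three drivers, four of the seventeen hooks) laid out as RootRepeal prints it; the names Driver, Hook, parse_report, unattributed_hooks and hook_span are this example's own.

```python
"""Parse a RootRepeal report and flag SSDT/Shadow SSDT hooks that no listed
driver image accounts for. Added example; not RootRepeal's own code."""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the report above, in RootRepeal's layout.
SAMPLE = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:\t\t2011/08/14 09:51
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xF5836000\tSize: 98304\tFile Visible: No\tSigned: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xF3827000\tSize: 49152\tFile Visible: No\tSigned: -
Status: -

SSDT
-------------------
#: 053\tFunction Name: NtCreateThread
Status: Hooked by "" at address 0xf7c23b64

#: 122\tFunction Name: NtOpenProcess
Status: Hooked by "" at address 0xf7c23b50

#: 247\tFunction Name: NtSetValueKey
Status: Hooked by "" at address 0xf7c23b78

Shadow SSDT
-------------------
#: 549\tFunction Name: NtUserSetWindowsHookEx
Status: Hooked by "" at address 0xf7c23bc8

==EOF==
"""

# A section is a title line followed by a dashed underline.
SECTION_RE = re.compile(r'^(?P<name>[A-Za-z/ ]+)\n-{10,}\n', re.M)
# Field order as RootRepeal prints a driver entry; \s+ tolerates tabs/newlines.
DRIVER_RE = re.compile(
    r'Name: (?P<name>\S+)\s+Image Path: (?P<path>.+?)\s+'
    r'Address: (?P<base>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+'
    r'File Visible: (?P<visible>\w+)', re.S)
HOOK_RE = re.compile(
    r'#: (?P<index>\d+)\s+Function Name: (?P<function>\w+)\s+'
    r'Status: Hooked by "(?P<module>[^"]*)" at address (?P<addr>0x[0-9A-Fa-f]+)')


@dataclass
class Driver:
    name: str
    base: int
    size: int
    visible: bool

    def contains(self, addr: int) -> bool:
        """True if addr lies inside this driver's mapped image [base, base+size)."""
        return self.base <= addr < self.base + self.size


@dataclass
class Hook:
    table: str      # 'SSDT' or 'Shadow SSDT'
    index: int
    function: str
    module: str     # owner as RootRepeal reported it; '' means it could not name one
    address: int


def parse_report(text: str):
    """Split the report into sections and return (drivers, hooks)."""
    sections, marks = {}, list(SECTION_RE.finditer(text))
    for m, nxt in zip(marks, marks[1:] + [None]):
        sections[m['name'].strip()] = text[m.end():nxt.start() if nxt else len(text)]
    drivers = [Driver(d['name'], int(d['base'], 16), int(d['size']), d['visible'] == 'Yes')
               for d in DRIVER_RE.finditer(sections.get('Drivers', ''))]
    hooks = [Hook(table, int(h['index']), h['function'], h['module'], int(h['addr'], 16))
             for table in ('SSDT', 'Shadow SSDT')
             for h in HOOK_RE.finditer(sections.get(table, ''))]
    return drivers, hooks


def unattributed_hooks(drivers, hooks):
    """Hooks with no reported owner whose target is inside no listed driver image."""
    return [h for h in hooks
            if not h.module and not any(d.contains(h.address) for d in drivers)]


def hook_span(hooks):
    """(lowest, highest) hook target; a tight span points at one stub table."""
    addrs = [h.address for h in hooks]
    return min(addrs), max(addrs)


if __name__ == '__main__':
    drivers, hooks = parse_report(SAMPLE)
    bad = unattributed_hooks(drivers, hooks)
    lo, hi = hook_span(hooks)
    print(f'{len(hooks)} hooks, {len(bad)} unattributed, targets 0x{lo:x}-0x{hi:x} ({hi - lo} bytes)')
    for h in bad:
        print(f'  {h.table} #{h.index:03d} {h.function} -> 0x{h.address:x}')
```

Run against the full report, all seventeen targets fall between 0xf7c23b50 and 0xf7c23bcd, a 125-byte window that none of the three listed images (0xF5836000-0xF584E000, 0xF7A52000-0xF7A54000, 0xF3827000-0xF3833000) covers, and most neighbouring targets sit 5 bytes apart, the length of an x86 near jmp. That pattern is consistent with one module's table of jump stubs rather than seventeen independent patches. The caveat is that the Drivers section here lists only three entries, all with File Visible: No, so "inside no listed image" means exactly that and not "inside no loaded driver"; the report itself does not name the hooking module.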