ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/10/16 04:15
Program Version:		Version 1.3.5.0
Windows Version:		Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x9375C000	Size: 32768	File Visible: No	Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x93751000	Size: 45056	File Visible: No	Signed: -
Status: -

Name: rootrepeal1.sys
Image Path: C:\Windows\system32\drivers\rootrepeal1.sys
Address: 0xA65DC000	Size: 49152	File Visible: No	Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4	Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1220	Status: Locked to the Windows API!

SSDT
-------------------
#: 064	Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa34affa0

#: 072	Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0xa34af1e0

#: 073	Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0xa34af4a0

#: 078	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xa34b0e00

#: 123	Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xa34b0520

#: 126	Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xa34b07e0

#: 165	Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0xa34b1140

#: 194	Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa34afa20

#: 324	Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xa34b0260

#: 334	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xa34afce0

#: 358	Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xa34b0c60

#: 382	Function Name: NtCreateThreadEx
Status: Hooked by "<unknown>" at address 0xa34b0fa0

#: 383	Function Name: NtCreateUserProcess
Status: Hooked by "<unknown>" at address 0xa34af760

==EOF==