ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:	2009/10/16 11:06
Program Version:	Version 1.3.5.0
Windows Version:	Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB58D6000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADF2000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBAE3E000	Size: 7872	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAFC4A000	Size: 49152	File Visible: No	Signed: -
Status: -

SSDT
-------------------
#: 017	Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb44325e0

#: 019	Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb44322ce

#: 025	Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb5c3d6b8

#: 031	Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4432310

#: 037	Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb44323be

#: 041	Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb5c3d574

#: 047	Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4432c66

#: 048	Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4432cf2

#: 053	Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4432d82

#: 057	Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb443240e

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb5c3da52

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4432450

#: 097	Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4432494

#: 119	Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb44324d6

#: 122	Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb5c3d08c

#: 125	Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4432518

#: 128	Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb443255a

#: 137	Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4432628

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb5c3d76e

#: 200	Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb443259c

#: 204	Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb443266a

#: 206	Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb44326b2

#: 210	Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4432742

#: 247	Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb44326f4

#: 253	Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb44327e6

#: 255	Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4432828

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb5cfa0b0

#: 277	Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb44328b8

==EOF==
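An added example for reading a log like the one above; it is not part of the posted log and not RootRepeal's own code. It parses the Drivers and SSDT sections, groups the hooked Nt* functions by the module that owns the hook, lists drivers whose backing file the scanner reported as not visible, and checks whether any hook address falls inside the address range of one of those drivers. The sample input is a constructed excerpt of the entries above, laid out one field per line with tab-separated fields on the Address line, which is the layout RootRepeal normally writes (an assumption here; any real log can be passed to parse_rootrepeal() instead).

```python
"""Summarise a RootRepeal scan log: which kernel modules hook which SSDT
entries, and whether any hook points into a driver whose file is hidden."""
import re
from collections import defaultdict

# Constructed sample input: an excerpt of the entries from the posted log,
# in the one-field-per-line layout RootRepeal writes (assumed, see lead-in).
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:\t\t2009/10/16 11:06
Program Version:\t\tVersion 1.3.5.0
Windows Version:\t\tWindows XP SP3
==================================================

Drivers
-------------------
Name: PROCEXP113.SYS
Image Path: C:\\WINDOWS\\system32\\Drivers\\PROCEXP113.SYS
Address: 0xBAE3E000\tSize: 7872\tFile Visible: No\tSigned: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xAFC4A000\tSize: 49152\tFile Visible: No\tSigned: -
Status: -

SSDT
-------------------
#: 017\tFunction Name: NtAllocateVirtualMemory
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\PCTAppEvent.sys" at address 0xb44325e0

#: 025\tFunction Name: NtClose
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xb5c3d6b8

#: 257\tFunction Name: NtTerminateProcess
Status: Hooked by "C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0xb5cfa0b0

#: 277\tFunction Name: NtWriteVirtualMemory
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\PCTAppEvent.sys" at address 0xb44328b8

==EOF==
"""

HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')
SSDT_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)')
ADDR_RE = re.compile(r'^Address:\s*(0x[0-9A-Fa-f]+)\s+Size:\s*(\d+)\s+'
                     r'File Visible:\s*(\S+)\s+Signed:\s*(\S+)')


def parse_rootrepeal(text):
    """Return {'drivers': [...], 'ssdt': [...]} parsed from a RootRepeal log."""
    drivers, ssdt = [], []
    section, cur = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Drivers", "SSDT"):        # section header; dashed rule follows
            section, cur = line, None
            continue
        if line == "==EOF==":
            break
        if section == "Drivers":
            if line.startswith("Name:"):
                cur = {"name": line.split(":", 1)[1].strip()}
                drivers.append(cur)
            elif cur is None:
                continue
            elif line.startswith("Image Path:"):
                cur["path"] = line.split(":", 1)[1].strip()
            elif line.startswith("Address:"):
                m = ADDR_RE.match(line)
                if m:
                    cur["address"] = int(m.group(1), 16)
                    cur["size"] = int(m.group(2))
                    cur["file_visible"] = m.group(3).lower() == "yes"
                    cur["signed"] = m.group(4)
            elif line.startswith("Status:"):
                cur["status"] = line.split(":", 1)[1].strip()
        elif section == "SSDT":
            m = SSDT_RE.match(line)
            if m:
                cur = {"index": int(m.group(1)), "function": m.group(2)}
                ssdt.append(cur)
            elif cur is not None and line.startswith("Status:"):
                h = HOOK_RE.search(line)
                if h:
                    cur["hook_module"] = h.group(1)
                    cur["hook_address"] = int(h.group(2), 16)
                else:
                    cur["status"] = line.split(":", 1)[1].strip()
    return {"drivers": drivers, "ssdt": ssdt}


def hooks_by_module(report):
    """Map hook-owning module (file name, lower-cased) -> sorted hooked functions."""
    out = defaultdict(list)
    for e in report["ssdt"]:
        if "hook_module" in e:
            out[e["hook_module"].rsplit("\\", 1)[-1].lower()].append(e["function"])
    return {k: sorted(v) for k, v in out.items()}


def hidden_drivers(report):
    """Names of drivers the scanner reported with 'File Visible: No'."""
    return [d["name"] for d in report["drivers"] if d.get("file_visible") is False]


def hooks_into_listed_images(report):
    """(function, driver) pairs where a hook address lies inside a listed
    driver's [Address, Address+Size) range: a hook that resolves into an
    image with no visible file is the case worth escalating."""
    hits = []
    for e in report["ssdt"]:
        addr = e.get("hook_address")
        if addr is None:
            continue
        for d in report["drivers"]:
            if "address" in d and d["address"] <= addr < d["address"] + d["size"]:
                hits.append((e["function"], d["name"]))
    return hits


if __name__ == "__main__":
    rep = parse_rootrepeal(SAMPLE_LOG)
    for mod, funcs in hooks_by_module(rep).items():
        print(f"{mod}: {len(funcs)} hooks: {', '.join(funcs)}")
    print("drivers with no visible file:", hidden_drivers(rep))
    print("hooks resolving into listed images:", hooks_into_listed_images(rep))
```

Grouping by module is the first thing to do with a list this long: in the posted log every hook belongs to one of three modules, and the per-module function sets are what you compare against what each product is known to do, rather than judging 28 entries one at a time. The range check is empty for this log, which is consistent with the hook owners being the named driver files rather than one of the drivers listed as hidden.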