ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/09/15 20:27
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE096000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A67000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xB7096000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF733E000	Size: 323584	File Visible: No	Signed: -
Status: -

SSDT
-------------------
#: 012	Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8663a260

#: 013	Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8665be00

#: 017	Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8602cfc0

#: 019	Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8644b550

#: 031	Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x860ad9f8

#: 041	Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf6cb0130

#: 043	Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x863c9200

#: 047	Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x86b6cf30

#: 048	Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x86b6ceb8

#: 052	Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x85f36c20

#: 053	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x865e4528

#: 057	Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8644b3d8

#: 063	Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf6cb03b0

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf6cb0910

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x863bce00

#: 083	Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86025160

#: 089	Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8663d8b8

#: 091	Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8664dab0

#: 097	Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8608b230

#: 108	Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x865fae30

#: 114	Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86637670

#: 122	Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x863abbe8

#: 123	Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x867340a0

#: 125	Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8644b198

#: 128	Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x863c2478

#: 137	Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x85e90e40

#: 180	Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x86b6ca80

#: 186	Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x86b6c918

#: 192	Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x86b7f500

#: 206	Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8642b400

#: 213	Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86674d08

#: 226	Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x86b7f488

#: 228	Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86a1b0e0

#: 229	Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x86b6cbe8

#: 240	Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8644b0c0

#: 247	Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf6cb0b60

#: 253	Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8644ac78

#: 254	Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86642238

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86734b58

#: 258	Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86649158

#: 267	Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x866921a0

#: 277	Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x863ae340

==EOF==