ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2010/07/25 20:41
Program Version:    Version 1.3.5.0
Windows Version:    Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB646A000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AAE000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5B5D000    Size: 49152    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\programme\logitech\desktop messenger\8876480\users\king of bongo\data\10aa\userprof.bak
Status: Size mismatch (API: 892, Raw: 891)

Path: c:\programme\logitech\desktop messenger\8876480\users\king of bongo\data\10aa\userprof.dat
Status: Size mismatch (API: 892, Raw: 891)

Path: c:\programme\logitech\desktop messenger\8876480\users\king of bongo\data\65fd\userprof.bak
Status: Size mismatch (API: 842, Raw: 841)

Path: c:\programme\logitech\desktop messenger\8876480\users\king of bongo\data\65fd\userprof.dat
Status: Size mismatch (API: 842, Raw: 841)

Path: c:\programme\logitech\desktop messenger\8876480\users\king of bongo\data\7e1\userprof.bak
Status: Size mismatch (API: 1065, Raw: 1064)

Path: c:\programme\logitech\desktop messenger\8876480\users\king of bongo\data\7e1\userprof.dat
Status: Size mismatch (API: 1065, Raw: 1064)

SSDT
-------------------
#: 053    Function Name: NtCreateThread
Status: Hooked by "" at address 0xf7b75204

#: 122    Function Name: NtOpenProcess
Status: Hooked by "" at address 0xf7b751f0

#: 128    Function Name: NtOpenThread
Status: Hooked by "" at address 0xf7b751f5

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "" at address 0xf7b751ff

#: 277    Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0xf7b751fa

==EOF==
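The report above is raw RootRepeal output, so the points worth triaging are easy to miss by eye: five SSDT entries are hooked by "" (RootRepeal prints an empty name when it cannot map the hook address to any loaded driver image), the five hook targets sit within 0x14 bytes of each other in the 0xf7b751f0 range, the two dump_*.sys drivers with "File Visible: No" are the crash-dump copies Windows keeps of the boot storage stack, rootrepeal.sys is the scanner's own driver, and the Logitech profile files differ by exactly one byte between the API and raw sizes. The script below is an added triage helper written for this page; it is not part of RootRepeal and does not come from the log's author. It parses the tool's section/record layout and pulls out the unattributed SSDT hooks, the size mismatches and the hidden drivers. SAMPLE_LOG is a constructed subset of the report above in the same layout; the section and field names ("SSDT", "Hidden/Locked Files", "Drivers", "Status", "File Visible") are taken from that layout, and nothing here decides whether a finding is malicious.

```python
"""Triage helper for RootRepeal scan logs (example code, not part of the tool)."""
import re

# Constructed sample in RootRepeal 1.3.5.0 layout; entries are a subset of the report above.
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:\t\t2010/07/25 20:41
Program Version:\t\tVersion 1.3.5.0
Windows Version:\t\tWindows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xB646A000\tSize: 98304\tFile Visible: No\tSigned: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xB5B5D000\tSize: 49152\tFile Visible: No\tSigned: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\\programme\\logitech\\desktop messenger\\8876480\\users\\king of bongo\\data\\10aa\\userprof.bak
Status: Size mismatch (API: 892, Raw: 891)

Path: c:\\programme\\logitech\\desktop messenger\\8876480\\users\\king of bongo\\data\\65fd\\userprof.dat
Status: Size mismatch (API: 842, Raw: 841)

SSDT
-------------------
#: 053\tFunction Name: NtCreateThread
Status: Hooked by "" at address 0xf7b75204

#: 122\tFunction Name: NtOpenProcess
Status: Hooked by "" at address 0xf7b751f0

#: 128\tFunction Name: NtOpenThread
Status: Hooked by "" at address 0xf7b751f5

#: 257\tFunction Name: NtTerminateProcess
Status: Hooked by "" at address 0xf7b751ff

#: 277\tFunction Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0xf7b751fa

==EOF==
"""

PAIR_RE = re.compile(r"^([^:]+?):\s*(.*)$")          # split "Key: value" at the first colon
HOOK_RE = re.compile(r'Hooked by "(.*?)" at address (0x[0-9a-fA-F]+)')
MISMATCH_RE = re.compile(r"Size mismatch \(API: (\d+), Raw: (\d+)\)")
RULE_RE = re.compile(r"-{5,}")


def parse_log(text):
    """Return {section: [record, ...]}; a record is a dict of the 'Key: value' fields
    of one entry. A section header is the line directly above a dashed rule; entries
    are separated by blank lines or by a repeat of the section's leading field."""
    lines = text.splitlines()
    sections, current, record, first_key = {}, None, {}, None

    def flush():
        nonlocal record
        if current is not None and record:
            sections[current].append(record)
        record = {}

    for i, line in enumerate(lines):
        if i + 1 < len(lines) and RULE_RE.fullmatch(lines[i + 1]):
            flush()
            current, first_key = line.strip(), None
            sections[current] = []
            continue
        if current is None or RULE_RE.fullmatch(line) or line.startswith("==EOF=="):
            continue
        if not line.strip():
            flush()
            continue
        for chunk in line.split("\t"):              # several fields may share one line
            m = PAIR_RE.match(chunk.strip())
            if not m:
                continue
            key, value = m.group(1), m.group(2)
            if first_key is None:
                first_key = key
            elif key == first_key and record:
                flush()
            record[key] = value
    flush()
    return sections


def unattributed_ssdt_hooks(sections):
    """(index, function, address) for SSDT entries hooked by an unnamed module."""
    out = []
    for rec in sections.get("SSDT", []):
        m = HOOK_RE.search(rec.get("Status", ""))
        if m and m.group(1) == "":
            out.append((int(rec["#"]), rec["Function Name"], int(m.group(2), 16)))
    return out


def hook_address_span(hooks):
    """Bytes between the lowest and highest hook target; a small span means one stub."""
    addrs = [a for _, _, a in hooks]
    return max(addrs) - min(addrs) if addrs else 0


def size_mismatches(sections):
    """(path, api_size, raw_size) for hidden/locked files whose sizes disagree."""
    out = []
    for rec in sections.get("Hidden/Locked Files", []):
        m = MISMATCH_RE.search(rec.get("Status", ""))
        if m:
            out.append((rec["Path"], int(m.group(1)), int(m.group(2))))
    return out


def hidden_drivers(sections):
    """Loaded drivers whose image file is not visible through the Windows API."""
    return [r["Name"] for r in sections.get("Drivers", []) if r.get("File Visible") == "No"]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    hooks = unattributed_ssdt_hooks(parsed)
    for idx, fn, addr in hooks:
        print(f"SSDT #{idx:03d} {fn:<22} unattributed hook -> 0x{addr:08x}")
    print(f"hook targets span 0x{hook_address_span(hooks):x} bytes")
    for path, api, raw in size_mismatches(parsed):
        print(f"size mismatch {api} vs {raw}: {path}")
    print("hidden drivers:", ", ".join(hidden_drivers(parsed)))
```

Run against the full report, the hook list is the five Nt* functions a process-protection or injection component would intercept, all landing within 0x14 bytes of 0xf7b751f0, so the next step is to find which driver owns that address (the address is not inside any image the log lists) rather than to treat each hook separately. The hidden-driver list needs the caveat from the lead-in: dump_atapi.sys, dump_WMILIB.SYS and rootrepeal.sys are expected there, so "File Visible: No" on its own is not a finding.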