ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/05/26 23:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7952000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE26000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB42D8000 Size: 49152 File Visible: No Signed: -
Status: -
Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xBAC98000 Size: 24576 File Visible: No Signed: -
Status: -
Name: SASKUTIL.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
Address: 0xB7ACD000 Size: 139264 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\windows\temp\microsoft operations manager\momservice(b).mc8
Status: Size mismatch (API: 71745, Raw: 68535)
Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_policyevaluator\000000gg.msg
Status: Allocation size mismatch (API: 12288, Raw: 8192)
Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\ls_scheduledcleanup\0000002s.msg
Status: Allocation size mismatch (API: 61440, Raw: 57344)
Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_requestassignments\000001cs.msg
Status: Allocation size mismatch (API: 32768, Raw: 20480)
Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_mp_hinvendpoint\0000002b.msg
Status: Allocation size mismatch (API: 65536, Raw: 61440)
Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_statusreceiver\00000032.msg
Status: Allocation size mismatch (API: 90112, Raw: 73728)
Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_locationmanager\0000006w.msg
Status: Allocation size mismatch (API: 4096, Raw: 0)
Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_policymanager\000001cc.msg
Status: Allocation size mismatch (API: 73728, Raw: 57344)
Path: C:\Documents and Settings\iraval\Local Settings\Apps\2.0\BGNRHMAN.BEO\L9J62ZNZ.Q83\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!
Path: C:\Documents and Settings\iraval\Local Settings\Apps\2.0\BGNRHMAN.BEO\L9J62ZNZ.Q83\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!
SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xb7ad7620
Stealth Objects
-------------------
Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: MsMpEng.exe (PID: 1944) Address: 0xe4636818 Size: -
Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: svchost.exe (PID: 1984) Address: 0xe233b818 Size: -
Object: Hidden Handle [Index: 2052, Type: UnknownType]
Process: svchost.exe (PID: 1984) Address: 0xe2e36020 Size: -
Object: Hidden Handle [Index: 6148, Type: UnknownType]
Process: svchost.exe (PID: 1984) Address: 0xe5037020 Size: -
Object: Hidden Handle [Index: 8196, Type: UnknownType]
Process: svchost.exe (PID: 1984) Address: 0xe4fe5020 Size: -
==EOF==
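The log above is raw RootRepeal output, and the two findings worth a second look are the SSDT hook and the size mismatches. The script below is an added example for working with this log format; it is not RootRepeal's own code, and the field names it keys on (Name, Image Path, Address, Size, File Visible, Signed, Status, Path, #, Function Name, Object, Process) are simply the ones that appear in the log. It parses the sections into records, then does the check a practitioner would do by hand: resolve the hook address RootRepeal reports (0xb7ad7620) against the loaded driver ranges from the Drivers section, so the "Hooked by SASKUTIL.SYS" attribution is confirmed from the addresses (0xB7ACD000 + 139264 = 0xB7AEF000 bounds that image) rather than trusted, and compute the API-vs-raw delta for each hidden/locked file. The embedded sample is an excerpt of the log above; the helper and function names are my own.

```python
"""Parse a RootRepeal 1.3.x log and cross-check its findings (added example, not RootRepeal code)."""
import re

# Excerpt of the scan log above, embedded so the script runs offline.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
Windows Version: Windows XP SP3
Drivers
-------------------
Name: SASKUTIL.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
Address: 0xB7ACD000 Size: 139264 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\windows\temp\microsoft operations manager\momservice(b).mc8
Status: Size mismatch (API: 71745, Raw: 68535)
Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_policyevaluator\000000gg.msg
Status: Allocation size mismatch (API: 12288, Raw: 8192)
SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xb7ad7620
Stealth Objects
-------------------
Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: svchost.exe (PID: 1984) Address: 0xe233b818 Size: -
==EOF==
"""

# Only these keys start a field, so "API:", "Raw:", "PID:" or "Index:" inside a value stay in the value.
KEYS = ["Image Path", "Function Name", "File Visible", "Name", "Address", "Size",
        "Signed", "Status", "Path", "Object", "Process", "#"]
_ALT = "|".join(re.escape(k) for k in KEYS)
KV_RE = re.compile(rf"(?<![^\s])({_ALT}): (.*?)(?=\s(?:{_ALT}): |$)")
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)')
MISMATCH_RE = re.compile(r"(?P<kind>\w[\w ]*?) mismatch \(API: (?P<api>\d+), Raw: (?P<raw>\d+)\)")


def parse_rootrepeal(text):
    """Return {"meta": {...}, "sections": {section name: [record dict, ...]}}."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    meta, sections, section, record = {}, {}, None, None
    for i, line in enumerate(lines):
        if not line or line.startswith("=") or line.startswith("---"):
            continue  # blank lines, separators, ==EOF==
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            section, record = line, None  # a section name is underlined with dashes
            sections[section] = []
        elif section is None:  # header block before the first section
            meta.update([line.split(": ", 1)] if ": " in line else {"banner": line})
        elif pairs := KV_RE.findall(line):
            if pairs[0][0] in ("Name", "Path", "#", "Object"):  # first field of a record
                record = {}
                sections[section].append(record)
            if record is not None:
                record.update(pairs)
    return {"meta": meta, "sections": sections}


def driver_ranges(parsed):
    """[(name, base, end)] for loaded drivers from the Drivers section; end is exclusive."""
    return [(d["Name"], int(d["Address"], 16), int(d["Address"], 16) + int(d["Size"]))
            for d in parsed["sections"].get("Drivers", [])]


def module_at(addr, ranges):
    """Name of the driver whose image range contains addr, or None if nothing covers it."""
    return next((name for name, base, end in ranges if base <= addr < end), None)


def ssdt_hooks(parsed):
    """SSDT entries with the hook address resolved against the Drivers section, so
    RootRepeal's "Hooked by" attribution is checked rather than taken on trust."""
    ranges, hooks = driver_ranges(parsed), []
    for e in parsed["sections"].get("SSDT", []):
        m = HOOK_RE.search(e.get("Status", ""))
        if not m:
            continue  # e.g. "Status: -" for an unhooked entry
        addr = int(m["addr"], 16)
        claimed = m["module"].rsplit("\\", 1)[-1]
        resolved = module_at(addr, ranges)
        hooks.append({"index": int(e["#"]), "function": e["Function Name"], "address": addr,
                      "claimed_module": claimed, "resolved_module": resolved,
                      "attribution_consistent": (resolved or "").lower() == claimed.lower()})
    return hooks


def file_findings(parsed):
    """Hidden/Locked Files entries with the API-vs-raw size delta computed where reported."""
    out = []
    for f in parsed["sections"].get("Hidden/Locked Files", []):
        item = {"path": f["Path"], "status": f.get("Status", "")}
        if m := MISMATCH_RE.search(item["status"]):
            api, raw = int(m["api"]), int(m["raw"])
            item.update(kind=m["kind"].lower(), api=api, raw=raw, delta=api - raw)
        out.append(item)
    return out
```

To run it on the full log, pass the file contents to parse_rootrepeal() instead of SAMPLE_LOG. What to escalate is a hook whose address resolves to no loaded driver, or to a different driver than the one RootRepeal names; here the address lands inside the SASKUTIL.SYS image, which is consistent with the reported attribution. For the size mismatches, a file that is being written while the scan runs can legitimately report different API and raw sizes, so the delta is kept per entry to allow re-checking the same paths on a later scan rather than judging from one snapshot.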