first time using rootrepeal questions

Discussion in 'other anti-malware software' started by wutsup, Sep 20, 2009.

Thread Status:
Not open for further replies.
  1. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    634
    Location:
    United States
    Hey, this is my first post and I have a question about RootRepeal. I scanned everything tab by tab and I only have hooked/hidden files in the SSDT section and Files section. Can anyone inform me if these are rootkits or just false positives? Here are the logs for the SSDT tab and Files tab. (Sorry I didn't do a full report log, but nothing else showed up except for these 2 tabs.)

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/09/20 17:15
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Hidden/Locked Files
    -------------------
    Path: C:\WINDOWS\system32\wbem\Logs\wbemess.log
    Status: Size mismatch (API: 8064, Raw: 7104)

    Path: H:\System Volume Information\_restore{C22E1048-725E-4AD2-83D8-8E4B7702AB3D}\RP730\CHANGE.LOG
    Status: Allocation size mismatch (API: 16384, Raw: 4096)

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/09/20 17:22
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Not hooked

    #: 053 Function Name: NtCreateThread
    Status: Not hooked

    #: 063 Function Name: NtDeleteKey
    Status: Not hooked

    #: 065 Function Name: NtDeleteValueKey
    Status: Not hooked

    #: 098 Function Name: NtLoadKey
    Status: Not hooked

    #: 119 Function Name: NtOpenKey
    Status: Not hooked

    #: 122 Function Name: NtOpenProcess
    Status: Not hooked

    #: 128 Function Name: NtOpenThread
    Status: Not hooked

    #: 193 Function Name: NtReplaceKey
    Status: Not hooked

    #: 204 Function Name: NtRestoreKey
    Status: Not hooked

    #: 247 Function Name: NtSetValueKey
    Status: Not hooked

    #: 257 Function Name: NtTerminateProcess
    Status: Not hooked
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    By what you've posted everything is fine with the log. You probably had those two entries because of system activity - both are Windows log files, Windows Management Instrumentation and System Restore.
     
    Last edited: Sep 20, 2009
  3. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    634
    Location:
    United States
    Oh ok, thx for replying, but the funny thing is that the SSDT hooked entries show up as hooked/red and unknown in the RootRepeal program, but in the log it says it's unhooked? Are these just false positives?
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yes, I can see you have nothing hooked. So which ones are red entries in the program?
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Perhaps you could post a full log and report the problem you're having here to the developer a_d_13.
     
  6. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    634
    Location:
    United States
    The SSDT log shows that it's not hooked, but in RootRepeal it shows up as hooked/highlighted in red.
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Posted just before you above.
     
  8. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    634
    Location:
    United States
    Hahaha, yeah, right when I posted I saw your reply, but I'll try the forum u told me.
     
  9. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    634
    Location:
    United States
    Hey Meriadoc, I did a rescan but with the report tab of RootRepeal, and now it shows the 12 red/hooked SSDT entries as it should. Here is the log. Are these rootkits?

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/09/20 18:32
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xF43DA000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7B6C000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: mchInjDrv.sys
    Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
    Address: 0xF7D23000 Size: 2560 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB8CD3000 Size: 49152 File Visible: No Signed: -
    Status: -

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "<unknown>" at address 0xf7d285e6

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0xf7d285dc

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "<unknown>" at address 0xf7d285eb

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "<unknown>" at address 0xf7d285f5

    #: 098 Function Name: NtLoadKey
    Status: Hooked by "<unknown>" at address 0xf7d285fa

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "TfSysMon.sys" at address 0xf7690f68

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "<unknown>" at address 0xf7d285c8

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "<unknown>" at address 0xf7d285cd

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "<unknown>" at address 0xf7d28604

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "<unknown>" at address 0xf7d285ff

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "<unknown>" at address 0xf7d285f0

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0xf7d285d7

    ==EOF==
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Drivers are okay; the mchInjDrv.sys driver is used in a lot of good software but has been flagged by AV 'because used by bad programs,' but is FP.

    TfSysMon.sys I think is Threatfire? What antimalware do you use? Looks like someone is lazy and not naming their hooks.

    Edit: before using an antirootkit, disable antimalware - I would go as far as uninstalling it and stopping all programs.
     
    Last edited: Sep 20, 2009
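    The two SSDT reports above differ only in the Status line per function, and the "<unknown>" hooks are the ones RootRepeal could not tie to a module name. The script below is an added example for this thread, not RootRepeal's own code: it parses the Drivers and SSDT sections of a report, diffs the SSDT status between two scans, and checks whether each hook address falls inside the image range of a driver the report lists (which is the information the Drivers section gives you). The two log excerpts are constructed from the values posted in this thread and follow the layout of the posted reports; with those values no hook address lands inside any listed driver, which matches the "<unknown>" the program printed, so the test at the bottom also uses a made-up driver range to show the positive case.

```python
"""Parse RootRepeal 'Drivers' and 'SSDT' report sections, diff SSDT status
between two scans, and attribute hook addresses to listed driver ranges.
Added example for this thread; not RootRepeal code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the 17:22 scan from the thread (no hooks reported).
LOG_1722 = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/20 17:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Not hooked

#: 119 Function Name: NtOpenKey
Status: Not hooked

#: 122 Function Name: NtOpenProcess
Status: Not hooked
"""

# Constructed excerpt of the 18:32 report-tab scan (same functions, now hooked).
LOG_1832 = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/20 18:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7D23000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8CD3000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7d285e6

#: 119 Function Name: NtOpenKey
Status: Hooked by "TfSysMon.sys" at address 0xf7690f68

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7d285c8

==EOF==
"""


@dataclass
class Driver:
    name: str
    base: int   # load address from the "Address:" field
    size: int   # image size in bytes from the "Size:" field

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class SsdtEntry:
    index: int
    name: str
    status: str              # raw Status line
    hooked: bool
    owner: Optional[str]     # module name RootRepeal printed, e.g. "<unknown>"
    address: Optional[int]   # hook target address, if hooked


# A section is a title line followed by a line of dashes.
SECTION_RE = re.compile(r"^([A-Za-z][\w/ ]*)\n-{5,}\n", re.M)
DRIVER_RE = re.compile(r"Name: (\S+)\nImage Path: [^\n]*\nAddress: (0x[0-9A-Fa-f]+) Size: (\d+)")
SSDT_RE = re.compile(r"#: (\d+) Function Name: (\S+)\nStatus: ([^\n]*)")
HOOK_RE = re.compile(r'Hooked by "([^"]*)" at address (0x[0-9A-Fa-f]+)')


def sections(log: str) -> Dict[str, str]:
    """Split a report into {section title: section body}."""
    heads = list(SECTION_RE.finditer(log))
    out: Dict[str, str] = {}
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log)
        out[m.group(1).strip()] = log[m.end():end]
    return out


def parse_drivers(body: str) -> List[Driver]:
    return [Driver(n, int(a, 16), int(s)) for n, a, s in DRIVER_RE.findall(body)]


def parse_ssdt(body: str) -> List[SsdtEntry]:
    entries = []
    for idx, name, status in SSDT_RE.findall(body):
        hook = HOOK_RE.search(status)
        if hook:
            entries.append(SsdtEntry(int(idx), name, status, True, hook.group(1), int(hook.group(2), 16)))
        else:
            entries.append(SsdtEntry(int(idx), name, status, False, None, None))
    return entries


def attribute_hooks(drivers: List[Driver], entries: List[SsdtEntry]) -> Dict[str, Tuple[str, Optional[str]]]:
    """For each hooked function: (owner RootRepeal printed, listed driver whose
    range covers the hook address, or None when no listed driver covers it)."""
    result = {}
    for e in entries:
        if e.hooked:
            covering = next((d.name for d in drivers if d.contains(e.address)), None)
            result[e.name] = (e.owner, covering)
    return result


def diff_ssdt(log_a: str, log_b: str) -> Dict[str, Tuple[str, str]]:
    """Functions whose SSDT Status line differs between two reports."""
    a = {e.name: e.status for e in parse_ssdt(sections(log_a).get("SSDT", ""))}
    b = {e.name: e.status for e in parse_ssdt(sections(log_b).get("SSDT", ""))}
    return {n: (a[n], b[n]) for n in a if n in b and a[n] != b[n]}


if __name__ == "__main__":
    secs = sections(LOG_1832)
    drivers = parse_drivers(secs["Drivers"])
    for fn, (owner, covering) in attribute_hooks(drivers, parse_ssdt(secs["SSDT"])).items():
        print(f"{fn}: reported owner {owner}, covering listed driver {covering}")
    for fn, (before, after) in diff_ssdt(LOG_1722, LOG_1832).items():
        print(f"{fn}: {before!r} -> {after!r}")
```

    The point of the range check is that "<unknown>" only means the hook address was not inside any module RootRepeal could name; comparing the address against the Drivers section is a quick way to see whether one of the drivers it did list could account for it. A hook that no listed driver covers is a reason to pass the full log to the developer, as suggested above, not a verdict on its own.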
  11. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    634
    Location:
    United States
    Yes, I know that TfSysMon is Threatfire since I use that, but I don't know why the other ones show unknown? Oh, and Meria, were u calling me lazy? lol
     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    No lol :D .

    I thought there were more Threatfire hooks. What other protection do you use? Any emulation software?
     
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Folks,

    The Wilders site is not in the business of analyzing diagnostic logs. If you have a diagnostic log to get analyzed, please go to a site focused on that type of activity. This type of analysis is oftentimes subtle, miscues can result in substantial problems, and it is therefore best entrusted to experienced hands.

    With that..., thread closed.

    Regards,

    Blue
     