ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2010/08/26 17:23
Program Version:    Version 1.3.5.0
Windows Version:    Windows XP SP2
==================================================

Drivers
-------------------
Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7A4F000    Size: 1664    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\windows\system32\drivers\rootrepeal.sys
Address: 0xB1CE0000    Size: 49152    File Visible: No    Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF7991000    Size: 5248    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 025    Function Name: NtClose
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb3e7d618

#: 037    Function Name: NtCreateFile
Status: Hooked by "C:\windows\system32\drivers\fwdrv.sys" at address 0xb417ec5c

#: 041    Function Name: NtCreateKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb3e7d4d4

#: 047    Function Name: NtCreateProcess
Status: Hooked by "C:\windows\system32\drivers\fwdrv.sys" at address 0xb417e031

#: 048    Function Name: NtCreateProcessEx
Status: Hooked by "C:\windows\system32\drivers\fwdrv.sys" at address 0xb417deae

#: 053    Function Name: NtCreateThread
Status: Hooked by "" at address 0xb833e42c

#: 062    Function Name: NtDeleteFile
Status: Hooked by "C:\windows\system32\drivers\fwdrv.sys" at address 0xb417f4b5

#: 063    Function Name: NtDeleteKey
Status: Hooked by "" at address 0xb833e43b

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb3e7d9b2

#: 068    Function Name: NtDuplicateObject
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb3e7d0ac

#: 097    Function Name: NtLoadDriver
Status: Hooked by "C:\windows\system32\drivers\khips.sys" at address 0xb3fcf8b0

#: 098    Function Name: NtLoadKey
Status: Hooked by "" at address 0xb833e44a

#: 108    Function Name: NtMapViewOfSection
Status: Hooked by "C:\windows\system32\drivers\khips.sys" at address 0xb3fcfa20

#: 116    Function Name: NtOpenFile
Status: Hooked by "C:\windows\system32\drivers\fwdrv.sys" at address 0xb417ef27

#: 119    Function Name: NtOpenKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb3e7d5ae

#: 122    Function Name: NtOpenProcess
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb3e7cfec

#: 128    Function Name: NtOpenThread
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb3e7d050

#: 177    Function Name: NtQueryValueKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb3e7d6ce

#: 193    Function Name: NtReplaceKey
Status: Hooked by "" at address 0xb833e454

#: 204    Function Name: NtRestoreKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb3e7d68e

#: 206    Function Name: NtResumeThread
Status: Hooked by "C:\windows\system32\drivers\fwdrv.sys" at address 0xb417e71f

#: 224    Function Name: NtSetInformationFile
Status: Hooked by "C:\windows\system32\drivers\fwdrv.sys" at address 0xb417f229

#: 247    Function Name: NtSetValueKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb3e7d80e

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "" at address 0xb833e427

#: 274    Function Name: NtWriteFile
Status: Hooked by "C:\windows\system32\drivers\fwdrv.sys" at address 0xb417f186

Stealth Objects
-------------------
Object: Hidden Code [Driver: prodrv06ȅఆ剒敬鯠, IRP_MJ_CREATE]
Process: System    Address: 0xe1e5b420    Size: 1404

Object: Hidden Code [Driver: prodrv06ȅఆ剒敬鯠, IRP_MJ_CLOSE]
Process: System    Address: 0xe1e5b420    Size: 1404

Object: Hidden Code [Driver: prodrv06ȅఆ剒敬鯠, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0xe1e5b420    Size: 1404

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]
Process: System    Address: 0xe1a38508    Size: 887

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CLOSE]
Process: System    Address: 0xe1a38508    Size: 887

Object: Hidden Code [Driver: prohlp02, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0xe1a38508    Size: 887

==EOF==