Any thoughts on this please?

>SSDT State
NtClose
Actual Address 0xF7C82514
Hooked by: sbhr.sys

NtCreateKey
Actual Address 0xF7C82552
Hooked by: sbhr.sys

NtOpenKey
Actual Address 0xF7C824D0
Hooked by: sbhr.sys

NtSetValueKey
Actual Address 0xF7C825A2
Hooked by: sbhr.sys

>Shadow
>Processes
>Drivers
>Stealth
>Files
>Hooks
ntoskrnl.exe+0x00005B22, Type: Inline - RelativeJump at address 0x804DCB22 hook handler located in [ntoskrnl.exe]
[1124]pwsafe.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[1320]razertra.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[1324]PowerMenu.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[1936]speedfan.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[2140]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[2188]CToolbar.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[2260]CMail.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[2984]Opera.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[2988]PopTray.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[3020]RootkitRevealer.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[3024]razerofa.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[3372]nod32kui.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[3404]winampa.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[3420]CTSysVol.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[3532]razerhid.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[3732]SBCSTray.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
[3752]StartKiller.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [raphook.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)


TIA



TOG

Normal. No rootkit. sbhr.sys is part of Sunbelt's CounterSpy, raphook.dll is part of the ATI video driver set, and shimeng.dll is a Microsoft system file.

Thanks.



TOG

FYI, RkU is no longer being supported, and has been withdrawn by its author. I would suggest not using it any longer.

Just out of interest, what's the first Hooks entry (ntoskrnl.exe)?



TOG

It is a critical Microsoft file considered to be one of the core operating system files, also known collectively as the "kernel", which handles a number of basic and critical functions for the operating system.