Wilders Security Forums  

#126
January 22nd, 2007, 11:28 PM
Rodehard (Regular Poster; Join Date: Feb 2004; Posts: 90)
Re: RkUnhooker RC3 released

Other than the actual error number (something like 0x00000005c, but I will write it down) I can't think of what else I could tell you. Please re-read my post for details. You're wearing out the compatibility excuse. I just explained that two of my PCs had no security software installed whatsoever. Other than the operating system, there is nothing to be incompatible with.
#127
January 23rd, 2007, 03:34 AM
EP_X0FF (Frequent Poster; Join Date: Nov 2006; Posts: 233)
Re: RkUnhooker RC3 released

If you can, please post a screenshot. It can't be incompatibility with Windows, for obvious reasons. An internal exception means that something in these systems is unexpectedly interrupting the program's work.
__________________
Ring0 - the source of inspiration
#128
January 23rd, 2007, 01:43 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: RkUnhooker RC3 released

Rodehard


It appears you will get "parasite inside itself" if you are running IE7.

Do all of your systems have the same video card?

Did you use the same Windows install CD on all 4 computers?

controler
#129
January 23rd, 2007, 04:23 PM
Rodehard (Regular Poster; Join Date: Feb 2004; Posts: 90)
Re: RkUnhooker RC3 released

Sorry for the delay, busy morning.

Controler - Yes on IE7 for all machines; no duplicate video cards, but two are Nvidia and two have ATI chips; 3 OEM XP installs and one, um, whatever you call a non-OEM OS install; all XP Pro SP2.

EP_X0FF - I can do screenshots if I absolutely have to, but for now it's more trouble than it's worth.
Just dealing with one PC at the moment. This is a P4 2.6 GHz with 3 GB RAM. No security software other than.... GreenBorder, SpywareBlaster and FirstDefense-ISR (these are the only applications, other than OS/IE7, that all my PCs have in common). Gaming and Windows updates are the only internet access, and only one game at that (Massive Assault).

Via Task Manager shut down to 21 processes, only system and FDISR files running. RKU starts up, I get the parasite msg: Unk remote thread, thread ID: 2664 Priority:8. This is not a PIN num; how do I locate a thread by number? OK, continue; all looks well, no red entries. Nothing alarming under any tabs. Go to the Report tab and select "Scan". Runs for a few minutes and I get an error msg telling me Windows could not start the program, a component was not found, reinstalling the application may solve the problem. This is the first time I have gotten this error on any of my PCs. It was always the unhandled exception error in the past. If it's still installed I will try it on another PC and see what error I get.

Hmmm, OK, I reinstall RKU (3.01.100.360), reboot, and the exact same thing happens, except this time the thread ID of the parasite is 2956.

So, IE7, FDISR? If it's IE7 then you might as well do away with the parasite msg. Otherwise all you're doing is yelling fire in a crowded theater. This would make that feature(?) useless as far as I'm concerned, not to mention what it would do to your target market. Anyway, OK, does this give you any clues?

Just so you know, I did not clear temp dirs or uninstall RKU prior to the reinstall.
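An added PowerShell example, not code from this thread or from RkUnhooker, that answers the "how do I locate a thread by number?" question in the post above. It walks the .NET System.Diagnostics.Process thread and module lists to find the process that owns a given thread ID and to name the loaded module containing the thread's start address. Treating a start address that falls outside every loaded module as "unknown" is an assumption made here for illustration, not RkUnhooker's own criteria for its remote-thread warning. The two thread IDs are the sample values quoted in the post; they are reassigned on every boot.

```powershell
# Added example, not code from the thread or from the RkUnhooker project.
# Maps a thread ID reported by an anti-rootkit tool back to its owning
# process and shows which loaded module (if any) contains the thread's
# start address. Thread IDs are reassigned on every boot, so the IDs
# quoted in the post (2664, 2956) are sample input only.

function Find-ThreadOwner {
    param([Parameter(Mandatory)][int]$ThreadId)

    foreach ($proc in Get-Process) {
        $thread = $proc.Threads | Where-Object { $_.Id -eq $ThreadId }
        if (-not $thread) { continue }

        $start  = [int64]$thread.StartAddress
        $module = 'unknown'   # module list unreadable, or start address outside every module
        try {
            # Reading Modules fails with access denied for protected/system
            # processes and for 32/64-bit mismatches; treat that as "unknown".
            foreach ($m in $proc.Modules) {
                $base = [int64]$m.BaseAddress
                if ($start -ge $base -and $start -lt ($base + $m.ModuleMemorySize)) {
                    $module = $m.ModuleName
                    break
                }
            }
        } catch { }

        return [pscustomobject]@{
            ThreadId        = $ThreadId
            ProcessId       = $proc.Id
            ProcessName     = $proc.ProcessName
            StartAddress    = '0x{0:X}' -f $start
            StartModule     = $module
            BasePriority    = $thread.BasePriority
            CurrentPriority = $thread.CurrentPriority
            State           = $thread.ThreadState
        }
    }
    Write-Warning "Thread $ThreadId not found: it may have exited, or the ID is from an earlier session."
}

# Usage with the sample IDs from the post. Run it while the tool's warning is
# still on screen, because the thread has to be alive to be found.
2664, 2956 | ForEach-Object { Find-ThreadOwner -ThreadId $_ }
```

The start module is the useful field for triage: a thread started inside a Microsoft system DLL in a process you expect to be running is a very different finding from one whose start address lies in no module at all. Run from an elevated prompt, otherwise the module lists of system processes cannot be read and the module column stays "unknown".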
#130
January 24th, 2007, 12:57 AM
EP_X0FF (Frequent Poster; Join Date: Nov 2006; Posts: 233)
Re: RkUnhooker RC3 released

Quote:
So, IE7, FDISR? If it's IE7 then you might as well do away with the parasite msg. Otherwise all you're doing is yelling fire in a crowded theater. This would make that feature(?) useless as far as I'm concerned, not to mention what it would do to your target market. Anyway, OK, does this give you any clues?

That's more a question for Microsoft: what did they do in their IE7 that forces this alarm? If we start to do compatibility with strange behaviour of browsers/security programs and other "legit" stuff, we will be blind.

Awaiting your screenshot; after that we can tell you where and what kind of error occurred.
__________________
Ring0 - the source of inspiration
#131
January 24th, 2007, 10:35 AM
Bubba (Global Moderator; Join Date: Apr 2002; Posts: 11,279)
Re: RkUnhooker RC3 released

Quote:
Originally Posted by controler
It appears you will get "parasite inside itself" if you are running IE7.
I now feel confident that is the case, considering the only hooks on this XP SP2 are Ghost Security. Even with that totally removed there was still this parasite burp from RKU. In my travels this AM I ran across this thread at Sysinternals, and since I have been wanting to go to this new hard drive anyway.... I experienced the same as poster Saso in that above-mentioned thread.... virgin XP SP2 and no burp.... install IE7 and RKU burps.

Quote:
Originally Posted by EP_X0FF
We will try to find copy of IE7 to make some tests.
Hopefully when EvilPhantasy and gang find a copy of IE7 they can play around a bit to see what IE7 is actually doing.... even if it's for kicks and grins.
Attached Images
#132
January 24th, 2007, 12:21 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: RkUnhooker RC3 released

Hi Bubba

It's not that they need a copy of IE7; they don't have a legit copy of XP, so they can't upgrade to IE7, LOL.

EP_XOFF is there anything we can look for to help you out with IE7?

controler
#133
January 24th, 2007, 12:41 PM
Rodehard (Regular Poster; Join Date: Feb 2004; Posts: 90)
Re: RkUnhooker RC3 released

Quote:
Originally Posted by EP_X0FF
That's more a question for Microsoft: what did they do in their IE7 that forces this alarm? If we start to do compatibility with strange behavior of browsers/security programs and other "legit" stuff, we will be blind.

Awaiting your screenshot; after that we can tell you where and what kind of error occurred.

I'm sorry, this is like talking to a wall. Since the software can't be expected to be compatible with anything and troubleshooting requires pictures, I have lost interest. GMER works, maybe I will try it again.......
#134
January 24th, 2007, 02:00 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: RkUnhooker RC3 released

rodehard

Even if you get the "parasite inside itself", you should still be able to run RKU.
I have an Nvidia video card and can run it just fine. Since you have all 4 doing the same thing, I am guessing you have set some weird setting that the rest of us don't use, if what you say is true and you have no firewall or other security software running.
Why is it so tough to post a screenshot? All you need is, say, ScreenHunter Free.
It appears you don't have the patience to be using an ARK.

controler
#135
January 24th, 2007, 03:59 PM
Rodehard (Regular Poster; Join Date: Feb 2004; Posts: 90)
Re: RkUnhooker RC3 released

Quote:
Originally Posted by controler
rodehard

Even if you get the "parasite inside itself", you should still be able to run RKU.
I have an Nvidia video card and can run it just fine. Since you have all 4 doing the same thing, I am guessing you have set some weird setting that the rest of us don't use, if what you say is true and you have no firewall or other security software running.
Why is it so tough to post a screenshot? All you need is, say, ScreenHunter Free.
It appears you don't have the patience to be using an ARK.

controler

I mean no offense, but it appears no one reads my posts. The parasite warning was just a side issue. What I was seeking advice about was that I couldn't get it to complete a scan on any of four PCs with four different configurations. I have given all the information I have and all the information contained in the error messages; screenshots would add nothing to what I have stated.
The fact is that my primary PC is down while I wait for replacement RAM. The PC I was addressing in my posts is strictly for gaming and is not configured with screen-capturing software beyond the OS. I'm posting from my laptop for now. So, as I previously stated, screenshots were a PITA at the moment and, again, pointless.

My apologies for my impatience; too many years as a cop and infantry sergeant have ruined me for polite society, I'm afraid. In any case, I hope I have not annoyed anyone other than EP_X0FF, as my impatience was with him only. I read this forum routinely and have nothing but respect for what you guys do and your efforts in helping others. As for RKU, I will check it out again at some later time, perhaps. Wishing everyone a nice day........
#136
January 25th, 2007, 03:03 AM
EP_X0FF (Frequent Poster; Join Date: Nov 2006; Posts: 233)
Re: RkUnhooker RC3 released

Quote:
Originally Posted by Rodehard
screen shots would add nothing to what I have stated.

Screenshots will give us information about the address and type of the error that occurred. For me it's more interesting/helpful than anything else.

Quote:
Originally Posted by controler
EP_XOFF is there anything we can look for to help you out with IE7?

Thanks, but it looks like no. I have one guess: that this remote thread was created from one of the updated Microsoft libraries such as advapi32.dll, shell32.dll... It is just a question of time before we get a "normal" copy of IE7 to perform debugging.

@Bubba

Your screenshot demonstrates a part of Rootkit Unhooker driver loading procedure - writing driver keys to registry.
__________________
Ring0 - the source of inspiration

Last edited by EP_X0FF : January 25th, 2007 at 07:21 AM.
#137
January 25th, 2007, 07:02 AM
Bubba (Global Moderator; Join Date: Apr 2002; Posts: 11,279)
Re: RkUnhooker RC3 released

Quote:
Originally Posted by EP_X0FF
@Bubba

Your screenshot demonstrates a part of Rootkit Unhooker driver loading procedure - writing driver keys to registry.
I'm unsure what you are saying
#138
January 25th, 2007, 07:21 AM
EP_X0FF (Frequent Poster; Join Date: Nov 2006; Posts: 233)
Re: RkUnhooker RC3 released

...Services\rkhdrv31 <- this is the registry entry for the Rootkit Unhooker driver
imagepath <- path to the rkhdrv31.sys driver file

so in this screenshot I see a warning about writing this entry to the registry
__________________
Ring0 - the source of inspiration
#139
January 25th, 2007, 10:25 AM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: RkUnhooker RC3 released

If I look at Device Manager, show hidden devices, RKU's driver is listed twice on my machine. Is that normal?

thanks

controler
#140
January 25th, 2007, 12:19 PM
EP_X0FF (Frequent Poster; Join Date: Nov 2006; Posts: 233)
Re: RkUnhooker RC3 released

Quote:
Originally Posted by controler
If I look at Device Manager , show hidden devices, RKU's driver is listed twice on my machine. Is that normal?

If RkUnhooker was used on this machine before, then yes. Previous versions (< 3.01) did not completely uninstall themselves. So it is the rkhdrv10.sys entry. Currently the driver is named rkhdrv31.sys. It is safe to manually remove the old entry and rkhdrv10.sys, which is located in the windows\system32\drivers folder.
__________________
Ring0 - the source of inspiration
#141
January 25th, 2007, 12:54 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: RkUnhooker RC3 released

OK, thanks, and I see the driver doesn't actually show up in Device Manager until I run a file scan after install. It seems removing the driver in Device Manager also removes the SYS file ;-)


controler
#142
January 25th, 2007, 01:12 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: RkUnhooker RC3 released

The only other error I get in Event Viewer is by Service Control Manager.
Attached Images
#143
January 25th, 2007, 01:18 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: RkUnhooker RC3 released

OK, sorry, I just figured out I get this DCOM error because I have my MS Instant Messenger dir renamed so it won't start up every time I open Outlook Express.

Sorry
#144
January 25th, 2007, 04:16 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: RkUnhooker RC3 released

EP_XOFF

Quote:
If RkUnhooker was used on this machine before, then yes. Previous versions (< 3.01) did not completely uninstall themselves. So it is the rkhdrv10.sys entry. Currently the driver is named rkhdrv31.sys. It is safe to manually remove the old entry and rkhdrv10.sys, which is located in the windows\system32\drivers folder.

Even though I have the driver listed in Device Manager, I cannot find any instance of an rkh*.SYS file on my machine. Is this a hidden file?

controler
#145
January 25th, 2007, 05:56 PM
yankinNcrankin (Frequent Poster; Join Date: May 2006; Posts: 406)
Re: RkUnhooker RC3 released

Open regedit.exe, Edit, Find, then type rkhdrv31; make sure "match whole string only" is not ticked, then press Find Next. If you need to delete the driver, right-click on the Legacy_RKHDRV31 folder; Everyone should be highlighted; tick Allow for Full Control, then Apply; now you can delete the entire folder. Repeat, because there's another entry of the driver, but for this one you don't need to allow Full Control, you can just delete the folder. I think if your OS is Home Edition you may not be able to access Permissions in regedit; then you may have to do it some other way.



To EP_X0FF - I like that inside joke of yours about the MATRIX "knock knock". Interestingly enough, I did find the hidden PID it created, though, upon closing your program. Hope I don't have to worry about anything; I'm sure it was a function strictly for closing RKU.
Attached Thumbnails: fix.PNG (122.2 KB)


Last edited by yankinNcrankin : January 25th, 2007 at 06:34 PM.
#146
January 25th, 2007, 07:13 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: RkUnhooker RC3 released

yankinNcrankin


Thank you

I tried your suggestion and don't get any hits in registry for rkhdrv31
As I do not find any SYS file for RKU in my Sys 32 folder.

controler
#147
January 25th, 2007, 07:23 PM
yankinNcrankin (Frequent Poster; Join Date: May 2006; Posts: 406)
Re: RkUnhooker RC3 released

Did you also search for the earlier driver of the program, rkhdrv10?

Run the RKU program again and try doing a hidden files scan; that's when the driver will load. I'm sure you'll find it then.
#148
January 25th, 2007, 07:26 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: RkUnhooker RC3 released

I tried looking for the driver while scanning before I posted. It never shows on my system. Am I missing something here?
I did a search for RKH*.* even while the scan was running and never see it on my system.
EP_XOFF said all I had to do was delete the old driver in Sys32. I never see any of them, period.
If they are there, they are hidden from my system.

controler
#149
January 25th, 2007, 08:28 PM
EP_X0FF (Frequent Poster; Join Date: Nov 2006; Posts: 233)
Re: RkUnhooker RC3 released

@controler

you should use the "look inside system directories and hidden files" search options, because rkhdrv10.sys/rkhdrv31.sys have the file attribute "hidden"

@yankinNcrankin

this PID was left after the service executable was terminated (Hidden Files Scan)
__________________
Ring0 - the source of inspiration
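An added PowerShell example, not code from this thread or from RkUnhooker, that ties together the leftover-driver questions from posts #138 through #149: the Services\rkhdrv31 key and its ImagePath that EP_X0FF describes, the driver showing up twice under "show hidden devices" when an old rkhdrv10.sys install was never cleaned up, the Legacy_RKHDRV31 node yankinNcrankin deletes by hand, and the hidden file attribute that made controler's search come up empty. The registry paths under HKLM\SYSTEM\CurrentControlSet (Services and Enum\Root\LEGACY_*) and the system32\drivers fallback are standard Windows locations; the two driver names are the ones from the thread. The script only reports and never deletes anything, so it is safe to run before deciding what to clean up.

```powershell
# Added example, not code from the thread or from the RkUnhooker project.
# Reports the traces a kernel-driver install leaves behind, using the names
# from the thread: the service key with its ImagePath, the LEGACY_<NAME>
# device node that Device Manager lists under "show hidden devices", and the
# .sys file, which carries the Hidden attribute and so escapes a default
# search. It only reports; nothing is deleted.

function Resolve-DriverImagePath {
    # A driver's ImagePath is typically "system32\drivers\x.sys",
    # "\SystemRoot\system32\drivers\x.sys" or "\??\C:\...\x.sys".
    param([string]$ImagePath)
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverLeftover {
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($n in $Name) {
        $svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        $legacyKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($n.ToUpper())"

        $hasSvc = Test-Path -LiteralPath $svcKey
        $hasLeg = Test-Path -LiteralPath $legacyKey

        $imagePath = $null
        if ($hasSvc) {
            $imagePath = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
        }

        # When the service key is gone, fall back to the conventional location
        # so a stray file with no key is still reported.
        if ($imagePath) { $file = Resolve-DriverImagePath $imagePath } else { $file = Join-Path $env:SystemRoot "system32\drivers\$n.sys" }

        # -Force is what makes Get-Item return hidden/system files.
        $item   = Get-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
        $hidden = $false
        if ($item) { $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden) }

        [pscustomobject]@{
            Driver     = $n
            ServiceKey = $hasSvc
            LegacyKey  = $hasLeg
            ImagePath  = $imagePath
            File       = $file
            FileExists = [bool]$item
            FileHidden = $hidden
            # A key without its file, or a legacy node without a service, is a leftover.
            Leftover   = ($hasSvc -and -not $item) -or ($hasLeg -and -not $hasSvc)
        }
    }
}

# Usage: the old (rkhdrv10) and current (rkhdrv31) driver names from the thread.
Get-DriverLeftover -Name rkhdrv10, rkhdrv31 | Format-List

# Every legacy device node in the same name family, i.e. what Device Manager
# shows twice when an old install was not cleaned up.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'LEGACY_RKHDRV*' } |
    Select-Object PSChildName
```

The Enum\Root keys are readable without elevation but, as yankinNcrankin found, are protected against deletion by their ACL; this script deliberately stops at reporting so that any removal stays a conscious, manual step.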
#150
January 25th, 2007, 09:21 PM
yankinNcrankin (Frequent Poster; Join Date: May 2006; Posts: 406)
Re: RkUnhooker RC3 released

"this PID has left after service executable was terminated (Hidden Files Scan)" - glad to know; for a second I thought I was about to experience something virtual. It's cool that it randomly renames itself; I don't always get the Matrix knock knock, sometimes another PID with no name at all, totally unknown, very cool.