Rkunhooker infected?!?

The new tool RKUnhooker shows very unusual messages. Beside I also made screens of what ssm told about low level manipulation of rkunhooker.

http://i14.tinypic.com/2rrny4o.png

http://i13.tinypic.com/2hwhgro.png

http://i13.tinypic.com/478lycg.png

Last but not least a short statement of gmer.

http://i13.tinypic.com/47b20s4.png

 

Probably safemon is the reason for RkUnhookers alert, RkUnhooker is well protected (no dlls, no threads to see) but I could gain access to the stack information and I found this:

http://i13.tinypic.com/4ghdta0.png

Beside I allowed the low level access that you can see above. Sorry for the paranoia in this case.

I was a bit too fast.. I found out that the gmer thread(00270000) is the low level access of RKUnhooker.

So nothing to worry I guess.

 

The moment I try to launch Rootkit Unhooker, my system restarts!
It just crashes my system directly.

 

What kind of security software do you have installed additionally?

Maybe we can find the incompatibility hook.

One problem I also saw by using Raide Beta is the thing when you try to unhook everything in your system that in about 70% your system receive a BSOD. But I think it´s quite common phenomenon and usual, due to ring0 structure I guess.

 

This reaktion of RkU is absolute normal in the case you have a security software installed, which loads a dll, exe, sys (syssafe.exe from SSM) file which is not accessable from user moder, etc. RkU intrepretes this behaviour a a possible parasite. I talked to the developer of RkU some weeks ago and he will solve those behaviour with 'known' security applications.

Regarding the reaction of SSM you have to allow RkU low level access to detect hidden processes.

 

Great to know! Thanks!

 

Good point! I rooted myself earlier and was interested also about that prompt, but RKunhooker continued on uninhibited anyway and striked down the hooking code to surface the ghosts i let in.

 

/OT
I deinstalled Rku because of the undiscasable behaviour of it's developer. Such and a....e i can't and won't support.
If somebody is interested in his behaviour read the last 3 pages of following thread
/OT off

 

Yes good point Tommy as I have been following that forum for quite some time now I have added my on little ? and I wanna see if any one in there especially "him" can answer...
but if he cant or they cant then as I said earlier its all proof of concept....http://forum.sysinternals.com/forum_posts.asp?TID=7003&PN=1&TPN=81

 

Yes indeed, beside I recently analyzed the most commercial low level thing I actually saw.. PC Activity Mon. 7.5 Pro, with filemon you can see how a typical behaviour of such superstealth stuff looks.

I will open a new thread here concerning this.