Rootkit Unhooker

Discussion in 'other anti-malware software' started by Z0mBiE, Dec 11, 2006.

Thread Status:
Not open for further replies.
  1. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Re: RkUnhooker RC3 released

    Does RKUnhooker run resident, or is it an on-demand scanner? Also, when setting it up, do you copy the program to its own directory on the C: drive?
     
  2. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    It is an on-demand rootkit scanner/remover. There are three parts to RkUnhooker:

    - main executable (contains the compressed driver and the service application)
    - driver (located in windows\system32\drivers)
    - service executable (extracted only for the Hidden Files Scan, then deleted).
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Re: RkUnhooker RC3 released

    Well, the thing about RKU that impresses me most is its stability. I don't have the necessary knowledge to talk about its detection abilities, but RKU is a tool that never gave me BSODs.
     
  4. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Re: RkUnhooker RC3 released

    Thanks. I have Gmer and RKRevealer on my computer now. Do I have to uninstall these first before running RKUnhooker (I read some of the previous posts), or can I leave them?
     
  5. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    You can leave all of your tools. Just do not start GMER and RkU together in one Windows session.
     
  6. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Re: RkUnhooker RC3 released

    Thanks for the response.
     
  7. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Re: RkUnhooker RC3 released

    Hi, folks: D/L and install went OK w/o any glitch. Then came the program execution: upon opening the program, a small information window: failed to enable debug privilege, not a critical issue; I clicked OK. Then followed a warning window, Integrity Checking: the program has detected a parasite inside itself, type: unknown remote thread; Thread ID: 3376; Priority: 8.
    If I click OK, the program proceeds w/o problem. But if I click Cancel, another warning window appears: integrity corrupted, and then BSOD. My hope vanished as a result. Now I do wish that someone can bring back my HOPE. :D
     
  8. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    Disable your real-time protection programs. Also, rootkit detection software is not intended to be run alongside Host Intrusion Prevention Systems.
     
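    The "unknown remote thread" warning Perman describes, and EP_X0FF's point that a HIPS keeps its hooks and libraries inside other processes even when "disabled", come down to one check: does the process contain threads it did not create itself? The following is an added illustration of that check, not RkUnhooker's code. It runs on Linux (Python 3.8 or later) and compares the kernel's list of threads in /proc/self/task with the threads the Python runtime knows it started; on Windows the same idea is usually done by walking the process's threads from CreateToolhelp32Snapshot and comparing each thread's start address against the process's own modules. The worker thread and the comparison function are assumptions of this example.

    ```python
    """Self-integrity check: flag threads running in this process that the
    program did not create itself (added example, Linux-only, not RKU's code).

    Two views of the same process are compared:
      observed - /proc/self/task, which the kernel fills in regardless of who
                 created the thread (an injected thread appears here)
      known    - threads created through Python's `threading` module, plus the
                 main thread (its native id equals the pid on Linux)
    A thread in the first set but not the second is the "unknown remote
    thread" case: something such as a hook library started it inside us.
    """
    import os
    import threading

    PROC_TASK = "/proc/self/task"


    def observed_thread_ids():
        """Kernel's view: every thread id in this process."""
        try:
            names = os.listdir(PROC_TASK)
        except FileNotFoundError:
            raise RuntimeError("/proc is not available; this demo is Linux-only")
        return {int(n) for n in names if n.isdigit()}


    def known_thread_ids():
        """Runtime's view: threads this program started itself."""
        ids = {t.native_id for t in threading.enumerate() if t.native_id is not None}
        ids.add(os.getpid())  # main thread / thread group leader
        return ids


    def classify_threads(observed, known):
        """Pure comparison so it can be tested on constructed sets.

        Returns (unknown, vanished):
          unknown  - listed by the kernel but not created by us
          vanished - known to us but no longer listed (already exited; benign,
                     but reported so the two views are always reconciled)
        """
        observed, known = set(observed), set(known)
        return sorted(observed - known), sorted(known - observed)


    def integrity_report():
        """Live check. One worker thread is started so that the 'known' path is
        exercised; it stays alive until the comparison is done."""
        started, stop = threading.Event(), threading.Event()

        def worker():
            started.set()
            stop.wait()

        t = threading.Thread(target=worker, daemon=True)
        t.start()
        started.wait()
        try:
            unknown, vanished = classify_threads(observed_thread_ids(), known_thread_ids())
        except RuntimeError:
            return {"unknown": [], "vanished": [], "note": "unsupported platform"}
        finally:
            stop.set()
            t.join()
        return {"unknown": unknown, "vanished": vanished}


    if __name__ == "__main__":
        rep = integrity_report()
        if rep["unknown"]:
            print("integrity warning: unknown thread(s) in this process:", rep["unknown"])
        else:
            print("no unknown threads")
    ```

    A thread started by a native library loaded into the process (the Linux analogue of a HIPS or AV hook DLL) shows up in the kernel view but not the runtime view, which is exactly why EP_X0FF says switching protection off in its GUI is not enough: the library, and the thread it started, are still there.
    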
  9. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Last edited by a moderator: Jan 21, 2007
  10. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    Usually numbers < 64 are normal. But in your case, if your CPU is an Intel with HT, it is a very good number for it.
     
  11. pugmug

    pugmug Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    413
    Re: RkUnhooker RC3 released

    Very nice program. I wish I could understand better what it is telling me, lol. The best I can say is that I have an Intel HT CPU and get a reading of 81.
     
  12. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    If you have any problems interpreting your log, post it and we will help.
     
  13. pugmug

    pugmug Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    413
    Re: RkUnhooker RC3 released

    I thank you for that statement.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Re: RkUnhooker RC3 released

    Hi,

    I decided to install it on my real system (I hope my system isn't "owned" now :shifty:), but I noticed that it performed (GUI drawing) a bit faster on my virtual machine with the same security tools installed. How is this possible? Also, how come that when you install the tool with Sandboxie you get to see other/more files in the RkUnhooker folder? Btw, you might want to fix the GUI so that column size and sorting will be remembered. ;)
     
  15. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Re: RkUnhooker RC3 released

    I tried it out last night and it is stable with the latest versions of Comodo, SSM and PG.
     
  16. EASTER.2010

    EASTER.2010 Guest

    Re: RkUnhooker RC3 released

    And it should remain that way.

    I've been following this ingenious creation from the moment of its first public, albeit beta, inception/release, and nothing even comes close to matching its abilities. The authors/developers are extremely forthright and firm in their determination to continue to advance this uniquely stable RK detector/destroyer program, which as it turns out is tremendously helpful, just as they are in returning responses asked of them.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Re: RkUnhooker RC3 released

    Hello,

    First, a very good and effective tool, EP, but ....

    A serious question:

    How does an average computer user distinguish between 'good' and 'bad' items and make good and effective use of your tool?

    I installed Windows XP from scratch.
    Tried your tool.

    Don't remember the exact code right now... so sorry for the inaccuracy; I will post it later if you are interested.

    Report: various files are flagged as open for another user ...
    > Possible rootkit activity detected.

    These files are various files like desktop.ini and other semi-hidden files, mainly in and around Local Settings and user settings. Nothing special. BUT ... how does an average guy tell that they are legit files and not suspect being rooted?

    Another item that pops to mind is ewido guard. It is a hidden system driver. Then various firewall drivers ...

    So, what to do? If a user is smart enough to use your tool, he probably does not need it. On the other hand, people in doubt, what should they do?

    Cheers,
    Mrk
     
  18. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    Hello,

    It's impossible to filter legit rootkit-like applications from malware. This tool is intended for rootkit searching and destroying, not for heuristic-based analysis of rootkit-like stuff. Any firewall that hooks something in ndis.sys or wanarp.sys automatically becomes rootkit-like. To filter all this security stuff, it would be necessary to create a huge database that updates quickly. We simply do not want to do that because:
    - we don't have such resources
    - such databases can be easily compromised

    "Opened for exclusive access by System or other app..."
    Blocked from access means that they cannot be opened by user/system, because they are locked (opened for exclusive access). How can we filter this if, for example, a malware rootkit attaches itself to an smss.exe ADS and locks it? We can't simply ignore blocked files. But every time the scan will also list the registry hives (because they are locked), pagefile.sys :)
    We do not want to compromise, because after this rootkits will win.
    Yes, this program is not for dummies; if you have a rootkit, even if you are really smart, sometimes it is very hard to get rid of it.
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Re: RkUnhooker RC3 released

    Hello,
    Maybe... just maybe ...
    Try to associate between blocked files, registry entries and running processes.
    Make a deeper connection than just a general observation; attack the problem from several angles.
    I hope I'm not talking out of my ass.
    Mrk
     
  20. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    We are concentrating more on detection methods than on behaviour analysis, but anyway, thank you for your suggestions :)
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Re: RkUnhooker RC3 released

    No comments on post nr 114? :blink:
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Re: RkUnhooker RC3 released

    "it performed (GUI drawing) a bit faster on my virtual machine with the same security tools installed"
    I guess there's less to scan?

    "how come that when you install the tool with Sandboxie, you will get to see other/more files in the RkUnhooker folder?"
    Probably something to do with hooks etc.; in the sandbox it's not hooked, lol.

    "( I hope my system isn´t "owned" now )"
    Even though it was a joke and I get it, he probably didn't take it very well :D, which I also understand.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Re: RkUnhooker RC3 released

    Well, my apologies, but I'm a paranoid guy. :shifty:
     
  24. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    91
    Re: RkUnhooker RC3 released

    It just won't work for me. I have installed RKU on 4 PCs with no success. RKU installs OK and even starts up, and I see the listed hooks, but if I run any of the scans I get an unhandled exception error and the program exits. This is much improved, as it used to lock up or BSOD during a scan. Anyway, I get exactly the same scenario on all 4 PCs, two of which (games) have no security software installed at all. KIS on one and AntiVir Pro on one, and, oh yes, SSM on one of the game PCs. In all cases I terminate any running programs, including their processes, via Task Mgr, leaving only the necessary system processes. All XP Pro SP2, all updates. One PC is only a week old and I built it with all new hardware.

    Same thing every time and on every PC: RKU announces it has detected a running process within itself and terminates it, continues on, and I then see listed items under each tab except "Report" and "Hidden Files". I can look around all I want, but if I hit the "Scan" button under any tab, or if I click the "Report" button, I get the unhandled exception error after a few minutes and RKU goes mammary up. I'm, of course, befuddled as to why I can't get your program to run properly on any of 4 PCs. I'm also curious as to why it seems to always find a hidden process within itself to shut down. Just creating healthy paranoia?

    Ideas?
     
  25. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    First, when talking about exceptions, it would be better to post some information about them, so we can decide whether it was our fault or it was forced by some other reason.

    In some cases disabling security software from its interface is not enough, because its drivers, hooks and libraries are still working even in the disabled state. We can't add compatibility with all the security combos that can be on users' computers.

    It is not hidden. It is inaccessible from User Mode. There is a big difference between "Hidden From Windows API" and "Inaccessible from User Mode". A program can be not hidden, yet no other program can open it for access.
     
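    The distinction EP_X0FF draws here is the basis of every cross-view rootkit check: take the process list the normal API hands out, take a second list obtained some other way, and diff them. The following is an added illustration of that diff, not RkUnhooker's code, written for Linux (Python 3.8 or later) rather than Windows. The "API view" is a directory read of /proc; the second view probes every PID in the kernel's range with kill(pid, 0), which answers 0 for a process we may signal, EPERM for one that exists but is not ours, and ESRCH for none. A PID that answers the probe but is absent from the listing is the hidden case; a PID that is listed but answers EPERM is exactly the "not hidden, but inaccessible" case EP_X0FF describes. The PID-range cap and the helper names are this example's own assumptions.

    ```python
    """Cross-view process check: hidden from enumeration vs. inaccessible
    (added example for Linux; not RKU's code).

    Views compared:
      listed - numeric entries returned by reading /proc (the API view)
      probed - kill(pid, 0) for every pid up to pid_max:
               'ok' exists and signalable, 'eperm' exists but not ours,
               'none' no such process
    """
    import os

    PROC = "/proc"


    def listed_pids():
        """API view: what a directory read of /proc returns."""
        return {int(n) for n in os.listdir(PROC) if n.isdigit()}


    def probe_pid(pid):
        """Second view: does the kernel know this pid, regardless of listing?"""
        try:
            os.kill(pid, 0)
            return "ok"
        except ProcessLookupError:
            return "none"
        except PermissionError:
            return "eperm"


    def is_thread_not_process(pid):
        """kill() also answers for thread ids (it signals the whole group), so a
        non-leader TID would look 'hidden'. /proc/<tid> is reachable by path
        even though readdir does not list it; Tgid says whether it is a thread.
        No /proc entry at all means a real candidate, so False is returned."""
        try:
            with open(f"{PROC}/{pid}/status") as f:
                for line in f:
                    if line.startswith("Tgid:"):
                        return int(line.split()[1]) != pid
        except OSError:
            return False
        return False


    def classify(listed, probed, thread_ids=frozenset()):
        """Pure comparison, testable on constructed input.

        listed:     set of pids from enumeration
        probed:     dict pid -> 'ok' | 'eperm' | 'none'
        thread_ids: pids that answered the probe but are known to be TIDs
        """
        hidden, inaccessible, accessible = [], [], []
        for pid, state in sorted(probed.items()):
            if state == "none":
                continue  # a listed pid answering ESRCH just exited: ignore
            if pid not in listed:
                if pid not in thread_ids:
                    hidden.append(pid)  # kernel knows it, enumeration does not
                continue
            (inaccessible if state == "eperm" else accessible).append(pid)
        return {"hidden": hidden, "inaccessible": inaccessible, "accessible": accessible}


    def scan(max_pid=None):
        """Live scan. A process exiting between the two views would look hidden,
        so the listing is taken before and after the probe and only pids absent
        from both count as missing. Returns None where /proc does not exist."""
        if not os.path.isdir(PROC):
            return None
        if max_pid is None:
            with open(f"{PROC}/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        before = listed_pids()
        probed = {pid: probe_pid(pid) for pid in range(1, max_pid + 1)}
        listed = before | listed_pids()
        tids = {pid for pid, st in probed.items()
                if st != "none" and pid not in listed and is_thread_not_process(pid)}
        return classify(listed, probed, tids)


    if __name__ == "__main__":
        result = scan()
        print("accessible:", len(result["accessible"]))
        print("inaccessible (listed, but kill -> EPERM):", result["inaccessible"])
        print("hidden (answer kill, not in /proc listing):", result["hidden"])
    ```

    Run as an unprivileged user, every process belonging to another account lands in "inaccessible", which is the benign counterpart of what Rodehard saw: visible, but nobody else may open it. The same check also shows the false-positive problem discussed earlier in the thread: with /proc mounted with hidepid=2, other users' processes are both unlisted and EPERM, so they come out as "hidden" even though nothing malicious is involved, and only the analyst can tell the two apart.
    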