Rootkit Unhooker

Discussion in 'other anti-malware software' started by Z0mBiE, Dec 11, 2006.

Thread Status:
Not open for further replies.
  1. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    91
    Re: RkUnhooker RC3 released

    Other than the actual error number (something like 0x00000005c, but I will write it down) I can't think of what else I could tell you. Please re-read my post for details. You're wearing out the compatibility excuse. I just explained that two of my PCs had no security software installed whatsoever. Other than the operating system there is nothing to be incompatible with.
     
  2. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    If you can, please post a screenshot. It can't be an incompatibility with Windows, for obvious reasons. An internal exception means that something on these systems is unexpectedly interrupting the program's work.
     
  3. controler

    controler Guest

    Re: RkUnhooker RC3 released

    Rodehard


    It appears you will get the "parasite inside itself" warning if you are running IE7.

    Do all of your systems have the same video card?

    Did you use the same Windows install CD on all 4 computers?

    controler
     
  4. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    91
    Re: RkUnhooker RC3 released

    Sorry for the delay, busy morning.

    Controler - Yes on IE7 for all machines; no duplicate video cards, but two are Nvidia and two have ATI chips; 3 OEM XP installs and one, um, whatever you call a non-OEM OS install; all XP Pro SP2.

    EP_X0FF - I can do screenshots if I absolutely have to, but for now it's more trouble than it's worth.
    Just dealing with one PC at the moment. This is a P4 2.6 GHz with 3 GB RAM. No security software other than... GreenBorder, SpywareBlaster and FirstDefense-ISR (these are the only applications, other than OS/IE7, that all my PCs have in common). Internet access is for gaming and Windows updates only, and only one game at that (Massive Assault).

    Via Task Manager shut down to 21 processes, only system and FDISR files running. RKU starts up, I get the parasite message: Unk remote thread, thread ID: 2664 Priority: 8. This is not a PID number; how do I locate a thread by number? OK, continue, all looks well, no red entries. Nothing alarming under any tabs. Go to the Report tab and select "Scan". Runs for a few minutes and I get an error message telling me Windows could not start the program, a component was not found, reinstalling the application may solve the problem. This is the first time I have gotten this error on any of my PCs. It was always the unhandled exception error in the past. If it's still installed I will try it on another PC and see what error I get.

    Hmmm, OK, I reinstall RKU (3.01.100.360), reboot, and the exact same thing happens, except this time the thread ID of the parasite is 2956.

    So, IE7, FDISR? If it's IE7 then you might as well do away with the parasite message. Otherwise all you're doing is yelling fire in a crowded theater. This would make that feature(?) useless as far as I'm concerned, not to mention what it would do to your target market. Anyway, OK, does this give you any clues?

    Just so you know, I did not clear temp dirs or uninstall RKU prior to the reinstall.
     
  5. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    That's more a question for Microsoft: what did they do in their IE7 that forces this alarm? If we start doing compatibility work for the strange behaviour of browsers/security programs and other "legit" stuff, we will be blind.

    Awaiting your screenshot; after that we can tell you where and what kind of error occurred.
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: RkUnhooker RC3 released

    I now feel confident that is the case, considering the only hooks on this XP SP2 are Ghost Security's. Even with that totally removed there was still this parasite burp from RKU. In my travels this AM I ran across this thread at Sysinternals, and since I have been wanting to go to this new hard drive anyway... I experienced the same as poster Saso in that above-mentioned thread: virgin XP SP2 and no burp... install IE7 and RKU burps :eek:

    Hopefully when EvilPhantasy and gang find a copy of IE7 they can play around a bit to see what IE7 is actually doing... even if it's for kicks and grins :D
     

  7. controler

    controler Guest

    Re: RkUnhooker RC3 released

    Hi Bubba

    It's not that they need a copy of IE7; they don't have a legit copy of XP, so they can't upgrade to IE7 LOL

    EP_X0FF, is there anything we can look for to help you out with IE7?

    controler
     
  8. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    91
    Re: RkUnhooker RC3 released

    I'm sorry, this is like talking to a wall. Since the software can't be expected to be compatible with anything and troubleshooting requires pictures, I have lost interest. GMER works; maybe I will try it again.......
     
  9. controler

    controler Guest

    Re: RkUnhooker RC3 released

    rodehard

    Even if you get the "parasite inside itself" warning, you should still be able to run RKU.
    I have an Nvidia video card and can run it just fine. Since you have all 4 doing the same thing, I am guessing you have set some weird setting that the rest of us don't use, if what you say is true and you have no firewall or other security software running.
    Why is it so tough to post a screenshot? All you need is, say, ScreenHunter Free.
    It appears you don't have the patience to be using an ARK.

    controler
     
  10. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    91
    Re: RkUnhooker RC3 released

    I mean no offense, but it appears no one reads my posts. The parasite warning was just a side issue. What I was seeking advice about was that I couldn't get it to complete a scan on any of four PCs with four different configurations. I have given all the information I have and all the information contained in the error messages; screenshots would add nothing to what I have stated.
    The fact is that my primary PC is down while I wait for replacement RAM. The PC I was addressing in my posts is strictly for gaming and is not configured with screen-capturing software beyond the OS. I'm posting from my laptop for now. So, as I previously stated, screenshots were a PITA at the moment and, again, pointless.

    My apologies for my impatience; too many years as a cop and infantry sergeant have ruined me for polite society, I'm afraid. In any case, I hope I have not annoyed anyone other than EP_X0FF, as my impatience was with him only. I read this forum routinely and have nothing but respect for what you guys do and your efforts in helping others. As for RKU, I will check it out again at some later time, perhaps. Wishing everyone a nice day........
     
  11. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    Screenshots will give us information about the address and type of the error that occurred. For me it's more interesting/helpful than anything else.

    Thanks, but it looks like no. I have one guess: that this remote thread was created from one of the updated Microsoft libraries such as advapi32.dll, shell32.dll... It is just a question of time until we get a "normal" copy of IE7 to debug with.

    @Bubba

    Your screenshot demonstrates a part of the Rootkit Unhooker driver loading procedure: writing the driver keys to the registry.
     
    Last edited: Jan 25, 2007
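    The warning Rodehard quotes earlier in the thread ("Unk remote thread, thread ID: 2664") reports a thread ID, not a process ID, and EP_X0FF's guess above is that the thread was started from a Microsoft library such as advapi32.dll or shell32.dll. The script below is an added example written for this page, not code from the thread or from Rootkit Unhooker: it walks every process, finds the thread with that ID, and reports the owning process plus the loaded module whose address range contains the thread's start address. The ID 2664 is the value quoted in the thread and will differ on your machine; run it from an elevated PowerShell (3.0 or later) while RKU's warning is still on screen, since the thread lives in RKU's own process.

```powershell
# Added example, not code from the thread or from Rootkit Unhooker.
# Map a thread ID to its owning process and to the module that contains
# the thread's start address.

function Find-ThreadOwner {
    param([Parameter(Mandatory = $true)][int]$ThreadId)

    foreach ($proc in Get-Process) {
        $thread = $null
        try { $thread = $proc.Threads | Where-Object { $_.Id -eq $ThreadId } }
        catch { continue }                      # process exited or is inaccessible
        if (-not $thread) { continue }

        $start  = $thread.StartAddress.ToInt64()
        $module = $null
        try {
            # Module lists of protected/system processes may not be readable, and a
            # 32-bit PowerShell cannot read a 64-bit process's module list.
            $module = $proc.Modules | Where-Object {
                $base = $_.BaseAddress.ToInt64()
                ($start -ge $base) -and ($start -lt ($base + $_.ModuleMemorySize))
            } | Select-Object -First 1
        } catch { }
        $startModule = if ($module) { $module.FileName } else { '<not inside a loaded module>' }

        return [pscustomobject]@{
            ThreadId        = $ThreadId
            ProcessName     = $proc.ProcessName
            ProcessId       = $proc.Id
            BasePriority    = $thread.BasePriority      # 8 is the normal base priority
            CurrentPriority = $thread.CurrentPriority
            State           = $thread.ThreadState
            StartAddress    = ('0x{0:X8}' -f $start)
            StartModule     = $startModule
        }
    }
    Write-Warning "Thread $ThreadId not found; it may already have exited."
}

# The thread ID from RKU's warning (2664 in the thread) goes here.
Find-ThreadOwner -ThreadId 2664 | Format-List
```

    Two caveats. A thread that is not inside any loaded module (StartModule reports "not inside a loaded module") is the case a rootkit detector actually cares about, because injected code usually lives in private memory rather than in a mapped DLL. And on Windows versions newer than XP the start address .NET reports is often the generic thread-start thunk in ntdll/kernel32 rather than the real start routine, so the module name tells you less there; Process Explorer or a kernel-mode tool is needed to get the real start routine on those systems.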
  12. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: RkUnhooker RC3 released

    I'm unsure what you are saying :doubt:
     
  13. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    ...Services\rkhdrv31 <- this is the registry entry for the Rootkit Unhooker driver
    imagepath <- path to the rkhdrv31.sys driver file

    So on this screenshot I see a warning about writing these entries to the registry :)
     
  14. controler

    controler Guest

    Re: RkUnhooker RC3 released

    If I look at Device Manager, show hidden devices, RKU's driver is listed twice on my machine. Is that normal?

    thanks

    controler
     
  15. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    If RkUnhooker was used on this machine before, then yes. Previous versions (< 3.01) did not completely uninstall themselves, so it is the rkhdrv10.sys entry. Currently the driver is named rkhdrv31.sys. It is safe to manually remove the old entry and rkhdrv10.sys, which is located in the windows\system32\drivers folder.
     
  16. controler

    controler Guest

    Re: RkUnhooker RC3 released

    OK, thanks, and I see the driver doesn't actually show up in Device Manager until I run a file scan after install. It seems removing the driver in Device Manager also removes the SYS file ;-)


    controler
     
  17. controler

    controler Guest

    Re: RkUnhooker RC3 released

    The only other error I get in Event Viewer is from Service Control Manager.
     

  18. controler

    controler Guest

    Re: RkUnhooker RC3 released

    OK, sorry, I just figured out I get this DCOM error because I have my MS Instant Messenger dir renamed so it won't start up every time I open Outlook Express.

    Sorry
     
  19. controler

    controler Guest

    Re: RkUnhooker RC3 released

    EP_XOFF

    Even though I have the driver listed in Device Manager, I cannot find any instance of an rkh*.SYS file on my machine. Is this a hidden file?

    controler
     
  20. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Re: RkUnhooker RC3 released

    Open regedit.exe, Edit, Find, then type rkhdrv31; make sure "Match whole string only" is not ticked, then press Find Next. If you need to delete the driver, right-click on the Legacy_RKHDRV31 folder and open Permissions; Everyone should be highlighted, tick Allow for Full Control, then Apply, and now you can delete the entire folder. Repeat, because there's another entry for the driver, but for this one you don't need to allow Full Control, you can just delete the folder. I think if your OS is Home Edition you may not be able to access Permissions in regedit, so then you may have to do it some other way.

    To EP_X0FF - I like that inside joke of yours about the MATRIX "knock knock" :D Interestingly enough, I did find the hidden PID it created though :-* upon closing your program. Hope I don't have to worry about anything :p I'm sure it was a function strictly for closing RKU. :thumb:
     

    Attached Files: fix.PNG
    Last edited: Jan 25, 2007
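    The regedit procedure above, and EP_X0FF's note earlier that the old rkhdrv10 entry and its .sys file can safely be removed by hand, can be done from an elevated PowerShell prompt instead. The function below is an added example written for this page, not a Rootkit Unhooker uninstaller and not code from the thread. It assumes the service is named rkhdrv10 and the file sits at %SystemRoot%\system32\drivers\rkhdrv10.sys, which is where the thread says it is; pass other values for a different version. It stops the driver if it is loaded, deletes the service key through sc.exe, grants Administrators Full Control on the LEGACY_ key under Enum\Root before deleting it (the same thing the Permissions dialog does in the regedit steps), and finally deletes the hidden .sys file. Everything is gated by ShouldProcess, so `-WhatIf` previews the actions.

```powershell
# Added example, not code from the thread or from Rootkit Unhooker.
# Remove a stale kernel-driver service entry, its PnP LEGACY_ mirror key,
# and the hidden driver file. Defaults assume the old rkhdrv10 driver.
function Remove-StaleDriver {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ServiceName = 'rkhdrv10',
        [string]$DriverFile  = (Join-Path $env:SystemRoot 'system32\drivers\rkhdrv10.sys')
    )
    $svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $legacyKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($ServiceName.ToUpper())"

    # 1. Never delete a driver that is still loaded: stop it first.
    $query = & sc.exe query $ServiceName 2>$null
    if ((($query -join "`n") -match 'RUNNING') -and $PSCmdlet.ShouldProcess($ServiceName, 'sc stop')) {
        & sc.exe stop $ServiceName | Out-Null
    }

    # 2. Service key: sc delete removes it cleanly (or marks it for deletion
    #    if the service control manager still holds a handle).
    if ((Test-Path $svcKey) -and $PSCmdlet.ShouldProcess($svcKey, 'sc delete')) {
        & sc.exe delete $ServiceName | Out-Null
    }

    # 3. LEGACY_ key: SYSTEM owns it and Administrators only have read access,
    #    so grant Full Control (as the regedit Permissions dialog does) and
    #    then delete the whole subtree. This is what makes the stale entry
    #    disappear from Device Manager's "show hidden devices" view.
    if (Test-Path $legacyKey) {
        $acl  = Get-Acl -Path $legacyKey
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        if ($PSCmdlet.ShouldProcess($legacyKey, 'grant Full Control and delete')) {
            Set-Acl -Path $legacyKey -AclObject $acl
            Remove-Item -Path $legacyKey -Recurse -Force
        }
    }

    # 4. The .sys file carries the Hidden attribute, so -Force is required.
    if ((Test-Path -LiteralPath $DriverFile) -and $PSCmdlet.ShouldProcess($DriverFile, 'delete')) {
        Remove-Item -LiteralPath $DriverFile -Force
    }
}

# Preview, then run for real:
Remove-StaleDriver -WhatIf
Remove-StaleDriver
```

    Delete the service key before the LEGACY_ key: the PnP manager recreates LEGACY_<name> the next time a legacy driver service with that name starts, so removing only the Enum entry while the service key survives just brings it back. If Set-Acl fails with access denied, Administrators lack WRITE_DAC on that key; take ownership of the key first (regedit's Permissions > Advanced > Owner) and rerun the function.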
  21. controler

    controler Guest

    Re: RkUnhooker RC3 released

    yankinNcrankin


    Thank you

    I tried your suggestion and don't get any hits in the registry for rkhdrv31,
    and I do not find any SYS file for RKU in my System32 folder.

    controler
     
  22. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Re: RkUnhooker RC3 released

    Did you also search for the earlier driver of the program, rkhdrv10?

    Run the RKU program again and try doing a hidden files scan; that's when the driver will load. I'm sure you'll find it then. :)
     
  23. controler

    controler Guest

    Re: RkUnhooker RC3 released

    I tried looking for the driver while scanning before I posted. It never shows on my system. Am I missing something here?
    I did a search for RKH*.* even while the scan was running and never saw it on my system.
    EP_X0FF said all I had to do was delete the old driver in System32. I never see any of them, period.
    If they are there, they are hidden from my system.

    controler
     
  24. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    @controler

    You should use the "look inside system directories and hidden files" search options, because rkhdrv10.sys/rkhdrv31.sys have the "hidden" file attribute.

    @yankinNcrankin

    This PID was left after the service executable was terminated (Hidden Files Scan).
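    Putting EP_X0FF's answers together (the driver is registered under Services\rkhdrv31 with an imagepath to rkhdrv31.sys; an older install leaves rkhdrv10 behind; the file carries the hidden attribute, which is why a plain search for rkh*.sys finds nothing), the script below checks all of that in one pass. It is an added example written for this page, not code from the thread or from Rootkit Unhooker, and it assumes only the service-name pattern rkhdrv* and the standard registry layout for kernel-driver services. It resolves each ImagePath spelling to a real path, reads the file with -Force so the Hidden attribute does not hide it, reports whether the LEGACY_ mirror key that Device Manager shows under hidden devices exists, and whether the driver is currently loaded. Run it from an elevated PowerShell 3.0 or later.

```powershell
# Added example, not code from the thread or from Rootkit Unhooker.
# Inspect kernel-driver service entries matching a name pattern, resolve the
# driver file on disk (including hidden files) and report the LEGACY_ key.

Add-Type -AssemblyName System.ServiceProcess

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$EnumRootKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # Kernel-driver ImagePath values come in several spellings:
    #   system32\drivers\rkhdrv31.sys        relative to %SystemRoot%
    #   \SystemRoot\system32\drivers\x.sys   NT-style SystemRoot prefix
    #   \??\C:\full\path\x.sys               NT object-manager prefix
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\\?\?\\(.+)$')       { return $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.+)$') { return (Join-Path $env:SystemRoot $Matches[1]) }
    if ($p -match '^[A-Za-z]:\\')         { return $p }
    return (Join-Path $env:SystemRoot $p)
}

function Get-DriverEntryStatus {
    param([string]$NamePattern = 'rkhdrv*')

    # Get-Service lists only Win32 services; GetDevices() includes kernel drivers.
    $running = [System.ServiceProcess.ServiceController]::GetDevices() |
        Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.ServiceName }

    Get-ChildItem $ServicesKey | Where-Object { $_.PSChildName -like $NamePattern } | ForEach-Object {
        $name  = $_.PSChildName
        $props = Get-ItemProperty $_.PSPath
        $file  = $null
        $item  = $null
        if ($props.ImagePath) {
            $file = Resolve-DriverImagePath $props.ImagePath
            # Without -Force, Get-Item skips hidden files, which is exactly why an
            # Explorer search for rkh*.sys comes up empty.
            $item = Get-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
        }
        $legacy    = Join-Path $EnumRootKey ('LEGACY_' + $name.ToUpper())
        $legacyKey = if (Test-Path $legacy) { $legacy } else { $null }

        [pscustomobject]@{
            Service       = $name
            Type          = $props.Type     # 1 = SERVICE_KERNEL_DRIVER
            Start         = $props.Start    # 3 = SERVICE_DEMAND_START (loaded only when the tool asks)
            ImagePath     = $props.ImagePath
            ResolvedFile  = $file
            FileExists    = [bool]$item
            Hidden        = [bool]($item -and ($item.Attributes -band [IO.FileAttributes]::Hidden))
            LegacyEnumKey = $legacyKey
            Running       = ($running -contains $name)
        }
    }
}

Get-DriverEntryStatus | Format-List
```

    A Services entry whose ResolvedFile does not exist, or a LEGACY_ key with no matching Services entry, is the leftover an incomplete uninstall produces; a file that exists but is not Hidden, or sits outside system32\drivers, does not match what the thread describes for RKU's own driver and deserves a closer look before you trust it.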
     
  25. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Re: RkUnhooker RC3 released

    "This PID was left after the service executable was terminated (Hidden Files Scan)" - glad to know; for a second I thought I was about to experience something virtual :D It's cool that it randomly renames itself; I don't always get the Matrix knock knock, sometimes another PID with no name at all, totally unknown, very cool :D :thumb:
     