Another new anti Rootkit and hook analyzer

Discussion in 'other anti-trojan software' started by tuatara, Nov 14, 2005.

Thread Status:
Not open for further replies.
  1. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
  2. dog

    dog Guest

    Interesting Program :) Thanks ;)
     

    Attached Files:

  3. mata7

    mata7 Registered Member

    Joined:
    Nov 8, 2005
    Posts:
    635
    Location:
    Mississauga, Canada
    Are all these rootkits on your system?

    If they are, can you please explain to me how you remove them, because my system shows like 6 red ones like yours.

    thanks
     
  4. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    1: No, these are NOT all rootkits or malware or unwanted software,
    so be careful with removing them.

    2: This tool ONLY shows which programs use these kinds of kernel hooks;
    these can be malware but anti-malware as well.

    3: If you are not sure please write here what is in those 6 lines,
    perhaps we can identify them.
     
  5. mata7

    mata7 Registered Member

    Joined:
    Nov 8, 2005
    Posts:
    635
    Location:
    Mississauga, Canada
    Thanks, I got more than 6 now.
     

    Attached Files:

  6. RipVanTinkle

    RipVanTinkle Registered Member

    Joined:
    Oct 20, 2005
    Posts:
    102
    Thanx for the heads-up :)

    D347bus.sys is used by Daemon Tools among others, as far as I'm aware
     
  7. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Hi Mata7,

    The lines regarding Kaspersky seem OK to me;
    I see the same lines here on one of the PCs where I am running KIS2006Beta, as a matter of fact I see even more lines on that PC.

    The other ones regarding D347bus.sys I am not sure about,
    but considering the fact that you are running Kaspersky
    I assume it is OK as well (95% chance). Read this:

    d347bus.sys file information

    The process PnP BIOS Extension belongs to the software unknown by unknown. Description: File d347bus.sys is located in the folder C:\Windows\System32\drivers. The file size on Windows XP is 155136 bytes.
    The driver can be started or stopped from Services in the Control Panel or by other programs. There is no file information. The program is not visible. The service has no detailed description. File d347bus.sys is not a Windows core file. Therefore the technical security rating is 5% dangerous, however also read the users reviews.

    Important: Some malware can camouflage itself as d347bus.sys, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check the d347bus.sys process on your PC to see whether it is a pest.

    If nobody else informs you differently,
    you don't have to worry.

    Btw. What is your native language?
     
  8. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
  9. Advicer

    Advicer Guest

  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    It would have been nice if it had offered a way of exporting the list to a txt file (or anything more easily postable than a screenshot).

    Regards,

    Pieter
     
  11. mata7

    mata7 Registered Member

    Joined:
    Nov 8, 2005
    Posts:
    635
    Location:
    Mississauga, Canada
    Thanks for all your info, my native language is Spanish.
     
  12. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    I totally agree, I hope they will create this feature.
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    These are my kind of "hooks"! :D
     

    Attached Files:

  14. controler

    controler Guest

    Hey Pete

    How goes the battle?

    Are you using Appdefend in that post? From what I have seen, it appears that when using Appdefend along with PG, people seem to see the hooks overlapping, and Appdefend's hooks usually show more frequently.

    Bruce
     
  15. What do you mean, show more frequently? It depends on the install order, I think. At least that was so when I installed PG first, then Appdefend, and compared it with installing Appdefend, then PG.
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hi, Bruce! No, that's not AppDefend, it's just PG/RegDefend.

    "the battle" is on-going and multi-fronted. "Skirmishes" going well going on some fronts but I need a lot more "troops" for the front lines and major engagements. Signed up yet? :D Pete
     
  17. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Hello All,
    Cool free tool. Good for asking questions and seeking help for things that look suspicious, but for those of us who are not real savvy tech wizards it is difficult to use to get rid of a nasty. :doubt:

    Its user base would be very small IMHO. :(

    Am I missing something? :doubt:
     
  18. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    90
    When I tried to install it, Pest Patrol intercepted it and said it was the "buddy 2 spy", so I killed the install. What's up with that?
     
  19. Pestpatrol, King of False Positives, strikes again o_O
     
  20. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    90
    Last edited: Dec 3, 2005
  21. I installed it on a VMware machine, and looked for the files that should have been installed (based on your URLs). Nada. FP?
     
  22. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    90
    Maybe it's PP's version of "Not a virus risk-ware" or simple mistaken identity. The nature of the application would normally cause it to show up on the radar, but it was ignored (as far as it got anyway) by KAV, Reg Def and App Def. The vendor's name rings a bell; can anyone confirm they are reputable?
     
  23. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    As a licensed user of PestPatrol, I think it is a great product;
    it can sometimes find malware that others can't.

    But I would not recommend it to a novice user,
    because deviladvocate couldn't say it better:

    It is the King of False positives! (as proven in this case)

    But if you haven't got a problem with that (like me)
    it is not a bad prog.
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Having an analyser that could identify multiple hook chains would be useful in such cases. Indeed, that should be the next step: after all, if only the first hook in a chain is identified, then installing a security application on a rootkitted system (resulting in its hooks being installed over the rootkit's) could end up obscuring the rootkit hooks (though they would still be active).
     
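The chain-obscuring effect described in the post above, as an added simulation that is not part of the thread or of the analyzer being discussed: a constructed one-entry service table is hooked first by a (constructed) "rootkit.sys" and then by a "security_product.sys" that installs over it, exactly as each real hooking driver does (save the current entry, replace it with your own). A naive check that only names the owner of the current table entry sees just the security product; a chain walker that follows each hook's saved pointer back to the genuine service lists both. Module ownership here is resolved by a lookup in the simulation's own hook records; on a real system an analyzer would map each pointer to a loaded-driver address range instead.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOOKS 8

typedef int (*svc_fn)(int);

/* Constructed "genuine" kernel service: the function that should sit in the table. */
static int nt_open_file(int handle) { return handle + 1000; }

/* A one-entry stand-in for a kernel service table (think of one SSDT slot). */
static svc_fn service_table[1] = { nt_open_file };

/* Each installed hook remembers who installed it and the pointer it replaced;
   that saved pointer is how it forwards calls down the chain. */
typedef struct {
    const char *owner;       /* constructed module name */
    svc_fn entry;            /* the hook's own entry point */
    svc_fn saved_original;   /* what the hook found in the table at install time */
} hook_record;

static hook_record hooks[MAX_HOOKS];
static int nhooks = 0;

/* Hook bodies: each forwards to whatever it saved when it was installed. */
static int hook_slot0(int h) { return hooks[0].saved_original(h); }
static int hook_slot1(int h) { return hooks[1].saved_original(h); }
static int hook_slot2(int h) { return hooks[2].saved_original(h); }
static const svc_fn hook_entries[3] = { hook_slot0, hook_slot1, hook_slot2 };

/* Install a hook the way a driver would: save the current entry, overwrite it. */
static int install_hook(const char *owner) {
    if (nhooks >= 3) return -1;
    hooks[nhooks].owner = owner;
    hooks[nhooks].entry = hook_entries[nhooks];
    hooks[nhooks].saved_original = service_table[0];
    service_table[0] = hooks[nhooks].entry;
    return nhooks++;
}

/* Restore the pristine table (used to rerun scenarios). */
static void reset_table(void) { service_table[0] = nt_open_file; nhooks = 0; }

/* Naive analyzer: report only the owner of whatever sits in the table right now. */
static const char *top_hook_owner(void) {
    for (int i = 0; i < nhooks; i++)
        if (hooks[i].entry == service_table[0]) return hooks[i].owner;
    return service_table[0] == nt_open_file ? "kernel" : "unknown";
}

/* Chain-walking analyzer: follow each hook's saved pointer until the genuine
   service is reached. Writes owners top-down into out[] and returns the count;
   a pointer that matches no known module is reported as "unknown". */
static int walk_hook_chain(const char **out, int max) {
    svc_fn cur = service_table[0];
    int n = 0;
    while (cur != nt_open_file && n < max) {
        int found = 0;
        for (int i = 0; i < nhooks; i++) {
            if (hooks[i].entry == cur) {
                out[n++] = hooks[i].owner;
                cur = hooks[i].saved_original;
                found = 1;
                break;
            }
        }
        if (!found) { out[n++] = "unknown"; break; }
    }
    return n;
}

int main(void) {
    const char *chain[MAX_HOOKS];
    install_hook("rootkit.sys");           /* constructed: the rootkit hooks first */
    install_hook("security_product.sys");  /* constructed: AV/HIPS installs over it */

    printf("table entry owner (naive check): %s\n", top_hook_owner());
    int n = walk_hook_chain(chain, MAX_HOOKS);
    for (int i = 0; i < n; i++)
        printf("chain depth %d: %s\n", i, chain[i]);
    /* The call still reaches the real service through both hooks. */
    printf("nt_open_file(1) via chain = %d\n", service_table[0](1));
    return 0;
}
```

The point of the simulation is the second scenario in the test: once the security product is installed on top, the naive check reports only "security_product.sys" while the rootkit hook stays active one level down, which is why an analyzer that stops at the first hook can give a clean-looking but wrong picture.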
  25. While it is true that PP is often misunderstood because it tries to detect "hackerz tools" and other things like P2P clients, when I say it is King of FP, I do not refer to such cases. I only refer to cases where it states without a doubt that it is some well-known specific spyware/adware or keylogger.

    Even in this case in question, it states that it is "buddy 2 spy", which is obviously wrong. If it said it was some generic.hackertool, then I would be okay with it.

    That has always been the case with Pest Patrol; its signatures are very 'loose'. Kind of like looking at a green apple, and from then on it learns that everything that is green is an apple.
     