Rkunhooker infected?!?

Discussion in 'malware problems & news' started by SystemJunkie, Nov 9, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Probably safemon is the reason for RkUnhooker's alert. RkUnhooker is well protected (no DLLs, no threads to see), but I could gain access to the stack information and I found this:

    http://i13.tinypic.com/4ghdta0.png

    Besides, I allowed the low level access that you can see above. Sorry for the paranoia in this case.

    I was a bit too fast... I found out that the gmer thread (00270000) is the low level access of RKUnhooker.

    So nothing to worry I guess.
     
    Last edited: Nov 9, 2006
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    The moment I try to launch Rootkit Unhooker, my system restarts! :eek:
    It just crashes my system directly.
     
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    What kind of security software do you have installed additionally?

    Maybe we can find the incompatibility hook.

    One problem I also saw when using Raide Beta is that when you try to unhook everything in your system, in about 70% of cases your system receives a BSOD. But I think it's quite a common and usual phenomenon, due to the ring0 structure I guess.
     
  5. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    This reaction of RkU is absolutely normal in case you have security software installed which loads a dll, exe or sys file (syssafe.exe from SSM) that is not accessible from user mode, etc. RkU interprets this behaviour as a possible parasite. I talked to the developer of RkU some weeks ago and he will solve this behaviour with 'known' security applications.

    Regarding the reaction of SSM you have to allow RkU low level access to detect hidden processes.
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Great to know! Thanks!
     
  7. EASTER.2010

    EASTER.2010 Guest

    Good point! I rooted myself earlier and was also interested in that prompt, but RKunhooker continued on uninhibited anyway and struck down the hooking code to surface the ghosts I let in. ;)
     
  8. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    /OT
    I uninstalled Rku because of the undiscussable behaviour of its developer. Such an a....e I can't and won't support.
    If somebody is interested in his behaviour, read the last 3 pages of the following thread
    /OT off
     
    Last edited: Nov 12, 2006
  9. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes indeed, besides I recently analyzed the most commercial low level thing I actually saw... PC Activity Mon. 7.5 Pro; with filemon you can see how the typical behaviour of such superstealth stuff looks.

    I will open a new thread here concerning this.
     
    Last edited: Nov 13, 2006