Rootkit Unhooker

Discussion in 'other anti-malware software' started by Z0mBiE, Dec 11, 2006.

Thread Status:
Not open for further replies.
  1. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Hi Meriadoc,

    You can use email or our forum, it is your choice. We will answer questions.

    Kind Regards.
     
  2. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    The point I was trying to make is that I (and probably the security community in general) do not want to know that you are conducting a "war". It is, IMHO, unprofessional for Rootkit Unhooker to use their website as part of a 'war' against other security vendors.

    Londonbeat
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    After all this harsh talk, though I agree that the RkUnhooker people seem to show unprofessionalism, I can very well guess that this matter can never be solved here on these boards, as it seems to have deep roots.

    So I will just request all users to ignore this issue (leave it between the RKU people and Gmer) and to focus on the topic of the thread.

    I wish they could solve their problems.
     
  4. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Okay, okay, we are unprofessionals, mister Gmer is the hero on the white horse, yes-yes. Well, actually I understood this position from the very first post, so there was no need to repeat it to me in an infinite loop. The banner was, is and will be on your site, you can do whatever you wish, we absolutely don't care about the "security community" as a whole, or about opinions from it, because I know for certain that there are a lot of people in my country, and not only in mine, who use and will use this program no matter whether it was "approved" or "disapproved" by the "security community" for lack of professionalism / unethical behaviour of the authors. Therefore I see no reason to continue this infinite loop of accusations of a lack of professionalism. You have already got all my available answers, so I can't add anything new.

    Kind Regards.
     
  5. EASTER.2010

    EASTER.2010 Guest

    I think the unfair critics should refrain from always looking for negatives and blowing off all the time over banners, sayings or what have you.

    You shouldn't care less if they launched a hot air balloon around the world advertising whatever harsh assessments they have over one thing or another.

    THE FACTS! remain, and that fact is that RKUnhooker developers have fashioned perhaps the single-most BEST ark detector to have ever been produced to date, and they watch over it with great care.

    They also address users issues no matter what.

    Needless to say, IMHO they have indeed made history and AFAIK they can gripe about anything they like so long as they continue to advance this wonderfully creative and effective invention. It's stable, it works, and is a very helpful learning tool in the hands of those who know how to interpret its findings wisely.
     
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: An excellent product can not be permanently maintained by its technology alone, it has to be sprinkled with an open mind and a humble attitude. Yes, you can look down on everything and everyone today when you are at the summit. But how about the next day? Will you be there, unmoved? Your next step could be that 10,000 feet deep cliff. It is easy for you to say anything when you have the world, but have you thought about what will come to get you when you lose that glory? Be humble, be humble, my friend. I do use your product, but do not appreciate your att---. Guide yourself accordingly.
     
    Last edited: Feb 27, 2007
  7. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    https://www.wilderssecurity.com/showpost.php?p=953234&postcount=229
     
  8. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    I am speechless as well.:rolleyes:
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Sorry, I seemed a bit one-sided in my post. I don't favour gmer or you, as I don't know the real issue between you. I can't decide who is right. So neither HE nor YOU are my hero in this dispute, as it's your personal issue.
     
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Wise words. Let's follow them:thumb:
     
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Actually RkUnhooker is my favorite, because of the multiple SSDT restore function, I love that: a feature I waited several years for. Gmer does not have this feature, only click by click, that's not good.

    Best thing in the world, one click all tools are unhooked and/or ssdtrestored.

    I really like that! :D :D :D

    I did not try it in the case of Symantec's monster kernel hook, maybe someone will test it, if RkUnhooker is stronger than this, I guess there is at least one process in Norton that is unkillable.
     
  12. security34

    security34 Registered Member

    Joined:
    Mar 31, 2007
    Posts:
    5
    Hello I use Avira AntiVir for anti virus.

    After using Rootkit unhooker for a month or so with no problems, Avira AntiVir said

    the EE62A2E5EE62A2.exe which is located in the RKUnhooker directory is the trojan horse TR/AGENT.6656

    Has anyone else gotten this message from Avira AntiVir? Any thoughts?
     
  13. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Hi security34,

    You could submit the file to virus[at]avira.com with the title "possible false positive" and see what they say, have you tried uploading on virustotal to see if antivir is the only scanner that detects it?

    Londonbeat
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Please send it to them so that they can correct the false positive.

    https://www.wilderssecurity.com/showpost.php?p=974513&postcount=8
     
  15. security34

    security34 Registered Member

    Joined:
    Mar 31, 2007
    Posts:
    5
    Londonbeat

    Thank you. Per your suggestion I just sent this to virustotal and found the positives here:

    Complete scanning result of "EE62A2E5EE62A2.exe", processed in VirusTotal at
    03/31/2007 17:14:23 (CET).

    [ file data ]
    * name: EE62A2E5EE62A2.exe
    * size: 71168
    * md5.: d42da80479913c5021b1b3baa8c249c1
    * sha1: 6a331211db81590a37493e9021b011322f9063a5

    AntiVir 7.3.1.46/20070331 found [TR/Agent.6656]
    CAT-QuickHeal 9.00/20070331 found [(Suspicious) - DNAScan]
    eSafe 7.0.15.0/20070329 found [Suspicious Trojan/Worm]
    Sunbelt 2.2.907.0/20070331 found [VIPRE.Suspicious]
    Webwasher-Gateway 6.0.1/20070331 found [Trojan.Agent.6656]

    Complete scanning result of "CCDCFCCC4112A401.exe", processed in VirusTotal at
    03/31/2007 17:14:23 (CET).

    [ file data ]
    * name: CCDCFCCC4112A401.exe
    * size: 6656
    * md5.: b1221c986f5979cc2ce7ec4cfae9cc90
    * sha1: 47df859e4cc5cadcae7de68427de010a5d32ea6b

    [ scan result ]

    AntiVir 7.3.1.46/20070331 found [TR/Agent.6656]
    Complete scanning result of "CCDCFCCC4112A401.exe", processed in VirusTotal at
    03/31/2007 17:14:23 (CET).

    [ file data ]
    * name: CCDCFCCC4112A401.exe
    * size: 6656
    * md5.: b1221c986f5979cc2ce7ec4cfae9cc90
    * sha1: 47df859e4cc5cadcae7de68427de010a5d32ea6b

    [ scan result ]

    AntiVir 7.3.1.46/20070331 found [TR/Agent.6656]
    Webwasher-Gateway 6.0.1/20070331 found [Trojan.Agent.6656]

    on
     
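The scan output quoted above is the 2007 VirusTotal text format. As an added example (not from the post, the RkUnhooker project or VirusTotal), here is a small parser for that format plus a first-cut triage that separates heuristic/catch-all labels from named-family detections; the sample report is constructed from the lines quoted above, and the keyword list used to recognise heuristic labels is an assumption.

```python
import re

# Constructed sample: the VirusTotal report lines quoted in the post above; the
# second file's report is repeated, as on the page, so the parser must merge it.
SAMPLE = """\
Complete scanning result of "EE62A2E5EE62A2.exe", processed in VirusTotal at
* md5.: d42da80479913c5021b1b3baa8c249c1
AntiVir 7.3.1.46/20070331 found [TR/Agent.6656]
CAT-QuickHeal 9.00/20070331 found [(Suspicious) - DNAScan]
eSafe 7.0.15.0/20070329 found [Suspicious Trojan/Worm]
Sunbelt 2.2.907.0/20070331 found [VIPRE.Suspicious]
Webwasher-Gateway 6.0.1/20070331 found [Trojan.Agent.6656]
Complete scanning result of "CCDCFCCC4112A401.exe", processed in VirusTotal at
* md5.: b1221c986f5979cc2ce7ec4cfae9cc90
AntiVir 7.3.1.46/20070331 found [TR/Agent.6656]
Complete scanning result of "CCDCFCCC4112A401.exe", processed in VirusTotal at
* md5.: b1221c986f5979cc2ce7ec4cfae9cc90
AntiVir 7.3.1.46/20070331 found [TR/Agent.6656]
Webwasher-Gateway 6.0.1/20070331 found [Trojan.Agent.6656]
"""

HEADER = re.compile(r'^Complete scanning result of "([^"]+)"')
MD5 = re.compile(r'^\* md5\.?: ([0-9a-f]{32})$')
HIT = re.compile(r'^(\S+) (\S+)/(\d{8}) found \[(.+)\]$')
# Assumed label fragments that mark heuristic/catch-all names, not a specific family.
HEURISTIC = ("suspicious", "dnascan", "generic", "agent", "packed", "heur")

def parse_vt_report(text):
    # Parse 2007-style VirusTotal text output into {filename: {"md5", "hits"}};
    # repeated reports for the same file are merged engine by engine.
    reports, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = reports.setdefault(m.group(1), {"md5": None, "hits": {}})
        elif (m := MD5.match(line)) and cur is not None:
            cur["md5"] = m.group(1)
        elif (m := HIT.match(line)) and cur is not None:
            cur["hits"][m.group(1)] = m.group(4)   # engine -> detection label
    return reports

def triage(report):
    # Defender's first cut: how many engines fire, and does any name a real family?
    hits = report["hits"]
    named = [e for e, lbl in hits.items()
             if not any(k in lbl.lower() for k in HEURISTIC)]
    if not hits:
        return 0, 0, "no detections"
    if not named:
        return len(hits), 0, "heuristic/generic only: likely packer FP, submit to vendor"
    return len(hits), len(named), "named family hit: treat as suspect until vendor confirms"
```

The extracted MD5 can be compared against the hash a developer publishes with a release, which is a cheaper check than any scanner verdict.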
  16. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Hello, new version of RkUnhooker has been released. Any bug reports / logs please send here rkunhooker dog inbox.ru

    Since I'm not a direct developer of this version I can't answer technical questions / bug reports, please use the email above.

    version 3.31 build 150/420 (07.04.2007)

    fixed: bug with Notify Routines and Code Hooks Detector, thanks to FlowerCode
    fixed: drivers identification bug
    updated: ILHA to bypass some user mode rootkits with patch-protection technology
    added: bypassing of locking of the system files by some rootkits
    added: UNC full support for Files Scan / Operations (should eliminate some old bugs)

    D/L
    http://rkunhooker1.narod.ru/rkunhooker_v3/RkU3.31.150.420.rar
    http://rku.nm.ru/rkunhooker_v3/RkU3.31.150.420.rar

    MD5 1fc261be43d1119b4f627b18578759b3 *RkU3.31.150.420.exe
     
  17. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Thanks EP_XOFF
    Not to be too presumptive:
    Came to have some real trust in you and your team MP_ART and DNY et al
    Can you give a bit more information about where the RkU is heading and why you are not there?

    What happened with the forum?
    Will there be another web forum?

    Regards.
     
  18. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Some limits, some reasons :) My main profession is not programming, I prefer to lead different software projects.

    In the case of RkU we have already built a good foundation for future development. The current development team consists of four highly skilled programmers (some of them at different times worked in Russian antivirus companies like DialogScience) and are now retired for several reasons. Please understand that this project is hobby-like, we do not aspire to money / glory / high bandwidth etc.

    The forum was suspended with all of xell.ru due to "internal reasons", according to the hoster. AFAIK it was a sync DDoS attack (27-29 March 2007) from several zombie servers here in Russia. We can create many mirrors like rkunhooker1.narod.ru, but a forum needs some real hosting, doesn't it? =) Currently a forum is not planned. There already exist several forums where people can find help about RkU, for example here, or on http://antirootkit.com/forums.

    As for me and mp_art we are now discovering "new" vista kernel, rootkit-friendly as always :p And yes, probably soon Vista x86-32 will be supported by RkUnhooker.

    DNY has left country and returned to home, now she is in Germany, somewhere in Wittenberg. Hacking OS's I guess ;)

    That's all :)
     
  19. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @EP_XOFF
    Good luck
    Not bad for a hobby! International recognition in a very short time
    :mad: :mad: Stupid. Looks like the war is already lost on some fronts; 20 years of MS exploits and now zombies rule the web. :(
    NO, really ??, LOL good hunting.
    Good luck to her too.
    Looking forward to new implementations. :)
    I hope not ;)

    thanks to you all for a terrific ride so far
    Sad to see you pulling back a bit :'(
    You must have given thousands of hours already.
    Great tool
    Great commentaries from you all.
    Lethal assessments of other mainstream tools :D

    Stay well
    Hope to see you again with the next generation blockbuster.
    Stay on the white side. :D

    Regards.
     
    Last edited: Apr 7, 2007
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Could it be possible that the code hooks detector lost a bit of scanning speed since v.3.31? (it's irritating, did some of the programmers add some sleeps between scanning processes? I don't like that.. please redo it like in v.3.30)

    Seamless Scan (like you probably did it) is better than Sleep Scan.
     
  21. EASTER.2010

    EASTER.2010 Guest

    The ORIGINAL developers can correct me if I'm in error but, since RKU transferred hands I also noticed a marked DECREASE in scanning speed, which leads me to believe that when they transferred ownership, the original designers might very well have kept some code and retained it for themselves through agreement.

    That's just my take on it, because when EP_X0FF/MP_ART were actively involved in that project, I always noticed the blazing-rapid speed of the CODE HOOKS DETECTOR, as in instantaneous! Now it appears to run at almost the speed of a normal, common malware scan. The items show well enough, but it takes more time to do it.

    Right? Wrong?
     
  22. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Really basic question, with no harm meant:

    With Anti-rootkit developers being at the top of the game (as good as if not better than the rootkit developers) what prevents them from:

    1. Releasing an antirootkit trojan.

    2. Making it with excellent rootkit detection for a while.

    3. Lulling people into false sense of security.

    4. With new update pretending to do rootkit detection, but in fact installing its own rootkit

    (It is impossible to detect this by using normal antivirus scanners)

    What do we then use to detect that the antirootkit tools are not putting their own rootkits?

    The question is: Who watches the watchmen?

    A multi-layered security, where no layer trusts the other layer and there are several same layer peers which watch each others behavior?

    Now I'm starting to understand the need for those 8-core chips :)

    I'm sorry this is slightly off-topic. However I just did a scan of latest RKu with several antimalware tools and some of them flagged it as suspicious. Of course, it reads a lot of hooks, so this is to be expected (?). But in general, the same is for rootkits themselves. Most of them are also flagged "suspicious" and nothing more.

    How can one know which off-the-net security tools really are safe to run :)
     
    Last edited: Apr 17, 2007
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,229
    Hello,
    halcyon, Linux CDs are watching the watchmen. If you have any doubts, pop a live CD into the tray and go wild.
    Mrk
     
  24. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    @Mrkvonic: Actually we prefer Windows, ok?! It's like a bad habit ;-)

    Absolutely my opinion! It looks like a boring Antivirus Coder with usual methods.

    Wow, this super-paranoia is really a nice thought. Once Services.exe wanted to connect to the internet, one reboot later nothing more, anything quiet.
    (this happened once as I removed the floppy drive out of my computer and installed a usb hub instead)
     
  25. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    They are detecting the packers used for the code. It is generic flagging, but a while back there were some F/p's being returned when uploading the installer or main executable to the VT service.

    FWIW I'm in no doubt the RKU tool has been cracked and reversed by most of the competition. If it had malicious code in it then the alarm bells would almost certainly be rung:thumb:


    You can't, except by visiting reputable sources for info; the amount of fraudware, plain ****, fake security sites and malware-incorporated security software out there is fast approaching the number of legitimate software products.
    Anyone for SpySheriff, SpywareQuake, VirusBurst....The list is huge and growing:mad:
     