Rootkit Unhooker

Discussion in 'other anti-malware software' started by Z0mBiE, Dec 11, 2006.

Thread Status:
Not open for further replies.
  1. EASTER.2010

    EASTER.2010 Guest

    Re: RkUnhooker RC3 released

    Heh heh. Indeed, I like his approach, er, humour. I suppose it could be some moment of concern to the paranoid or unwary, lol.

    I liked the earlier builds of MATRIX HAS YOU in the process list. I think I know now where he gets it from; I just found an old screensaver on my 98SE drive with "Matrix Has You" appearing then vanishing in sequence. Pretty Kool :cool:
     
  2. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    :) yes
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Re: RkUnhooker RC3 released

    Hello,
    Matrix has you is my default screen saver for my Suse 10.2!!!!
    Mrk
     
  4. controler

    controler Guest

    Re: RkUnhooker RC3 released

    I always have my systems set to show hidden files. I was the one that educated PepiK (Spybot) about hidden files ;-) I was using DOS ATTRIB to hide files and DIRs years ago, LOL. Where does time go?
    I tell you, for some reason the .sys never shows up on my system while scanning. Is there some reason to hide the .sys driver? Anyway, I will keep looking, LOL.


    controler
     
  5. MP_ART

    MP_ART Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    25
    Location:
    Krsk
    Re: RkUnhooker RC3 released

    Some malware (arm32.dll) always keeps "show hidden files" option enabled ;)
     
  6. controler

    controler Guest

    Re: RkUnhooker RC3 released

    Last night I was not able to find the registry entries while doing a hidden file scan but this morning I was able to see them by going into the report tab, doing a scan and searching the REG. I then was able to find both the 10 & 31 entries.

    Couldn't find an arm32.dll. I redid this computer a couple of weeks ago, so there shouldn't be much malware on it at this time. I might redo it again soon. It is dual boot, XP Home & Vista.

    Anyway, I won't bother this thread any longer with my not being able to find the SYS driver.


    controler
     
  7. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    Hi controler.

    There are two models of RkUnhooker driver loading.
    1. If the "Extended Mode" option is enabled, then the driver always stays in the system32\drivers folder, because it is configured to be started with Windows.
    2. Otherwise, RkUnhooker extracts the driver file from the executable immediately after application start and puts it into the system32\drivers directory with the file attribute "hidden". After the driver is loaded, the file is deleted by RkUnhooker because it is no longer needed; the driver stays in memory until the next RkUnhooker start. That's why you can't locate this file inside the \drivers directory. You can see the same behaviour with some of the SysInternals tools :)
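The second loading model above (driver dropped into system32\drivers with the hidden attribute, loaded, then deleted while the module stays resident) is the same trace a rootkit loader leaves: a running kernel driver with no readable image file behind it. The script below is an added example written for this edit, not code from RkUnhooker or from the post. It walks the SCM driver list through Win32_SystemDriver and reports running drivers whose image is missing from disk or marked Hidden. The PathName normalisation rules are assumptions about the formats the SCM stores (absolute path, \SystemRoot\ prefix, \??\ prefix, or a path relative to the Windows directory).

```powershell
# Added example (not RkUnhooker code). Flags running kernel drivers whose image
# is missing from disk or carries the Hidden attribute, i.e. the trace left by
# "drop hidden .sys -> load -> delete file" loaders, benign tools and rootkits alike.

function Resolve-DriverImagePath {
    # Assumption: Win32_SystemDriver.PathName appears as "C:\Windows\system32\drivers\x.sys",
    # "\SystemRoot\System32\drivers\x.sys", "\??\C:\...\x.sys" or the relative "system32\drivers\x.sys".
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim().Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # strip the \??\ NT prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # expand \SystemRoot\
    if ($p -notmatch '^[A-Za-z]:\\') {                       # relative to %SystemRoot%
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverWithoutBackingFile {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $image  = Resolve-DriverImagePath $_.PathName
            # Entries with an empty PathName are reported too; review them by hand.
            $onDisk = [bool]($image -and (Test-Path -LiteralPath $image -PathType Leaf))
            $hidden = $false
            if ($onDisk) {
                # -Force is required, otherwise Get-Item skips hidden files
                $attrs  = (Get-Item -LiteralPath $image -Force).Attributes
                $hidden = ($attrs -band [IO.FileAttributes]::Hidden) -ne 0
            }
            if (-not $onDisk -or $hidden) {
                [pscustomobject]@{
                    Service = $_.Name
                    Image   = $image
                    OnDisk  = $onDisk
                    Hidden  = $hidden
                }
            }
        }
}

Get-DriverWithoutBackingFile | Format-Table -AutoSize
```

Two caveats for anyone using this as a check. Win32_SystemDriver only lists drivers that still have an SCM service entry; a loader that removes the service after StartService leaves nothing here, and you need a kernel-side module list (RkUnhooker's own Drivers page, or EnumDeviceDrivers) to see it. And, as the post says, legitimate tools use the same technique, so a hit is a review item, not a verdict.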
     
  8. controler

    controler Guest

    Re: RkUnhooker RC3 released

    Thanks for the good explanation:)

    I didn't know extended mode was for autostart. I looked through the help file but did not see extended mode mentioned, other than this.
    Do you advise only using extended mode in safe mode then?

    I also do not see any mention about the show debug panel tab in the help file.

    It would also be nice to be able to switch between the help file and the RKU GUI. On my machine, if I open the help file, I cannot maximize the RKU GUI again until I close the help file.

    Thank you



    controler
     
  9. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    Thanks for suggestion, we can implement it in next release.

    "Extended mode" configures rkhdrv31.sys to be loaded when Windows goes into Safe Mode.
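Safe Mode only starts the drivers and services whitelisted under the SafeBoot key, so "loaded when Windows goes into Safe Mode" comes down to an entry for the driver's service under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (and \Network for Safe Mode with networking) plus a start type that is not Disabled. The function below is an added example written for this edit, not part of RkUnhooker, and reports both for a named driver service. It assumes the service is named after its file, rkhdrv31, which the post does not state.

```powershell
# Added example (not RkUnhooker code). Reports how a kernel driver service is
# configured to start and whether it is whitelisted for Safe Mode.

function Get-DriverStartConfig {
    param([Parameter(Mandatory)][string]$ServiceName)

    # Start type from the service's own key: 0=Boot 1=System 2=Auto 3=Demand 4=Disabled
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $svc    = if (Test-Path -LiteralPath $svcKey) { Get-ItemProperty -LiteralPath $svcKey } else { $null }
    $startName = switch ($svc.Start) {
        0 { 'Boot' } 1 { 'System' } 2 { 'Auto' } 3 { 'Demand' } 4 { 'Disabled' }
        default { '(no service key)' }
    }

    # Safe Mode whitelist: a subkey named after the service whose default value is "Driver" or "Service".
    # PnP drivers may also be admitted via a subkey named after their device class GUID; not checked here.
    $safeBoot = foreach ($profile in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile\$ServiceName"
        if (Test-Path -LiteralPath $key) {
            "$profile=" + (Get-ItemProperty -LiteralPath $key).'(default)'
        }
    }

    [pscustomobject]@{
        Service   = $ServiceName
        StartType = $startName
        ImagePath = if ($svc) { $svc.ImagePath } else { $null }
        SafeBoot  = if ($safeBoot) { $safeBoot -join ', ' } else { 'not listed (will not load in Safe Mode)' }
    }
}

# Service name assumed to match the driver file name rkhdrv31.sys; the post does not state it.
Get-DriverStartConfig -ServiceName 'rkhdrv31'
```

Reading HKLM\SYSTEM needs no elevation, so this runs as a normal user. The same query, pointed at an unfamiliar service name, is a quick way to tell whether a suspicious driver has arranged to survive a Safe Mode boot.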
     
  10. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    RkUnhooker and Internet Explorer 7 Issue

    "RkUnhooker and parasite detected message with IE7"

    The story http://forum.sysinternals.com/forum_posts.asp?TID=9535&PN=1&TPN=4

    Okay, we debugged IE7 :)

    http://forum.sysinternals.com/forum_posts.asp?TID=9752

    This issue will be fixed in next version of RkUnhooker (no more parasites with IE ;) )

    p.s.
    Moved here, I see. BTW, is it possible to rename the thread from "RkUnhooker RC3 released" to simply "RkUnhooker"? :)
     
  11. controler

    controler Guest

    Re: RkUnhooker RC3

    Sweet !!!!!!!!!!!

    It is too bad the USA programmers can't get with the program. Well, maybe the gov. can, but they do not make it public. Cyber warfare etc. LOL

    controler
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Re: RkUnhooker RC3

    Russians are known to be very good at maths and reverse engineering :) Just look how many AVs come from Russia and ex-communist countries (Kaspersky, Dr. Web, VBA32, UNA, BitDefender, RAV (now Microsoft), ArcaVir, VirusBuster, NOD 32, AVG, Avast).
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Re: RkUnhooker RC3

    Do not forget SSM was also an Eastern European program. DefenseWall is also Russian. So you are quite right.
     
  14. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Re: RkUnhooker RC3

    LLOOLL :D


    And BTW, I was (sorry) fooling around with GMER, went to run pwalker, and pwalker froze!!
    Uninstalled GMER and pwalker ran: is that expected??
     
  15. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3

    No, probably an incompatibility with the GMER driver. It is not our bug or decision; pwalker does not contain any kind of GMER-ban technology.
     
  16. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Re: RkUnhooker RC3

    @EP_XOFF

    Do you think you could take a look at the log I saved from RkUnhooker? If not, where could I get it looked at? I have no idea how to interpret the log. My system started acting funny four days ago and I spotted two suspicious files in the Windows folder with the names is-H3SP4.exe and is-H3SP4.lst. I googled it and came up completely empty.
     
  17. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3

    Yes I will look. Send it here rkunhooker[dog]xell[dot]ru

    Probably Inno Setup installations?
     
  18. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Re: RkUnhooker RC3

    That's great! They are on their way.

    EDIT: Outlook does not recognise your address as a normal address. Is there a .com or a .net after the ru at the end of address?
     
    Last edited: Jan 29, 2007
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Re: RkUnhooker RC3

    Still no reply on this one? :blink:
     
  20. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3

    Sorry.

    Unknown issue. Probably related to your video drivers / GDI performance in a whole.

    During the Hidden Files Scan, the service executable is being dropped into the RkUnhooker folder with the file attribute "hidden". If the scan ended abnormally, the executable stays inside this folder.

    Thanks.

    No :) simple rk......@xell.ru
     
  21. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3

    RkUnhooker v3.20 has been released,

    what's new:

    added: Properties for processes and drivers
    improved: action menu optimized
    UnHook & UnHook ALL merged for SSDT/Code Hooks
    Dump Process/Dump Driver merged for Processes/Drivers
    Wipe/Copy file features are now available for the following pages:
    - Hidden Processes Detector
    - Hidden Drivers Detector
    - Hidden Files Detector
    improved: hidden drivers detection (new detection method)
    improved: hidden files detection (new detection method)
    fixed: select disks scan bug
    fixed: Internet Explorer 7 issue

    Download link http://www.rku.xell.ru/?l=e&a=dl

    btw, since this is 'official' RkUnhooker thread here I want to ask moderators - please rename it in "Rootkit Unhooker" :) Thanks anyway.
     
  22. EASTER.2010

    EASTER.2010 Guest

    Re: RkUnhooker RC3

    EXCELLENT!

    Thank You EP_XOFF & MP_ART for this major contribution to the war on finding RootKits and other "hiddens" that most other detectors miss and sometimes never find.

    This is one great piece of work and couldn't have come along at a better time when rootkits and rootkit behaviors are at an all-time high in the field.
     
    Last edited by a moderator: Feb 4, 2007
  23. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re: RkUnhooker RC3

    Thanks EP for update+tool

    Same old, same old... Currently got an active CWS infection and RKU currently sees the Rustock B and wincom32 that were imported :thumb: :cool:
     
  24. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Re: RkUnhooker RC3

    Does this version still block GMER?
     
  25. MP_ART

    MP_ART Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    25
    Location:
    Krsk
    Re: RkUnhooker RC3

    Not block. Simply do not run together.
     