Page 7 of 16
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 6:26 am
by EP_X0FF
@Krestig,
What is your system configuration?
Please attach minidump here if it is available.
@gjf
Okay.
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 11:45 am
by Krestig
Configuration: WinXP SP3 Rus, patched up to date, ntkrnlpa version 5.1.2600.5938.
RkU Version: 3.8 (b140410.388.590), Type LE (SR2).
I could also upload kernel memory dump, but it's huge!
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 12:46 pm
by EP_X0FF
Hi,
I've sent you a PM with another build. Can you try it?
I can't reproduce this BSOD anywhere :?
Regards.
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 1:01 pm
by Krestig
EP_X0FF, could you upload to another fileshare, because I can't download from there; I see just the name of the file and nothing else (no download button etc.).
By the way, I can't figure out the 100% sequence of actions to reproduce this bug :(, seems to be a nasty bug.
Also, maybe it's some kind of self-protection of some rootkit, because I'm afraid that I have some beast on my system:
ntkrnlpa.exe+0x0002D524, Type: Inline - RelativeCall 0x80504524-->EAEE8F00 [unknown_code_page]
ntkrnlpa.exe+0x0002D570, Type: Inline - RelativeJump 0x80504570-->80504587 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
ntkrnlpa.exe-->KeSetProfileIrql, Type: Inline - RelativeJump 0x806A1F1D-->8063D7CB [ntkrnlpa.exe]
ntkrnlpa.exe-->KeSetProfileIrql, Type: Inline - RelativeJump 0x806A1F24-->8069E378 [ntkrnlpa.exe]
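The five report lines above, fed through a small triage script. This is an added example by the editor, not RkUnhooker's own detection logic and not code posted by anyone in this thread. It parses the `module+offset` / `module-->Symbol` line format shown in the post, computes the signed displacement of each transfer, and sorts entries into review buckets: a transfer that lands in `[unknown_code_page]` is worth examining first, while a jump that hops only a few bytes ahead inside the same module is the kind of non-meaningful address that typically turns out to be a scanner false positive. The regex, the `SHORT_JUMP_LIMIT` threshold and the three bucket names are assumptions of this example; the sample text is the post's own lines, copied verbatim.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample input: the five hook lines from the post above, copied verbatim.
SAMPLE_REPORT = """\
ntkrnlpa.exe+0x0002D524, Type: Inline - RelativeCall 0x80504524-->EAEE8F00 [unknown_code_page]
ntkrnlpa.exe+0x0002D570, Type: Inline - RelativeJump 0x80504570-->80504587 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
ntkrnlpa.exe-->KeSetProfileIrql, Type: Inline - RelativeJump 0x806A1F1D-->8063D7CB [ntkrnlpa.exe]
ntkrnlpa.exe-->KeSetProfileIrql, Type: Inline - RelativeJump 0x806A1F24-->8069E378 [ntkrnlpa.exe]
"""

# Line grammar assumed from the sample (not an official RkU format spec).
LINE_RE = re.compile(r"""
    ^(?P<module>[\w.]+)                      # module that contains the patched bytes
    (?:\+0x(?P<offset>[0-9A-Fa-f]+)          # either module+0xOFFSET ...
      |-->(?P<symbol>\w+))                   # ... or module-->ExportedSymbol
    ,\ Type:\ (?P<kind>Inline\ -\ \w+)\      # e.g. "Inline - RelativeJump"
    0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+)
    \ \[(?P<owner>[^\]]+)\]$                 # module that owns the destination
""", re.VERBOSE)

# Assumed threshold: a forward/backward hop shorter than this, staying inside
# the same module, looks like ordinary control flow rather than a detour.
SHORT_JUMP_LIMIT = 0x100


@dataclass
class HookEntry:
    module: str
    location: str   # "+0xOFFSET" or the exported symbol name
    kind: str
    src: int
    dst: int
    owner: str

    @property
    def displacement(self) -> int:
        """Signed distance from the patched instruction to its target."""
        return self.dst - self.src


def parse_report(text: str) -> list[HookEntry]:
    """Parse RkU-style hook lines; raise on anything the grammar does not cover."""
    entries: list[HookEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        location = m["symbol"] or f"+0x{m['offset']}"
        entries.append(HookEntry(module=m["module"], location=location, kind=m["kind"],
                                 src=int(m["src"], 16), dst=int(m["dst"], 16),
                                 owner=m["owner"]))
    return entries


def triage(entry: HookEntry) -> str:
    """Bucket an entry for manual review (editor's heuristic, not a verdict)."""
    if entry.owner == "unknown_code_page":
        return "examine-first"          # target is not backed by any known image
    if entry.owner == entry.module and abs(entry.displacement) < SHORT_JUMP_LIMIT:
        return "likely-benign"          # tiny hop inside the same module
    return "review"                     # far intra-module or cross-module transfer


def summarize(text: str) -> list[tuple[str, str, str]]:
    """(module, location, bucket) for every line in the report."""
    return [(e.module, e.location, triage(e)) for e in parse_report(text)]


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        print(f"{e.module}{e.location:<20} {e.kind:<22} disp={e.displacement:+#x:<12} "
              f"owner={e.owner:<18} -> {triage(e)}")
```

Run it as-is to see the two short same-module jumps (0x17 and 0x7 bytes ahead) land in `likely-benign`, the two far jumps at `KeSetProfileIrql` land in `review`, and the call into `unknown_code_page` is listed first for a closer look. Extend `LINE_RE` if your RkU build prints additional hook types.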
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 1:26 pm
by EP_X0FF
I believe these are false positives, because of non-meaningful addresses.
OnlineDisk and rapidshare links sent.
If you think that your PC may be infected, then try a set of rootkit scanners additionally.
p.s.
What kind of security/backup/system software do you have installed on this PC?
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 1:45 pm
by Krestig
EP_X0FF, with the new build that you have sent, everything works fine, I can't reproduce the bug.
Soft installed:
security: Comodo HIPS
system: vmware workstation, Nero, Virtual CloneDrive.
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 1:52 pm
by EP_X0FF
Excellent. All this can be caused by Comodo or Virtual CloneDrive.
So I recommend you uninstall everything from this list before trying any other antirootkits, to reduce the count of false positives and probably bugs ;)
edit, updated 14.04.2010 build (the same I sent to Krestig)
locals located here
http://www.kernelmode.info/forum/viewto ... p=699#p699
14.04.2010 changes:
added: ZeroAccess detection as part of stealth code page
fixed: BSOD caused by invalid dereference with some rootkits
fixed: some bug with initialization (can lead to invalid results with some rootkits)
changed: logic of stealth code page, it is not anymore starting automatic scanning
changed: some stealth code display messages
updated: locals
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 2:59 pm
by ConanTheLibrarian
Your reports page is not reflecting the full Stealth Code analysis (aka ZeroAccess driver). It says nothing found

Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 3:12 pm
by EP_X0FF
oops :D
It's because stealth code is not doing automatic scans anymore.
Latest fix from today, I promise :D
MD5 for exe
04626f4f4dbfa366ffca34034b026e35
SHA1 for exe
dedce79192e95e1197ee0530aff9bbf323a11db4
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Sat Apr 17, 2010 5:19 pm
by EP_X0FF
Update.
Contains compatibility fix.
There are still several things that need to be done.
Release is planned for May 2010. It will be posted at rootkit.com and here.
After this, SR3 work will be started and a new beta test thread will be created (as far as there will be something to test).
MD5
022e8ba9a8fd641b2609ff6e87a6e324
SHA1
710b83e07324f1b80b0c3639da275d0efcc2fb92