Rootkit Unhooker



anon
18.09.08, 02:24
Rootkit Unhooker LE (RkU) is an advanced rootkit detection/removal utility, designed specially for advanced users and IT professionals. It runs under 32-bit Windows 2000, Windows XP, Windows 2003 Server and Windows Vista. If you don't know how to use it, please do not say that it is not working or found nothing. In 95% of such incidents users simply don't know how to use this program.

Features:

Public version
SSDT Hooks Detection and Restoring
Shadow SSDT Hooks Detection and Restoring
Hidden Processes Detection/Terminating/Dumping
Hidden Drivers Detection and Dumping
Hidden Files Detection/Copying/Deleting
Code hooks Detection and Restoring
Report generation

Supported operating systems:
x86 32 bit Windows 2000 SP4
x86 32 bit Windows XP +SP1, SP2
x86 32 bit Windows 2003 +SP1, +SP2
x86 32 bit Windows Vista

Note: RkU requires Administrator rights to launch and work.

DOWNLOAD PAGE (http://www.antirootkit.com/software/RootKit-Unhooker.htm)

It's a very good tool to remove hidden rootkits, trojans, and general software that doesn't want to go or installs drivers - you can choose to remove them and the executable from memory, and wipe their .sys and .exe files. It also lets you unhook Windows API functions "taken" by other processes, but be careful with this, since legitimate programs like antivirus/firewall software and the Windows kernel itself may be doing this for good purposes.
Notes: if you get a BSOD every time you use the "Files" tab's functions, go to Setup -> Settings, tick the "Use Standard DiskIO" checkbox, and press OK.
And never enable "Extended Mode"! It can lead to blue screens, crashes and system instability!
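For readers wondering what "SSDT Hooks Detection and Restoring" and "Code hooks Detection and Restoring" actually check, here is an added example (my own illustration, not code from Rootkit Unhooker or from anyone in this thread). It simulates the two classic checks on constructed in-memory data so it builds and runs on any platform: a dispatch-table entry that points outside the kernel image is treated as hooked and is restored from a trusted baseline, and a function prologue whose first bytes differ from the clean on-disk copy is treated as an inline code hook and is restored. The function names (`find_table_hooks`, `restore_table`, `find_code_hook`, `restore_code`, `run_demo`), the image range, the table contents and the byte patterns are all assumptions made up for the example, not real Windows values.

```c
/* Added example, not code from Rootkit Unhooker or from this thread. It
 * simulates the two checks a detector like RkU performs, on constructed
 * in-memory data so it builds and runs anywhere:
 *  1. SSDT-style check: every entry of a service dispatch table should
 *     point inside the kernel image; an entry pointing elsewhere has been
 *     hooked. "Restoring" copies a trusted baseline entry back.
 *  2. Code-hook check: the first bytes of a function in memory should equal
 *     the clean copy from the on-disk image; a JMP written over the
 *     prologue shows up as a mismatch.
 * All addresses, table contents and byte patterns are constructed sample
 * values, not real Windows ones. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

struct image_range { uintptr_t base; size_t size; };  /* legitimate code region */

static int in_image(uintptr_t addr, const struct image_range *img)
{
    return addr >= img->base && addr < img->base + img->size;
}

/* Record indices of table entries that point outside the kernel image in
 * hooked[] (at most max of them). Returns the total number of hooked entries. */
size_t find_table_hooks(const uintptr_t *table, size_t n,
                        const struct image_range *kernel,
                        size_t *hooked, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!in_image(table[i], kernel)) {
            if (count < max) hooked[count] = i;
            count++;
        }
    }
    return count;
}

/* Put baseline entries back (a tool like RkU derives the baseline from the
 * kernel file on disk). Returns how many entries had to be changed. */
size_t restore_table(uintptr_t *table, const uintptr_t *baseline, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i] != baseline[i]) { table[i] = baseline[i]; changed++; }
    return changed;
}

/* Offset of the first byte where the live prologue differs from the clean
 * copy, or -1 if the function is untouched. */
long find_code_hook(const uint8_t *live, const uint8_t *clean, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (live[i] != clean[i]) return (long)i;
    return -1;
}

/* Overwrite the live prologue with the clean bytes; returns bytes changed. */
size_t restore_code(uint8_t *live, const uint8_t *clean, size_t len)
{
    size_t changed = 0;
    for (size_t i = 0; i < len; i++)
        if (live[i] != clean[i]) { live[i] = clean[i]; changed++; }
    return changed;
}

/* Walk through a constructed scenario; returns 1 if every step behaved as a
 * detector would expect, 0 otherwise (so the result can be checked). */
int run_demo(void)
{
    /* Constructed: a 1 MiB "kernel" image and a 4-entry dispatch table. */
    struct image_range kernel = { (uintptr_t)0x80400000u, 0x100000u };
    uintptr_t baseline[4] = { (uintptr_t)0x80401000u, (uintptr_t)0x80402000u,
                              (uintptr_t)0x80403000u, (uintptr_t)0x80404000u };
    uintptr_t table[4];
    memcpy(table, baseline, sizeof table);
    table[2] = (uintptr_t)0xF7A01000u;   /* constructed: redirected to a rogue driver */

    size_t hooked[4];
    size_t n = find_table_hooks(table, 4, &kernel, hooked, 4);
    printf("table hooks found: %zu (first at index %zu)\n", n, n ? hooked[0] : (size_t)0);
    size_t fixed = restore_table(table, baseline, 4);
    int table_ok = (n == 1 && hooked[0] == 2 && fixed == 1 &&
                    find_table_hooks(table, 4, &kernel, hooked, 4) == 0);

    /* Constructed: the standard x86 hot-patch prologue (mov edi,edi; push ebp;
     * mov ebp,esp) versus a live copy whose start was replaced by a 5-byte
     * JMP rel32; the displacement bytes are arbitrary. */
    uint8_t clean[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    uint8_t live[5]  = { 0xE9, 0x44, 0x33, 0x22, 0x11 };
    long at = find_code_hook(live, clean, 5);
    printf("code hook at offset %ld\n", at);
    size_t bytes = restore_code(live, clean, 5);
    int code_ok = (at == 0 && bytes == 5 && find_code_hook(live, clean, 5) == -1);

    return table_ok && code_ok;
}

int main(void)
{
    return run_demo() ? 0 : 1;
}
```

The point of the range check is the same one the first post warns about: an entry that points outside the kernel image is not necessarily malicious, since antivirus and firewall drivers hook the same tables, so a real tool shows you the owning module and leaves the decision to you rather than restoring everything blindly.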

Aurion
18.09.08, 02:38
Even those that come with packers? I mean, if you just love to play with Trojans/Shells, does it detect them while your server is on?

SealLion
18.09.08, 05:57
Anon: Is this a similar proggy to 'unhackme'?

I think that it is. It sounds like it is. I have unhackme installed and it seems to check the computer upon start up and I think that what it does is remove trojans/rootkits upon boot. It runs silently in the background and checks every 15 mins. It's actually quite good, I find.

Unhackme is from 'Partizan'.


But I think that your proggy seems to do a little bit more than the one that I've got installed here.

anon
18.09.08, 21:34
@Aurion: I didn't exactly understand what you meant with "even those that come with packers", but I can tell from my own experience that it detects a lot of bad stuff that tries to hide itself (or not), as it can counter possible hooks placed on the Windows API for rootkits and malware to hide themselves (just like APT). It can also see hidden processes and drivers, and depending on how much they've been "buried" inside the system, unload them from memory, or if it isn't possible, wipe its .sys and attempt to proceed anyway, so that whatever happens, it won't be able to run after a reboot.

This is its menu:
http://img110.imageshack.us/img110/6025/rkmenutm0.gif

@SealLion: just checked UnHackMe (happened to have it in my downloads folder), and it does seem to do a similar job, but also to be more newbie-oriented (doesn't prevent it from being very powerful, though), because of its "wizard" interface.
This tool is a lot more advanced - you can screw up your system if you don't know what you're doing, really - but also a great trouble-shooter, and definitely an "anti-spyware" suite when combined with APT, Autoruns (possibly also HijackThis), and knowledge of how to use all of them! :cool2: