CastleCops, Internet Crime Fighters
[DONE] Do I have a rootkit or not? (RKUnhooker)

 
Forum: Rootkit Revelations
rolarocka

Cadet
Joined: Aug 15, 2007
Posts: 2
Location: Germany

PostPosted: Wed Aug 15, 2007 6:22 pm    Post subject: Do I have a rootkit or not? (RKUnhooker)

Hello Forum,
can someone tell me if I have a rootkit?
I'm a little unsure because of the files at the bottom.
Thanks in advance.


>SSDT State
NtCreateKey
Actual Address 0xB970D03A
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtCreateSymbolicLinkObject
Actual Address 0xB971383A
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtCreateThread
Actual Address 0xB970DF6E
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtDeleteKey
Actual Address 0xB970D7D0
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtDeleteValueKey
Actual Address 0xB970D526
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtDeviceIoControlFile
Actual Address 0xB971394C
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtEnumerateKey
Actual Address 0xB970D900
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtEnumerateValueKey
Actual Address 0xB970DA3E
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtOpenKey
Actual Address 0xF77250B0
Hooked by: sptd.sys

NtOpenSection
Actual Address 0xB97136EA
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtProtectVirtualMemory
Actual Address 0xB9713588
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtQueryKey
Actual Address 0xB970DE34
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtQueryValueKey
Actual Address 0xB970DB7E
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtSetContextThread
Actual Address 0xB970E198
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtSetSystemInformation
Actual Address 0xB9713B2A
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtSetValueKey
Actual Address 0xB970D256
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtSuspendProcess
Actual Address 0xB9713634
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtSuspendThread
Actual Address 0xB970E230
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtTerminateProcess
Actual Address 0xB9713436
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtTerminateThread
Actual Address 0xB970E10A
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtWriteVirtualMemory
Actual Address 0xB97134DC
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

>Shadow
NtUserSetWindowsHookEx
Actual Address 0xB9713C58
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

>Processes
>Drivers
>Stealth
>Files
>Hooks
Device object-->ParseProcedure, Type: Kernel Object hook handler located in [unknown_code_page]
File object-->ParseProcedure, Type: Kernel Object hook handler located in [unknown_code_page]
Key object-->ParseProcedure, Type: Kernel Object hook handler located in [unknown_code_page]
Process object-->OpenProcedure, Type: Kernel Object hook handler located in [unknown_code_page]
Section object-->OpenProcedure, Type: Kernel Object hook handler located in [unknown_code_page]
Thread object-->OpenProcedure, Type: Kernel Object hook handler located in [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

nosirrah

Security Expert
Special Response Team

Joined: Apr 19, 2006
Posts: 6301
Location: USA

PostPosted: Wed Aug 15, 2007 11:16 pm    Post subject:

Do you have Daemon Tools and GhostSecurity?

rolarocka

Cadet
Joined: Aug 15, 2007
Posts: 2
Location: Germany

PostPosted: Wed Aug 15, 2007 11:35 pm    Post subject:

nosirrah wrote:
Do you have Daemon Tools and GhostSecurity?


Yes, I have both.

I've created a boot CD with Kaspersky and run a scan with it. Thankfully the scan result was clean.
Only the Rootkit Unhooker results are disturbing for me as a newbie in these rootkit things.

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394


PostPosted: Sat Aug 25, 2007 12:59 am    Post subject:

Since this issue appears to be resolved to rolarocka's satisfaction, I am marking this topic as done.


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
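As an added triage helper (not code from the thread, from CastleCops or from RKUnhooker), the Python below parses the report layout rolarocka posted and groups each hooked service by the driver that hooked it, so nosirrah's question (are the hooking drivers ones you installed yourself?) can be answered from the log; it also lists the object hooks whose handler RKUnhooker placed in [unknown_code_page], which is the part a log alone cannot explain. The embedded report is a constructed excerpt, and `installed_modules` is an assumed input the user supplies from what they know is on the machine.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RKUnhooker report layout seen in the thread (not the full posted log).
SAMPLE_REPORT = r""">SSDT State
NtCreateKey
Actual Address 0xB970D03A
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

NtOpenKey
Actual Address 0xF77250B0
Hooked by: sptd.sys

>Shadow
NtUserSetWindowsHookEx
Actual Address 0xB9713C58
Hooked by: C:\Programme\GhostSecuritySuite\ghostsec.sys

>Hooks
Key object-->ParseProcedure, Type: Kernel Object hook handler located in [unknown_code_page]
"""
OBJ_HOOK_RE = re.compile(r"^(?P<obj>\w+) object-->(?P<proc>\w+), Type: .*located in \[(?P<where>[^\]]+)\]$")

def parse_report(text):
    """Return ([(table, function, address, module)], [(object type, procedure, handler location)])."""
    syscall_hooks, object_hooks, section, func, addr = [], [], None, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(">"):          # section header such as >SSDT State or >Hooks
            section, func, addr = line[1:], None, None
        elif section in ("SSDT State", "Shadow"):
            if line.startswith("Actual Address"):
                addr = int(line.split()[-1], 16)
            elif line.startswith("Hooked by:"):
                syscall_hooks.append((section, func, addr, line.split(":", 1)[1].strip()))
                func = addr = None
            elif line:                    # a bare function name opens the next entry
                func = line
        elif section == "Hooks" and (m := OBJ_HOOK_RE.match(line)):
            object_hooks.append((m["obj"], m["proc"], m["where"]))
    return syscall_hooks, object_hooks

def triage(text, installed_modules):
    """Group syscall hooks by driver; flag unaccounted-for drivers and object hooks in unattributed code."""
    syscall_hooks, object_hooks = parse_report(text)
    by_module = defaultdict(list)
    for table, func, _addr, module in syscall_hooks:
        by_module[module.rsplit("\\", 1)[-1].lower()].append(f"{table}:{func}")
    return {"by_module": dict(by_module),
            "unexplained_modules": sorted(m for m in by_module if m not in installed_modules),
            "unattributed_object_hooks": [f"{o}.{p}" for o, p, w in object_hooks if w == "unknown_code_page"]}
```

A driver that the user cannot account for in `unexplained_modules`, or any entry in `unattributed_object_hooks`, is the point where a responder would ask for the full log and the list of installed security and virtual-drive software rather than conclude from the hook list alone.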
All times are GMT