[stifani]

hello,

hi everyone here. i just want to ask if it is possible that rkunhookerle gives the message "possible rootkit activity detected", even if there is no rootkit activity in the system?

i mean.
if rku finds some hooks (not related to malware) that are necessary for some compatibility (example of shimeng.dll), does it show that message anyway ?

for example

Code: Select all

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]
[500]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F41218-->5CF97774 [shimeng.dll]
[500]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A51188-->5CF97774 [shimeng.dll]
[500]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77E410B4-->5CF97774 [shimeng.dll]
[500]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CF97774 [shimeng.dll]
[500]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9D15A4-->5CF97774 [shimeng.dll]
[500]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E39133C-->5CF97774 [shimeng.dll]
[500]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77181248-->5CF97774 [shimeng.dll]
[500]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A3109C-->5CF97774 [shimeng.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

do i have to worry about this? :)
tnx

[nullptr]

Any sort of hooks or modifications etc will be flagged. RkU doesn't keep any sort of whitelist, it just reports what it finds.

[Vrtule]

Any sort of hooks or modifications etc will be flagged. RkU doesn't keep any sort of whitelist, it just reports what it finds.

Except its own hooks.

[stifani]

ok. tnx. that's really reassuring :D

but why there is this hook, anyway:

Code: Select all

ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]

i know hooks on shimeng.dll, are related for some compatibility, but what about that hooks? is it somehow also connected to this shimeng.dll compatibility ?

and another question:
is there an easy way (i mean "on eye detect") to discover which hooks are good and which are not?
can you please give me some hints about?

tnx

[kmd]

Any sort of hooks or modifications etc will be flagged. RkU doesn't keep any sort of whitelist, it just reports what it finds.

Except its own hooks.

no it's not true
you need to press and hold left SHIFT button and then press Scan button in rku - then it will show own hook

[rkhunter]

ok. tnx. that's really reassuring :D

but why there is this hook, anyway:

Code: Select all

ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]

i know hooks on shimeng.dll, are related for some compatibility, but what about that hooks? is it somehow also connected to this shimeng.dll compatibility ?

Seems this is false detection. In any case you can take other anti-rootkit and recheck this.

is there an easy way (i mean "on eye detect") to discover which hooks are good and which are not?
can you please give me some hints about?

Generally, target address (80545CF5 [ntkrnlpa.exe] in this case) does not lead in the source module (ntkrnlpa.exe in this case).