
Rootkit Analyzer Hooks

2 replies to this topic

#1 eazido


  • Members
  • 2 posts
  • Local time:01:50 PM

Posted 02 April 2008 - 08:48 AM

I suspect there are rootkits on my computer- rootkit analyzer reports lots of lines
but which can be safely deleted and which not?

In the scan report, there are two types of events- those marked ----- and those --?--
How to react to them?

- inline code modified ntoskrnl.exe : a google search reports this file is essential. Does that mean that even if reported by the revealer it should NOT be deleted? or should I take action to re-install the file, which apparently is needed for the OS, XP Home?

----- inline code modified SSDT hook- delete or not?

--?-- EAT hook delete?
--?-- IAT hook delete?

Thanks anyone

Edit: Moved topic to the more appropriate forum. ~ Animal


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:50 AM

Posted 02 April 2008 - 11:35 AM

ntoskrnl.exe is a critical Windows process used in the boot-up cycle of your computer.

What issues are you having that you suspect a rootkit on your system? Some ARK tools are intended for advanced users or under the guidance of an expert as they are powerful and can be misused with disastrous results. RootKit Hook Analyzer is geared more for advanced users. The program will let you see what kernel hooks are active on your system. If no hooks are active on your system it means that all system services are handled by ntoskrnl.exe.

If you're unsure how to use RootKit HA or read its logs, use AVG Anti-Rootkit, Sophos Anti-rootkit or Panda AntiRootkit instead.

Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.
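A defender's triage of hook findings along the lines quietman7 describes, as an added example that is not part of this thread and not code from RootKit Hook Analyzer or any other ARK tool: an entry still owned by ntoskrnl.exe is not hooked, one owned by an installed security product is expected, and anything else is flagged for identification rather than deletion. The report layout, the driver names and the allowlist are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Modules that legitimately hook the SSDT/kernel on this machine: firewall,
# anti-virus, HIPS and sandbox drivers. Placeholder names (constructed);
# fill in from the products actually installed before relying on it.
KNOWN_SECURITY_MODULES = {"examplefw.sys", "exampleav.sys", "examplehips.sys"}

@dataclass(frozen=True)
class HookFinding:
    hook_type: str   # "SSDT", "EAT" or "IAT"
    function: str    # hooked system service, export or import
    hooker: str      # module now owning the entry (lower-cased file name)

def parse_report(text: str) -> list[HookFinding]:
    """Parse constructed 'TYPE FUNCTION OWNER' lines; blanks and '#' comments skipped.
    This layout is made up for the example, not any ARK tool's real format."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hook_type, function, hooker = line.split()
        findings.append(HookFinding(hook_type.upper(), function, hooker.lower()))
    return findings

def triage(finding: HookFinding, allowlist: set[str] = KNOWN_SECURITY_MODULES) -> str:
    """Classify one finding. Nothing here deletes or repairs anything."""
    if finding.hooker == "ntoskrnl.exe":
        return "not hooked"   # the kernel itself still services the call
    if finding.hooker in allowlist:
        return "expected"     # installed security software: leave it alone
    return "investigate"      # unknown owner: identify the module before acting

def summarize(text: str) -> dict[str, int]:
    """Count findings per verdict so the 'investigate' set stands out."""
    return dict(Counter(triage(f) for f in parse_report(text)))

# Constructed sample report, not real scan output.
SAMPLE_REPORT = """
# type  function         owner
SSDT    NtCreateFile     ntoskrnl.exe
SSDT    NtOpenProcess    examplefw.sys
EAT     ZwQueryValueKey  unknown1.sys
IAT     GetProcAddress   exampleav.sys
"""
```

Only the entries that come back as "investigate" need the owning module identified (vendor, signature, install history); the others match what quietman7 says is normal.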

#3 eazido

  • Topic Starter

  • Members
  • 2 posts
  • Local time:01:50 PM

Posted 02 April 2008 - 02:31 PM

Thanks quietman7.
For the last month, I kept getting STOP: messages on a blue screen with varying addresses and notes.

In the end, the computer seized up completely.
I tried a quick re-install of Windows XP Home, but finally had to perform a format of my C: drive. I have all my data on a D: partition so apart from time, there is no trouble. I had to set the BIOS to accept the CD- I had tried to use floppies, but they failed to help the re-install.

Since the re-install, I got three new STOP: messages. I performed a RAM diagnostic, and finally found a failed INVC and LRAND message on the first pass, though all passed on a second pass.

I removed one of the RAM modules I have (I have 2x256MB ones), actually the newest one I put in some 6 months ago. Since then- two days- the computer has been working OK, though somewhat slower.
I am therefore ignoring the results of the rootkit revealer program- for the time being.
