You could try this one: Rootkit Unhooker 3.3 (don't try version 3.7):
http://rkunhooker1.narod.ru/rkunhooker_v3/RkU3.30.150.400.rar ...-SKA
Thanks a lot for pointing to RkUnhook (http://rkunhooker1.narod.ru/rkunhooker_v3/RkU3.30.150.400.rar) (RkU), SKA :up:
This Russian program (exe name: 7lSQusUji) is by far the most advanced in this group! The first scanning result is literally ready in a second (!), but the final Report took more than an hour to produce. I would like to show a screenshot of the scrolled report window, but the RkU window is not a standard GUI object that my FastStone Capture can recognize, so I will insert a fraction of the 546 KB Report text file (I have deleted 99%). Here is first a screenshot:
Fraction of 546KB Report
RkUnhooker report generator v0.6
==============================================
Rootkit Unhooker kernel version: 3.30.150.400
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtAssignProcessToJobObject
Actual Address 0xF4D490B0
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtClose
Actual Address 0xF4C814FC
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
NtCreateFile
Actual Address 0xF4D36460
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtCreateKey
Actual Address 0xF4C80E56
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
NtCreateProcess
(part deleted)
==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x845C9660
Process: C:\PROGRA~1\Webshots\Webshots.scr
Process Id: 200
EPROCESS Address: 0x83D34B70
Process: C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
Process Id: 248
EPROCESS Address: 0x82BDA6D8
Process: C:\Programmer\Agnitum\Outpost Firewall\outpost.exe
Process Id: 340
EPROCESS Address: 0x82BB68C8
Process: C:\Programmer\WiredPlane\WireKeys\WireKeys.exe
Process Id: 460
EPROCESS Address: 0x83F34688
Process: C:\Programmer\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
Process Id: 480
EPROCESS Address: 0x83D55440
Process: C:\Programmer\Microsoft Office\OFFICE11\OUTLOOK.EXE
Process Id: 500
EPROCESS Address: 0x83433020
Process: C:\Programmer\StudioLine\NMSAccess.exe
Process Id: 504
EPROCESS Address: 0x83D2DA48
Process: C:\Programmer\Oront Burning Kit 2\nmsaccess.exe
Process Id: 524
EPROCESS Address: 0x83DCB930
Process: C:\WINDOWS\system32\smss.exe
Process Id: 584
EPROCESS Address: 0x8419F4E8
Process: C:\Programmer\ESET\nod32krn.exe
Process Id: 612
EPROCESS Address: 0x82BB8460
Process: C:\Programmer\Backup4all\IoctlSvc.exe
Process Id: 640
EPROCESS Address: 0x82BB18B0
(part deleted)
==============================================
>Drivers
Driver: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF5FFF000
Size: 3645440 bytes
Driver: C:\WINDOWS\System32\vtdisp.dll
Address: 0xBF012000
Size: 3493888 bytes
Driver: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000
Size: 2060160 bytes
(part deleted)
==============================================
>Files
Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System
Suspect File: C:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS005A8.log Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.ci Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.dir Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.ci Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.dir Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Status: Hidden
Suspect File: C:\Documents and Settings\karar\Lokale indstillinger\Temporary Internet Files\Content.IE5\3CTNUGG3\indexCAAQZJGR.htm Status: Hidden
Suspect File: C:\Documents and Settings\karar\Lokale indstillinger\Temporary Internet Files\Content.IE5\LI5FD9A2\indexCA7AFT75.htm Status: Hidden
Suspect File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf Status: Hidden
==============================================
>Hooks
IDT-->Int 0x000000B1, Type: IDT modification hook handler located in [?_unknown_code_page_?]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF7891B4C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xF7891B1C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF7891B3C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF7891B28 hook handler located in [FILTNT.SYS]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x7C802367 hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [wl_hook.dll]
(part deleted)
Find the program at this all-Russian forum:
http://rkunhooker1.narod.ru/rkunhooker_v3/RkU3.30.150.400.rar
[Edit: or at http://rkunhooker1.narod.ru/index.html in English]
- the program is in English. I think RkU is by far the best of these four apps I have named, but the full report may be useless, as it will list every DLL and EXE file on your computer because they are handling hooks...
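Added example, not part of the post above and not RkU's own code: a small Python triage script for the report layout quoted in it. It parses the "SSDT State" and "Hooks" sections, then sets aside hooks whose handler module the analyst already recognises (the sample treats fslx.sys and FILTNT.SYS as expected; that list is an assumption you would fill from your own installed security products), so the handler RkU could not map to any module, `?_unknown_code_page_?`, surfaces first instead of being buried among thousands of legitimate entries.

```python
import ntpath
import re

# Constructed excerpt in the layout of the RkUnhooker v0.6 report quoted above (one record per kind)
SAMPLE_REPORT = r""">SSDT State
NtClose
Actual Address 0xF4C814FC
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
==============================================
>Hooks
IDT-->Int 0x000000B1, Type: IDT modification hook handler located in [?_unknown_code_page_?]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF7891B3C hook handler located in [FILTNT.SYS]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x7C802367 hook handler located in [wl_hook.dll]
"""

# One ">Hooks" line: "<target>, Type: <type>[ at address 0x...] hook handler located in [<module>]"
HOOK_LINE = re.compile(r"^(?P<target>.+?), Type: (?P<type>.+?)"
                       r"(?: at address (?P<addr>0x[0-9A-Fa-f]+))? hook handler located in \[(?P<handler>[^\]]+)\]$")

def parse_report(text):
    """Collect every hook in the SSDT State and Hooks sections as {section, target, type, addr, handler}."""
    hooks, section, target, addr = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("="):
            continue
        if line.startswith(">"):          # section header such as ">SSDT State"
            section = line[1:]
        elif section == "SSDT State":     # three-line records: syscall name, Actual Address, Hooked by
            if line.startswith("Actual Address "):
                addr = line.split()[-1]
            elif line.startswith("Hooked by: "):
                hooks.append({"section": section, "target": target, "type": "SSDT", "addr": addr,
                              "handler": ntpath.basename(line[len("Hooked by: "):])})
            else:
                target = line
        elif section == "Hooks":          # one-line records
            m = HOOK_LINE.match(line)
            if m:
                hooks.append({"section": section, **m.groupdict()})
    return hooks

def triage(hooks, trusted_handlers):
    """Separate hooks set by modules the analyst recognises from those to review, unmapped handlers first."""
    trusted = {h.lower() for h in trusted_handlers}
    expected, review = [], []
    for h in hooks:
        (expected if h["handler"].lower() in trusted else review).append(h)
    review.sort(key=lambda h: "unknown" not in h["handler"].lower())  # "?_unknown_code_page_?" first
    return expected, review
```

Run `parse_report` on the full report file and pass the module names of your own firewall and AV drivers to `triage`; what remains in the review list is the part of the report actually worth reading.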
---
SKA, what do you hold against version 3.7?