Subject: Radix Anti-Rootkit
Posted: 20 August 2013 at 12:38am
Hi, new version is out:
False Positive? Or new Rootkit? PID 1.
All other known ark-tools show no such Pid.
(16) PID: 1 [8981F788] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [87FC46B0] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [8982F570] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [88073468] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [87FD6728] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [895A5C78] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [8981D688] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [8950ED40] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [89CEC040] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [89578040] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [8965F520] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [89E60650] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [8825BD40] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) TID: 0 [88269D48] The start address of thread 0 [ETHREAD: 88269D48 (16)] of process (PID 1) doesn't point inside a process module.
It points at address 00000000. This is suspicious. You can try to kill or suspend this thread.
Cannot read memory @00000000: 8000000D
Stopping PID 1 results in Stop 0x8E.
Unix Crosslink?
Edited by SystemPro - 3 hours 16 minutes ago at 12:44am
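As an added example (not part of the post and not Radix's own code), a small Python parser for the output format quoted above. It groups the entries by PID and lists the points a defender would want to check by hand before trusting the HIDDEN verdict or running /FH: several distinct EPROCESS addresses all reporting the same PID, the HIDDEN flag itself, and threads whose reported start address is 0. The regexes are written against the line shapes in the post and are an assumption about the tool's format.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Radix output quoted in the post.
SAMPLE_OUTPUT = """\
(16) PID: 1 [8981F788] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) PID: 1 [87FC46B0] ()--[HIDDEN by EPROCESS unlinking. Use /FH to fix]--
Threads belonging to this process:
(16) TID: 0 [88269D48] The start address of thread 0 [ETHREAD: 88269D48 (16)] of process (PID 1) doesn't point inside a process module.
It points at address 00000000. This is suspicious. You can try to kill or suspend this thread.
Cannot read memory @00000000: 8000000D
"""

PROC_RE = re.compile(r"^\(\d+\) PID: (\d+) \[([0-9A-Fa-f]{8})\] \(.*?\)--\[(.*?)\]--")
THREAD_RE = re.compile(r"^\(\d+\) TID: (\d+) \[([0-9A-Fa-f]{8})\] .*of process \(PID (\d+)\)")
ADDR_RE = re.compile(r"^It points at address ([0-9A-Fa-f]{8})\.")

def parse_radix(text):
    """Group Radix process and thread lines by PID (format assumed from the post)."""
    procs = defaultdict(lambda: {"eprocess": [], "flags": set(), "threads": []})
    thread = None  # most recent TID line, so a following address line attaches to it
    for line in text.splitlines():
        if m := PROC_RE.match(line):
            pid, addr, flag = m.groups()
            procs[int(pid)]["eprocess"].append(addr.upper())
            if flag:
                procs[int(pid)]["flags"].add(flag)
        elif m := THREAD_RE.match(line):
            tid, ethread, pid = m.groups()
            thread = {"tid": int(tid), "ethread": ethread.upper(), "start": None}
            procs[int(pid)]["threads"].append(thread)
        elif (m := ADDR_RE.match(line)) and thread is not None:
            thread["start"] = m.group(1).upper()
    return dict(procs)

def triage(procs):
    """Return (pid, reason) findings to verify by hand before trusting the HIDDEN verdict."""
    findings = []
    for pid, p in sorted(procs.items()):
        distinct = set(p["eprocess"])
        if len(distinct) > 1:
            findings.append((pid, f"{len(distinct)} distinct EPROCESS objects report PID {pid}"))
        if any("HIDDEN" in f for f in p["flags"]):
            findings.append((pid, "flagged HIDDEN by EPROCESS unlinking"))
        for t in p["threads"]:
            if t["start"] == "00000000":
                findings.append((pid, f"thread {t['tid']} start address is 0 (unreadable)"))
    return findings
```

Run `triage(parse_radix(SAMPLE_OUTPUT))` on a pasted Radix report to get the list of items to cross-check against a second ARK tool or a kernel debugger before fixing anything.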