PCHunter (XueTr) anti-rootkit new version

Prorootect (thread author)
PCHunter (XueTr) anti-rootkit & on-demand antivirus, 32/64-bit, free - new version topic.

------------------------------------------------------------------
NEW VERSION now is PCHunter Free version V1.0.0.4 - V1.35: October 22, 2014 Build.
- I downloaded from linxer's website; the download link on his site is called:

The standard version October 22, 2014 release V1.35 version.
Standard version Download: local download (md5: 1D171FB3576A08DF32DD8CBF90004BA1)
Where PCHunter32.exe is 32 version, PCHunter64.exe are 64 versions.

The Kernel Module tab is slow: it takes a very long time (some seconds) to start, so I stick with v1.2.

I unchecked: Auto Check Updates.

Readme - Changelog:
*Fixed a bug in x86 Win8.1 system.

- Transfer rate (download) is much better from linxer's website than from the epoolsoft website.

You have in the folder these two executables: PCHunter32.exe for 32-bit version, and PCHunter64.exe for the 64-bit version.

In the v1.31 version, on the 'Ring0 Hooks' tab, you have a new tab called I8042prt.
The Computer Examination tab changed its name to Examination.
Loading of the 'Kernel Module' tab is still slow compared to version 1.2. The other tabs load quickly.

Changelog from readme:

2013-10-06 V1.3:
*Support Win8.1

2013-03-22 V1.2:
*Added ClassInitData enumeration feature
*Fixed several bugs.

2013-02-28 V1.1:
*Added Sfilter enumeration feature
*Added FltMgr Filter enumeration feature
*Fixed several bugs.

In the 'Other' tab, I see the new 'User Name' tab, very interesting: all user name accounts on the computer! With the possibility to delete an account (with right click), perfect, thanks to the developer!

In the 'Setting' tab, the 'Manual Antivirus' section has changed its name to 'Temporary configuration', so we always have the manual antivirus boxes to check and stay safe on this Wild Wild Web!
And Self protection cases are already enabled, like in the precedent version, perfect.

.. and the GUI is much bigger than in the XueTr version.

We look forward to the next Free versions.

------------------------------------------------------------------
New link to PCHunter download - parallel to linxer's home website, called epoolsoft.com, by Discuz!, in Google English translation, topic here: http://translate.google.bs/translate?hl=en&ie=UTF8&u=http://bbs.epoolsoft.com/forum.php?mod=viewthread&tid=36&extra=page%3D1

Download link in the epoolsoft.com first topic's post: click on Local Download button, and you have epoolsoft.com PCHunter_free.zip - 6.52 MB only!

------------------
New links to PCHunter download - for the newest version (v1.0.0.3 2013-12-10 Build) too on MajorGeeks.com website: http://www.majorgeeks.com/files/details/pc_hunter.html


2013-01-22 V1.0 : Download link from XueTr (renamed PCHunter now) author linxer Home website : The PC Hunter V1.0 released, support Win8 and 64-bit systems (re-development on the basis of the original XueTr from) (Google English translation) : http://translate.googleusercontent....le.com&sl=zh-CN&tl=en&u=http://www.xuetr.com/
- I downloaded this first PCHunter 1.0 version from Download Address 2: Local Download (md5: EEC83714D20705ED6C04D279AC7111A2) - NO problems, very nice & easy, looks like XueTr but bigger.
The GUI window is bigger than the XueTr GUI. Better visibility, the tabs / fonts are larger. Blue icon, the same as the XueTr icon ever was.
Self protection (of SSDT and Shadow SSDT) is enabled already.
In Kernel tab: Hal Callback (hey, it's NOT Hal 9000 callback ..) and System Debug buttons are added.
In Network tab, Ndis Handler button is added.
In Startup tab, you have Startup, Services, and Schedule Task buttons.
Random GUI name, longer (so more secure) than in XueTr.
In the PCHunter_free folder I see the executables for the Windows 32-bit and 64-bit versions: PCHunter32.exe and PCHunter64.exe.
Because my Windows is 32-bit, I deleted the other executable, and the Chinese file too.



From readme ( released 2013-01-22 V1.0 ):

PCHunter anti-rootkit is a free and handy toolkit for Windows with various powerful features for kernel structure viewing and manipulation. It offers you the ability with the highest privileges to detect, analyze and restore various kernel modifications and gives you a wide scope of the kernel.
With its assistance, you can easily spot and neutralize malware hidden from normal detectors.

PCHunter currently supports the following Windows versions:

Windows 2000 SP4 (32-bit only)
Windows XP (32-bit only)
Windows Server 2003 (32-bit only)
Windows Vista (32-bit only)
Windows Server 2008 (32-bit only)
Windows 7 ( 32 / 64 )
Windows 8 (32 / 64 )

Currently, the following features are available:

* Process Manager
View system process and thread basic information.
Detect hidden processes, threads, process modules.
Terminate, suspend and resume processes and threads.

View and manipulate process handles, windows and memory regions.

* Kernel Module Viewer
Display kernel module information including ImageBase, Size, Driver Object, ImagePath, ServiceName and Load Order.
Detect hidden kernel modules.
Unload kernel module (dangerous).
Dump kernel image memory.
Display and delete system driver service information.

* Hook Detector
View and restore SSDT, Shadow SSDT, Sysenter and int2e hooks.
View and restore FSD and keyboard dispatch hooks.
View and restore kernel code hooks including kernel inline hooks, patches, IAT and EAT hooks.
View and restore usermode process hooks including inline hooks, patches, IAT and EAT hooks.
View and restore message hooks (both global and local).
View and restore kernel ObjectType hooks.
Display Interrupt Descriptor Table (IDT).

* System Callback Viewer
Display and remove Kernel Notifications ( Process / Thread / Image / Registry / Lego / Shutdown / Bugcheck / FileSystem / Logon ).

* Network Viewer
Display current network connections, including the local and remote addresses and state of TCP connections.
View and delete IE plugins and context menu.
View and restore tcpip dispatch hooks.
Display winsock providers (SPI).
View and edit hosts file.

* Filter Viewer
View and remove filters for common devices including disk, volume, keyboard and network devices.

* Registry Viewer
View and edit system registry.
Detect hidden registry entries using live registry hive analysis.

* File Explorer
Detect hidden files using both disk analysis and driver methods.
View and delete locked files and folders.
View file basic information including NTFS Alternate Data Streams.

* Autorun Manager
Display and delete common autorun entries.

* Service Manager
Display Win32 service information (for Ring0 modules, it is included in Kernel Module Viewer).
Change service status and configuration.

* DPC Timer
Enumerate and delete DPC Timer objects.

* Miscellaneous
View and repair common filetype associations.
View and repair image hijacks.
Scan MBR (for MBR rootkit), Backup MBR, Reset MBR, Backup Boot Sector, Reset Boot Sector buttons.

* Settings
Option to defend against process creation, thread creation, module load and message hook installation.
Option to defend against file creation and registry key creation.
Option to prevent system suspend, log-off, shutdown and reboot.
Option to prevent locking the workstation and switching desktop.
Option to prevent setting the system time.

Color codes:

1. Suspicious object, hidden services, processes, hook functions ----> Red
2. Microsoft file ----> Black
3. File from a non-Microsoft manufacturer ----> Blue
4. No signature validation ----> Pink
5. Processes tab, when searching with 'Find Unsigned Module', the unsigned non-Microsoft module ----> Khaki


Warning: Use it at your own risk. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.
Disclaimer: This is just free supporting software; if using the software causes you direct or indirect losses or damages, the Company shall not be responsible. From the moment you use the software, you will be deemed to have accepted this disclaimer.


Check the latest version number on bbs.epoolsoft.com (in Chinese): http://bbs.epoolsoft.com/forum.php?mod=viewthread&tid=36&extra=page=1

Indispensable, I think, free on-demand software.
 

Fiery

Moose said:
Could you tell me what rootkits PCHunter (XueTr) covers?

Judging from what I'm reading so far, I would guess that the tool detects rootkits by their functions and hooks, rather than by signatures or specific infections. Though it would probably still give you an infection name if it is a known infection, similar to GMER.

For the unknown infections, it would probably still detect the hooks and alert the user.
 

Prorootect (thread author)
Color codes:

1. Suspicious object, hidden services, processes, hook functions ----> Red
2. Microsoft file ----> Black
3. File from a non-Microsoft manufacturer ----> Blue
4. No signature validation ----> Pink
5. Processes tab, when searching with 'Find Unsigned Module', the unsigned non-Microsoft module ----> Khaki



- The content of this post has been added to the first post of the topic.
 
Plexx

Believe it or not, I still have XueTr in my toolbox, though I hardly ever had the need to use it. Wasn't aware of a new re-developed version. Thanks for the share!
 

Prorootect (thread author)

On the BKAV Vietnamese forum, forum.bkav.com.vn, you have 24 pages of the topic about XueTr, with the latest announcement on PCHunter in the first post, so look at this link for your reading, in Google English translation from Vietnamese: http://translate.google.bs/translate?hl=en&sl=vi&u=http://forum.bkav.com.vn/showthread.php%3F13191-Cong-cu-ho-tro-diet-Virus-bang-tay-sieu-manh-XueTr-Anti-Virus-Rootkit

In the latest post, this note: 'The latest update 01/02/2013: XueTr officially renamed PCHunter, to support Windows 8 and 64-bit platforms'
 

Gnosis

Just to show you how handy this tool is: I recently downloaded the new version and was checking out the various tabs, and I saw Hotspot Shield services running. XueTr (PCHunter) put the line items right in my face, so I could not help but read into it.

My PC has been really sluggish as of late, and even my offline PC activity seems sluggish when the internet is sluggish, though I am not actually utilizing the internet while my connection exists.

XueTr had HSS highlighted and I got to thinking. I disabled the services and my PC is really responsive now. I had ignored it for a time because KillSwitch reported no CPU drains. Apparently HSS services have been disrupting my internet speeds and general PC functions. Historically this PC acts funny, across the board, if my wireless is messed with at all by a conflict. It does not affect the wireless connection related stuff, but affects ALL actions with sluggish symptoms and occasional hangs.
This PC and OS are so old I had just assumed the hardware was getting glitchy. LOL

It is important to know that I was not anonymous at any time via HSS, as I have not been surfing anonymous via HSS. Nonetheless, the HSS services that have been running are the culprit, though no CPU drain was shown by KillSwitch.

I will tell ya something else; I just now remembered that I tried unsuccessfully to force the HSS line items to FORCE TERMINATE via KillSwitch, and they would reappear every time. I did not really pay much attention because HSS is a trusted program, and at that time I had no idea I was experiencing a "grayware" scenario due to a couple of HSS services running. XueTr (PCHunter) killed it for me on the first try, and now KillSwitch confirms the HSS services are shut down.


PCHunter just got uploaded to HitMan's scan cloud. hahahalol :)

Who said China has no quality?! (me from time to time) LOL XueTr rocks!!!!!!
 

Prorootect (thread author)

Dear ZOU (Gnosis), you know why I like you so much: especially because you're open and honest.

Congrats on easily removing the AnchorFree Hotspot Shield HSS Adapter files, services, and surely registry keys too, with this stunning PCHunter (writing comes together!) essential tool.
A little link for you personally, about Hotspot Shield HSS residue after uninstallation, on help2go.com: http://www.help2go.com/forum/computer-help/103801-hotspot-shield-residue-after-deinstallation-2.html

Another link about PCHunter - from the Russian site called SafeZone : Antirootkits: PCHunter (ex-XueTr) (in Google English translation): http://translate.google.com/translate?hl=en&sl=ru&u=http://safezone.cc/forum/showthread.php%3Ft%3D14770

PCHunter works as if from another HDD (from another dimension, I joke), which explains why it's so effective.

It is the MOST effective anti-rootkit (don't forget PowerTool and GMER too).
 

Prorootect (thread author)

NEW link to the PCHunter download, on the replacement of linxer's home website, called Discuz!, in Google English translation here: http://translate.google.bs/translate?hl=en&ie=UTF8&u=http://bbs.epoolsoft.com/forum.php%3Fmod%3Dviewthread%26tid%3D36%26extra%3Dpage%253D1 - this link works.
Download link in the Discuz! first topic's post: click on the Local Download button, and you have epoolsoft.com PCHunter_free.zip - 5.28 MB only!



- The content of this post has been added to the first post of the topic.
 

Moose

Could you provide the link, please! I am interested in PCHunter, and will this work on Windows 8 x64 O.S.?
I keep getting an error on the download page:



The page you want to have translated is too large.

http://cdn.baidupcs.com/file/eec83714d20705ed6c04d279ac7111a2?xcode=e04a2a99df56c657dd126b5a8235edd2&fid=271085450-250528-4066974275&time=1361628917&sign=FDTA-DCb740ccc5511e5e8fedcff06b081203-mbGv9h3u9oxYcJLONd53pGBA%2F8w%3D&fromcdn=1&expires=8h&response-cache-control=private

Select an option:

Show the previous page again
Return to the translation
Show the original page
 

Moose

Working! Yes! It worked on Windows 8 x64 O.S. Do you have a tutorial on how to use it properly?

Many thanks!
 

Prorootect (thread author)

Hmm Moose, this link of yours is good here: at the end of the Google address, delete your &usg= ... coordinates, please, OK.
My link in the first post is good, I hope.
 

Prorootect (thread author)

A tutorial, Moose?..

Do not touch anything, if you're not sure what you want to do (read Disclaimer, please), read only, if not pray. Because this is not a toy, far from it!

- That is the BEST short tutorial for all of you.
 

Naughty

Free version upgraded to 1.1: http://www.xuetr.com/download/PCHunter_free.zip

Changelog:
2013-02-28 V1.1:
*Added Sfilter enumeration feature
*Added FltMgr Filter enumeration feature
*Fixed several bugs.


New pro version: http://www.xuetr.com/download/PCHunter_pro.zip
 

Prorootect (thread author)

Thank you Naughty for this good news!

I downloaded this second Free version of PCHunter, v1.0.0.1, from linxer's link translated into English - Download free version 2: Local Download (md5: 30D13591E6F1408F623C1AEDAC76D72D) - which you have in the first topic's post.

After unzipping PCHunter_free.zip (3.31 MB, signed by Epoolsoft.com) on my Windows XP 32-bit, I now click on PCHunter32.exe (5.66 MB), which runs smoothly like the previous first version.

In the 'Other' tab, I see the new 'User Name' tab, very interesting: all user name accounts on the computer! With the possibility to delete an account (with right click), perfect, thanks to the developer!

In the 'Setting' tab, the 'Manual Antivirus' section has changed its name to 'Temporary configuration', so we always have the manual antivirus boxes to check and stay safe on this Wild Wild Web!
And Self protection cases are already enabled, like in the precedent version, perfect.

.. and the GUI is much bigger than in the first version!..

We look forward to the next Free versions, please!

EDIT: these changes have been added to the first topic's post too.
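The first post and this one each list an MD5 beside the download (1D171FB3576A08DF32DD8CBF90004BA1 for V1.35, EEC83714D20705ED6C04D279AC7111A2 for V1.0, 30D13591E6F1408F623C1AEDAC76D72D for V1.0.0.1). The script below is an added example, not code from the thread or from PCHunter's author: it computes the MD5 of a downloaded zip in chunks, compares it case-insensitively with the published value, and tells you which listed release a file corresponds to. The version labels, the function names and the constructed sample file are my own; the hex values are the ones quoted in the posts.

```python
import hashlib
import tempfile

# MD5 values quoted in the thread beside each download (copied from the posts;
# the labels are my own, built from the version and date each post gives).
PUBLISHED_MD5 = {
    "PCHunter Free V1.0 (2013-01-22)": "EEC83714D20705ED6C04D279AC7111A2",
    "PCHunter Free V1.0.0.1 (2013-02-28)": "30D13591E6F1408F623C1AEDAC76D72D",
    "PCHunter Free V1.35 (2014-10-22)": "1D171FB3576A08DF32DD8CBF90004BA1",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Return the lowercase hex MD5 of a file, read in 1 MiB chunks so a
    multi-megabyte zip never has to be held in memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_hex(value):
    """Published hashes are usually upper-case with stray whitespace; hashlib
    emits lower-case, so compare on a normalized form."""
    return value.strip().lower()


def verify_download(path, expected_md5):
    """Return (matches, actual_md5) for a downloaded file against the hash
    the download page lists. A mismatch means the bytes on disk are not
    the bytes the author published (truncated, corrupted or swapped)."""
    actual = md5_of_file(path)
    return normalize_hex(expected_md5) == actual, actual


def find_matching_version(path):
    """Return the label of the listed release whose MD5 matches the file,
    or None if the file matches none of them."""
    actual = md5_of_file(path)
    for label, published in PUBLISHED_MD5.items():
        if normalize_hex(published) == actual:
            return label
    return None


def write_constructed_sample(content=b"abc"):
    """Create a small constructed file (not a real PCHunter download) so the
    example can run offline; returns its path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".zip") as fh:
        fh.write(content)
        return fh.name


if __name__ == "__main__":
    sample = write_constructed_sample()
    ok, actual = verify_download(sample, "900150983CD24FB0D6963F7D28E17F72")
    print("md5 of constructed sample:", actual, "- matches expected:", ok)
    print("listed release matching sample:", find_matching_version(sample))
```

Run it as `python verify_md5.py` against the constructed sample, or call `verify_download("PCHunter_free.zip", "<hash from the download page>")` on a real download. Note what the check does and does not give you: MD5 agreement confirms you have the same bytes the author posted beside the link, which catches a truncated or corrupted transfer and a mirror serving a different archive; it does not by itself prove the author's page was not altered, so on Windows also inspect the Authenticode signature of the extracted executables with `Get-AuthenticodeSignature .\PCHunter32.exe`, since one post notes the archive is signed by Epoolsoft.com.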
 

Gnosis

PCHunter is straight wicked. That is all I can say.

Notice that the "other" tab under the "other" tab has a fix/scan/backup MBR function and a function to fix safe boot. Nice.

I use the "Kernel Module", "Ring 0", and "Startup Info" tabs the most. Under "Startup Info" you can see some items that Task Manager will not reveal, or at least I did.
PCHunter is the quickest way that I know of to see if something maliciously fishy is going on.
I use PCHunter to complement Comodo Killswitch and HitMan Pro when things don't seem right, or when I simply want to get quick intel for peace of mind; I can get a really good sense of the state of my system in under 5 minutes.
 
