Golden Hacker Defender Game Over ?
StevieO
October 11th, 2005, 01:03 AM
Just seen this
But while talking about rootkits, we received the first sample of Golden Hacker Defender around a month ago. This is the commercial private version of the Hacker Defender rootkit. Bad boys are purchasing this tool in order to hide their tracks...and might pay over 500 EUR for it, depending on the features.
The sample we got was found by a company from several of their Windows servers. The discovery was made while they were testing the latest beta version of BlackLight.
http://www.f-secure.com/weblog/#00000675
StevieO
toploader
October 11th, 2005, 01:22 AM
i wonder if hacker defender can disable PG OA AE Prevx?
nick s
October 11th, 2005, 01:27 AM
{QUOTE-> Just seen this
But while talking about rootkits, we received the first sample of Golden Hacker Defender around a month ago. This is the commercial private version of the Hacker Defender rootkit. Bad boys are purchasing this tool in order to hide their tracks...and might pay over 500 EUR for it, depending on the features.
The sample we got was found by a company from several of their Windows servers. The discovery was made while they were testing the latest beta version of BlackLight.
http://www.f-secure.com/weblog/#00000675
StevieO <-QUOTE}Hi StevieO,
"In a sense, direct attack against rootkit detectors requires that the rootkits update themselves faster than the detectors. This is not always possible: F-Secure Internet Security 2006 contains a feature to automatically update it's BlackLight engine through anti-virus updates."
I suspect automatic updates will soon be on the Golden Hacker Defender wish list (and price list)...
Nick
Paranoid2000
October 11th, 2005, 03:03 AM
{QUOTE-> I suspect automatic updates will soon be on the Golden Hacker Defender wish list (and price list)... <-QUOTE}And rootkit detectors will start using encryption/compression/code morphing to avoid signature detection by rootkits. Soon, it will be hard for security software to tell the two apart...
deviladvocate
October 11th, 2005, 04:20 AM
{QUOTE-> And rootkit detectors will start using encryption/compression/code morphing to avoid signature detection by rootkits. Soon, it will be hard for security software to tell the two apart... <-QUOTE}
Heck even "Security software" and not just rootkit detectors themselves will start doing stuff like that to protect itself.
Just like in real combat. Stealth is paramount. You don't want your opponent to see you until you are ready to act.
Notok
October 11th, 2005, 08:27 AM
Having gotten their hands on Hacker Defender Gold is a pretty big thing. Before they were having to go about it blind, but now they have a sample that they can really reverse engineer to see how it's doing what it's doing.. this will greatly enhance their ability to find a way of detecting it. It will definitely be interesting to see how it goes, and whether they share that sample.
deviladvocate
October 11th, 2005, 08:58 AM
{QUOTE-> Having gotten their hands on Hacker Defender Gold is a pretty big thing. Before they were having to go about it blind, but now they have a sample that they can really reverse engineer to see how it's doing what it's doing.. this will greatly enhance their ability to find a way of detecting it. It will definitely be interesting to see how it goes, and whether they share that sample. <-QUOTE}
I can't see why they can't just anonymously pay for it, if they were really that desperate to get it. 500 euro isn't much to a big company.
deviladvocate
October 11th, 2005, 09:41 AM
http://www.invisiblethings.org/tools.html
System Virginity Verifier is a new "rootkit detector" but more interesting to me is the PowerPoint presentation. At the end she makes this statement about "implementation specific attacks"
{QUOTE->
Malware author decides to cheat particular detector
It can for example:
Hook IRP communication between detector and its kernel agent.
“Exploit” design bug in the detector
Cheat by hooking UI functions! (Win32 message hooking)
Detect particular process (by signature scanning) and replace it with own version – which looks the same but reports clear system
etc…
<-QUOTE}
{QUOTE-> Let’s say it aloud: they are ugly and stupid!
They cause people start asking existential questions (what’s the sense of all of this?!)
Such attacks are always possible against a particular program (even if the detector has no bugs) – so don’t confuse with bugs exploitation (Buffer Overflows and so) <-QUOTE}
{QUOTE-> The more (various) detectors exist on the market the less profitable such attacks are for the malware authors
Now the attacker starts acting just like his fellows from AV companies ;)
OMCD aims to stimulate more various tools to be created
For commercial tools: make use of the update feature to constantly introduce small changes into detector (communication interface, UI, exec signatures, etc…). This could be automated, but the program for doing this should be kept private by the company. <-QUOTE}
controler
October 11th, 2005, 06:50 PM
deviladvocate ?
Have you tried this new command line program by Johanna? If so what do you think?
controler
Devinco
October 11th, 2005, 07:09 PM
Do you think geniuses from both sides could get together and write a new Rootkit version of Windows that would actually work like it should and be secure?
Naaah.....Forgettaboutit....this is so much more fun! ;D
controler
October 11th, 2005, 07:28 PM
Devinco ?
ah yes it is way too much fun
It is all about the money , right?
Rest assured MS has some.
controler
toploader
October 11th, 2005, 07:35 PM
users of unix and mac don't know what they are missing - they lead such quiet uneventful lives
the whole world of hacking is weird - the black hats and white hats regularly get together to share ideas. can you imagine the police and the criminals getting together and sharing their strategies? ;D
hey crims we just figured out a new way of detecting you - wanna hear it?
yeah sure cop and we've got some new ways of avoiding detection wanna know?
deviladvocate
October 12th, 2005, 04:05 AM
{QUOTE-> deviladvocate ?
Have you tried this new command line program by Johanna? If so what do you think?
controler <-QUOTE}
I think everyone should try it. They will be surprised at what they find on their systems...
deviladvocate
October 12th, 2005, 05:08 AM
{QUOTE-> users of unix and mac don't know what they are missing - they lead such quiet uneventful lives
<-QUOTE}
Rootkits are actually from the unix world and until recently, they were way more advanced, not sure if it's true today.
controler
October 12th, 2005, 07:38 AM
I gave it a try. Service table redirection detected
warning level 2 ( yellow)
I don't know if you tried running it twice but I get loading driver error code = 0x422 on my VM test box.
controler
deviladvocate
October 12th, 2005, 07:43 AM
{QUOTE-> I gave it a try. Service table redirection detected
warning level 2 ( yellow)
<-QUOTE}
Interesting. What software are you running that might do that?
{QUOTE->
I don't know if you tried running it twice but I get loading driver error code = 0x422 on my VM test box.
controler <-QUOTE}
Possible conflict with vmware I think.
controler
October 12th, 2005, 07:48 AM
That is what I thought also on the driver thing. Running MS shared computer toolkit on this box and VMware on my other.
I knew Johanna had done some work on VMWare in the past. Don't think she has messed with MS's toolkit though.
Only security software I am running on this box is KIS beta.
It's proactiveness does ask to allow the driver the first time. To get it to work twice on here, I have to reboot though.
controler
deviladvocate
October 12th, 2005, 07:57 AM
Actually I'm pretty sure I'm rooted, I got a warning level 4. (red)! :)
There's a small chance it's mistaken because of all the other security software I run that does all sorts of kernel hooking, but it's supposed to have some intelligence at telling the difference but maybe some of the good guys are hidden maybe..
I'm going to uninstall all the security software, I think that might relate, and test again to see if it makes a difference. Unless someone else can confirm.
controler
October 12th, 2005, 08:22 AM
Are you going to rerun it after each program to see which one is causing it?
Did you only use the command vss check without any other switches?
well, hi ho hi ho it's off to work I go. I will try more later.
DA ? you can always write to johanna and ask her opinion.
controler
deviladvocate
October 12th, 2005, 08:29 AM
{QUOTE-> Are you going to rerun it after each program to see which one is causing it?
<-QUOTE}
Yes definitely. Of course, there's a chance none of them are.....
{QUOTE->
Did you only use the command vss check without any other switches?
<-QUOTE}
the m switch shows the details, but they are beyond me.
{QUOTE->
DA ? you can always write to johanna and ask her opinion.
controler <-QUOTE}
Nah, I'm too shy. Don't want to waste her time.
controler
October 12th, 2005, 08:13 PM
Oh come on don't be a chicken. She says she tries to answer all e-mail.
Unless it is tagged spam, which could occur if you remain anonymous. LOL
Time to come out of the closet DA......................
controler
nick s
October 12th, 2005, 10:20 PM
SVV appears to work on my VMware W2K...
C:\svv>svv
System Virginity Verifier 1.0 (public), September 2005
written by Joanna Rutkowska
http://invisiblethings.org
svv <command> [options] [/l <altKernelModuleName>]
command is one of the following:
check - check system virginity
fix - try to fix suspected modifications (disinfection)
following options are supported:
/a verify ALL modules (may cause false positives)
/m show details about modifications
/c show also clean modules
/d leave driver after finished
/t <n> fix to target verdict level = n (valid for fix command)
C:\svv>svv check /a
audstub.sys (f41eb000 - f41ec000)... error code = 0x490
Null.SYS (f4200000 - f4201000)... error code = 0x490
dump_diskdump.sys (bfde1000 - bfde5000)... Image file not found!
dump_vmscsi.sys (bfdd9000 - bfddc000)... Image file not found!
SYSTEM INFECTION LEVEL: 1
0 - BLUE
--> 1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED
Nothing suspected was detected.
...but stops quickly with this error on XP SP2, virtual or not, clean install or not:
C:\svv>svv check /a
Following important modules cannot be found:
ntoskrnl.exe
ERROR (code = 0x2): Important modules not found
Nick
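The svv transcript above has a fixed shape: one "<module> (<base> - <end>)..." entry per checked module (sometimes several run together on one line), an optional verdict after each, the SYSTEM INFECTION LEVEL line with its colour table, or an ERROR line when the tool aborts. A small parser makes it easy to keep a record of each run and compare runs after disabling one security product at a time, which is what the thread is doing by hand. The following Python is an added example, not part of the thread and not code from SVV or its author; the two sample transcripts are constructed from the output posted here, and the parser only records the error codes it sees (the meaning of a code such as 0x490 is not documented in the thread, so nothing here interprets it).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the "svv check /a" output posted in this thread.
SAMPLE_OUTPUT = r"""C:\svv>svv check /a
ntoskrnl.exe (804d7000 - 806eb100)... Null.SYS (f9b2f000 - f9b30000)... error code = 0x490
mnmdd.SYS (f9a50000 - f9a52000)... error code = 0x490
dump_atapi.sys (f46b0000 - f46c8000)... Image file not found!
SYSTEM INFECTION LEVEL: 2
0 - BLUE
1 - GREEN
--> 2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED
Nothing suspected was detected.
"""

# Constructed sample of the abort several XP SP2 users reported in the thread.
SAMPLE_ABORT = """Following important modules cannot be found:
ntoskrnl.exe
ERROR (code = 0x2): Important modules not found
"""

LEVEL_NAMES = {0: "BLUE", 1: "GREEN", 2: "YELLOW", 3: "ORANGE", 4: "RED", 5: "DEEPRED"}

# "<module> (<base> - <end>)..." as svv prints it; several may share one line.
MODULE_RE = re.compile(r"(\S+) \(([0-9a-fA-F]+) - ([0-9a-fA-F]+)\)\.\.\.")
LEVEL_RE = re.compile(r"SYSTEM INFECTION LEVEL:\s*(\d)")
ERROR_CODE_RE = re.compile(r"error code = (0x[0-9a-fA-F]+)")
FATAL_RE = re.compile(r"^ERROR \(code = 0x[0-9a-fA-F]+\):.*$")


@dataclass
class ModuleEntry:
    name: str
    base: int
    end: int
    message: str  # text svv printed after the module, '' when there was none

    @property
    def size(self) -> int:
        return self.end - self.base

    @property
    def error_code(self) -> Optional[str]:
        m = ERROR_CODE_RE.search(self.message)
        return m.group(1) if m else None

    @property
    def image_missing(self) -> bool:
        return "Image file not found" in self.message


@dataclass
class SvvReport:
    modules: List[ModuleEntry] = field(default_factory=list)
    level: Optional[int] = None   # None when svv aborted before giving a verdict
    fatal: Optional[str] = None   # the ERROR line, if the run aborted

    @property
    def level_name(self) -> Optional[str]:
        return LEVEL_NAMES.get(self.level) if self.level is not None else None

    def with_error_code(self) -> List[str]:
        return [m.name for m in self.modules if m.error_code]

    def missing_images(self) -> List[str]:
        return [m.name for m in self.modules if m.image_missing]


def parse_svv_output(text: str) -> SvvReport:
    """Turn the console transcript of 'svv check' into a structured report."""
    report = SvvReport()
    for line in text.splitlines():
        matches = list(MODULE_RE.finditer(line))
        for i, m in enumerate(matches):
            # A module's verdict is whatever follows it up to the next module entry
            # on the same line (svv printed some entries without a newline between).
            stop = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            report.modules.append(
                ModuleEntry(m.group(1), int(m.group(2), 16), int(m.group(3), 16),
                            line[m.end():stop].strip())
            )
        lvl = LEVEL_RE.search(line)
        if lvl:
            report.level = int(lvl.group(1))
        if FATAL_RE.match(line.strip()):
            report.fatal = line.strip()
    return report


if __name__ == "__main__":
    rep = parse_svv_output(SAMPLE_OUTPUT)
    print(f"level {rep.level} ({rep.level_name})")
    for mod in rep.modules:
        print(f"{mod.name:20} {mod.size:8d} bytes  {mod.message or 'ok'}")
```

Saving `svv check /a > run1.txt` before and after uninstalling a product and diffing the two parsed reports shows exactly which modules changed verdict, rather than just whether the colour moved.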
controler
October 12th, 2005, 11:05 PM
Johanna put out a program a few months ago and none here commented on it.
Guessing the same goes here.
Now some are even saying it IS a rootkit.
controler
nick s
October 12th, 2005, 11:23 PM
{QUOTE-> Johanna put out a program a few months ago and none here commented on it.
Guessing the same goes here. <-QUOTE}
I believe that was FLISTER, which does work well.
{QUOTE-> Now some are even saying it IS a rootkit. <-QUOTE}
Maybe it's because these apps install drivers, or maybe it's just fear of the command line. I ran IceSword 1.12 today on an infected machine, and McAfee blocked it as a trojan...
(that's right, McAfee was running on the infected machine)
Nick
deviladvocate
October 13th, 2005, 03:32 AM
{QUOTE-> Johanna put out a program a few months ago and none here commented on it.
Guessing the same goes here.
controler <-QUOTE}
Command line tools are not popular here. They look dangerous and hackerish.
Nick, I don't get the error you get.
controler
October 13th, 2005, 04:44 AM
Boclean was flagging the older IceSword also. Kevin took a peek at it and I think it was flagged for using a piece of other hacker code. He did say they weren't doing anything bad though.
Ah yes command line tools. That is all I knew when first using computers.
Back in the day when we thought chkdsk compared files bit for bit.;D
and all we had was basic programming language and batch files. Computer science was Cobol and Fortran LOL
controler
TNT
October 13th, 2005, 07:54 AM
{QUOTE-> Rootkits are actually from the unix world and until recently, they were way more advanced, not sure if it's true today. <-QUOTE}I'm pretty sure UNIX rootkits are still much more complex than their Windows counterparts. They have been around, like... forever...
lotuseclat79
October 13th, 2005, 11:47 AM
{QUOTE-> SVV appears to work on my VMware W2K...
...[deleted]
...but stops quickly with this error on XP SP2, virtual or not, clean install or not:
C:\svv>svv check /a
Following important modules cannot be found:
ntoskrnl.exe
ERROR (code = 0x2): Important modules not found
Nick <-QUOTE}
Hi Nick,
ntoskrnl.exe locations for WinXP Pro SP2:
C:\Windows\$NTUninstallKB890859$
C:\Windows\system32
C:\Windows\Driver Cache\i386
C:\Windows\$hf_mig$\KB890859\SP2QFE
-- Tom
deviladvocate
October 13th, 2005, 11:55 AM
{QUOTE-> Are you going to rerun it after each program to see which one is causing it?
controler <-QUOTE}
I'm an idiot. I installed about half the apps (including almost all protection software) on my box with no difference, until it hit me. Blindingly obvious, once I realised what was causing the problem.
Okay so I'm not rooted (probably).
TonyW
October 13th, 2005, 11:59 AM
{QUOTE-> "In a sense, direct attack against rootkit detectors requires that the rootkits update themselves faster than the detectors. This is not always possible: F-Secure Internet Security 2006 contains a feature to automatically update it's BlackLight engine through anti-virus updates."
I suspect automatic updates will soon be on the Golden Hacker Defender wish list (and price list)... <-QUOTE}It seems like there'll always be a cat & mouse scenario between the two sides. As if anybody hasn't got better things to do with their time. :o
Longboard
October 19th, 2005, 11:05 AM
Well, well..
Here I am stumbling around with these apps:
Have run SVV and been given 3 DEEP RED warnings!!
Have run Ice Sword and it shows up a couple of RED entries in the SSdt lists!
Now What?
Have scanned with RKDetector:Clear
Rootkit Revealer: Clear
UnHackMe: Clear.
F-secure: Clear
All AV scans clear including KAV online scan.
Have googled unsuccessfully to try and find out about SVV and I-S entries with no real success.
Having fun so far but having expected a "clean" report from both, am Now wondering what I may have stepped in!
Any help please
Regards
deviladvocate
October 20th, 2005, 08:01 AM
wow longbeard, it looks like you are in trouble.
I can help you rule out if it is a false positive if you post more details. In particular the name of the file in the SSDT section of IceSword that is in red.
kareldjag
October 20th, 2005, 01:50 PM
Hi Longboard,
It seems that the more rootkit detectors there are, the more users are afraid of rootkits...
HackerDefender is the most used in the wild.
And UnHackMe is quite good for detection of most usual rootkits (not paid ones).
If you use IceSword, any hidden process is marked and shown in red (see the image).
For SVV, you're really infected if the level is 5.
3 does not mean that you're infected by a rootkit, because some legitimate programs use hook modules (AV, HIPS etc).
kareldjag
October 20th, 2005, 01:53 PM
The SSDT just shows files integrated in the Kernel.
It's often the case for products which work at a low level such as ProcessGuard, AntiHook, Samurai, SandBoxie (see the image) and so on.
It's not an indication of a rootkit infection.
kareldjag
October 20th, 2005, 01:56 PM
And if you're really infected by a rootkit and if you know the name of the hidden service, then various Windows commands can be used against the rootkit:
SC DELETE, NET STOP and so on...
Regards
da3256
October 21st, 2005, 08:09 AM
{QUOTE-> Hi Longboard,
It seems that the more rootkit detectors there are, the more users are afraid of rootkits... <-QUOTE}
Yes, sadly we are all not as knowledgeable as you.
{QUOTE->
For SVV, you're really infected if the level is 5.
3 does not mean that you're infected by a rootkit, because some legitimate programs use hook modules (AV, HIPS etc). <-QUOTE}
I got a warning level 4 which is RED. Supposedly the system is most probably infected, because the module file causing this is hidden. Turned out it was caused by Daemon Tools, the very same entry that appears in Rootkit Revealer. So in my book this isn't a false positive. After removing that, I got a warning level 2.
Longbeard does seem to be screwed, since SVV gives him a warning level 5 which is Deepred.
His icesword results look clean though. It's showing processguard and Kerio 4 hooking.
Longboard
October 23rd, 2005, 02:12 AM
OK guys
Lets see what I've got:o
Ice Sword process monitor shows nothing hidden.
See attached for SSdt monitor and SVV Level 5 detection.
SVV image had to be uploaded separately
Regards
(with breath held)
Longboard
October 23rd, 2005, 02:14 AM
Here is the SVV screen.
Note the first time I ran SVV I got two Deep Reds and three Level 2 detections.
?FPs
Regards
(still holding breath)
Longboard
October 23rd, 2005, 06:43 AM
OOps
just ran the module checker
See attached for results.
If it makes any difference I am working off a restored Ghost image at the moment
Regards
(getting very blue in the face)
controler
October 23rd, 2005, 12:54 PM
Long board?
are you using Anti-Keylogger? That will show as an unknown in IceSword.
Have you tried dropping to command prompt and typing DIR/S and saving that to a text file. Then booting from a BartPE CD and doing another DIR/S and saving that to a txt file, then using a file compare program to compare those two txt files?
kareldjag? doesn't the SSDT also show drivers besides programs?
controler
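The comparison controler suggests above, a `DIR /S` taken on the running system against one taken after booting from a BartPE CD, is a cross-view check: a rootkit that hides files by hooking the live system's file APIs cannot hide them from a separate boot, so anything the offline listing shows and the live listing lacks deserves a look. The script below automates the compare step; it is an added example in Python, not from the thread or from any tool named in it. It assumes the English Windows XP `dir /s` output format, the two listings are constructed, the drive letters (C: live, D: under BartPE) and the name hidden_example.sys are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed listings in the format "dir /s" prints on Windows XP.  The live
# system sees the disk as C:; the BartPE boot (offline listing) sees it as D:.
# hidden_example.sys is a placeholder for a file the live system does not show.
LIVE_LISTING = r""" Volume in drive C has no label.
 Volume Serial Number is 1C2D-3E4F

 Directory of C:\WINDOWS\system32

08/04/2004  12:00 PM           577,024 ntoskrnl.exe
08/04/2004  12:00 PM             2,944 Null.SYS
10/12/2005  07:38 AM    <DIR>          drivers
               2 File(s)        579,968 bytes

 Directory of C:\WINDOWS\system32\drivers

08/04/2004  12:00 PM            95,360 atapi.sys
               1 File(s)         95,360 bytes

     Total Files Listed:
               3 File(s)        675,328 bytes
"""

OFFLINE_LISTING = r""" Volume in drive D has no label.

 Directory of D:\WINDOWS\system32

08/04/2004  12:00 PM           577,024 ntoskrnl.exe
08/04/2004  12:00 PM             2,944 Null.SYS
10/12/2005  07:38 AM    <DIR>          drivers
               2 File(s)        579,968 bytes

 Directory of D:\WINDOWS\system32\drivers

08/04/2004  12:00 PM            95,360 atapi.sys
10/11/2005  01:03 AM            28,672 hidden_example.sys
               2 File(s)        124,032 bytes
"""

DIR_HEADER_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date  time  (<DIR> | size with thousands separators)  name
ENTRY_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s*[AP]M\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")


def normalize_path(path: str) -> str:
    """Drop the drive letter, surrounding backslashes and case so the same volume
    compares equal whether it was listed as C: (live) or D: (BartPE)."""
    return re.sub(r"^[A-Za-z]:", "", path).strip("\\").lower()


def parse_dir_listing(text: str) -> Dict[str, Optional[int]]:
    """Map normalized relative path -> size in bytes (None for directories)."""
    entries: Dict[str, Optional[int]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current = normalize_path(header.group(1))
            continue
        entry = ENTRY_RE.match(line)
        if entry is None or current is None:
            continue
        size_field, name = entry.groups()
        if name in (".", ".."):
            continue
        size = None if size_field == "<DIR>" else int(size_field.replace(",", ""))
        rel = f"{current}\\{name}" if current else name
        entries[rel.lower()] = size
    return entries


def compare_listings(live: Dict[str, Optional[int]],
                     offline: Dict[str, Optional[int]]) -> Dict[str, List[str]]:
    """Entries the offline (trusted) boot sees but the live system does not are the
    interesting ones.  The other two buckets catch normal churn (pagefile, temp
    files, logs) and files whose reported size differs between the two views."""
    return {
        "hidden_from_live": sorted(p for p in offline if p not in live),
        "only_in_live": sorted(p for p in live if p not in offline),
        "size_mismatch": sorted(p for p in live if p in offline and live[p] != offline[p]),
    }


def compare_dir_outputs(live_text: str, offline_text: str) -> Dict[str, List[str]]:
    return compare_listings(parse_dir_listing(live_text), parse_dir_listing(offline_text))


if __name__ == "__main__":
    for bucket, paths in compare_dir_outputs(LIVE_LISTING, OFFLINE_LISTING).items():
        print(bucket, paths or "-")
```

In practice the two listings go to text files (`dir /s c:\ > live.txt`, then the same from the BartPE prompt), and the "hidden_from_live" bucket is a list to review by hand, not a verdict: files written between the two runs and paths the live user lacks rights to list will show up there too, and the offline view is only as trustworthy as the boot media.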
Tom772
October 23rd, 2005, 09:49 PM
Hi guys, sorry to hijack this thread but while I was trying to use SVV, I got this error similar to Nick's:
C:\svv>svv check /a
Following important modules cannot be found:
ntoskrnl.exe
ERROR (code = 0x2): Important modules not found
I was wondering is there a way to fix this error and get the program to work on my comp? I would be really grateful for any help,
Regards Tom
Longboard
October 24th, 2005, 02:10 AM
Controler:
LOL
Thank you for your suggestions
I am not even sure what language you are using!
Humble home user here
Point and click and a little extra.
I ran the SVV using your point by point instructions for cmd line in the other thread.
I was hoping some one might be able to interpret the scan findings!!
I will probably try Windiff. Only problem will be whether I can understand that!
Well out of depth here:o
? will SVV +/- IS become the new HJT?
Us newbs better steer clear for a while.
Regards
controler
October 24th, 2005, 07:38 AM
Tom ? did you get that error the first time you run SVV or on a second try?
I found on my VM machine, I can only run it once and then I have to reboot to run it again.
Longboard?
I think the not too distant future rootkit detectors will use a boot disk as part of
the detection and removal. There is some interesting things in the works ;)
I think detection is important but believe prevention is the real way to go.
Unless a programmer can assure the home user that the rootkit was cleaned and there are no stability problems after, I think the only way to go right now is to reformat. Microsoft's Mike Danseglio explains why in his presentation webcast.
If you look at old threads here on rootkits, some of us posters were shunned for speaking of them, saying oh they do not exist that much in the wild etc.
Now they ARE being used by adware, spyware etc. companies which IS big business and some script kiddy in his room after school. We were accused of scare mongering.
Even back before that I not only preached reformatting but also said I usually reflash my BIOS at the same time.
If you watch Mike's webcast, you will see he talks about the rootkits that hide in RAM such as a video card. In this case you would have to reflash your video card memory also before format.
Mike tells of all the support calls Microsoft gets each week from IT people that are infected with a rootkit. His advice to them is to nuke the hard drive
and explains why.
For those that have not watched the webcast, I highly suggest it and also should read an article by Jamie.
http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx
http://www.phrack.org/show.php?p=63&a=8
controler
Tom772
October 24th, 2005, 03:20 PM
{QUOTE-> Tom ? did you get that error the first time you run SVV or on a second try?
I found on my VM machine, I can only run it once and then I have to reboot to run it again.
Longboard?
I think the not too distant future rootkit detectors will use a boot disk as part of
the detection and removal. There is some interesting things in the works ;)
I think detection is important but believe prevention is the real way to go.
Unless a programmer can assure the home user that the rootkit was cleaned and there are no stability problems after, I think the only way to go right now is to reformat. Microsoft's Mike Danseglio explains why in his presentation webcast.
If you look at old threads here on rootkits, some of us posters were shunned for speaking of them, saying oh they do not exist that much in the wild etc.
Now they ARE being used by adware, spyware etc. companies which IS big business and some script kiddy in his room after school. We were accused of scare mongering.
Even back before that I not only preached reformatting but also said I usually reflash my BIOS at the same time.
If you watch Mike's webcast, you will see he talks about the rootkits that hide in RAM such as a video card. In this case you would have to reflash your video card memory also before format.
Mike tells of all the support calls Microsoft gets each week from IT people that are infected with a rootkit. His advice to them is to nuke the hard drive
and explains why.
For those that have not watched the webcast, I highly suggest it and also should read an article by Jamie.
http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx
http://www.phrack.org/show.php?p=63&a=8
controler <-QUOTE}
Hi controler, The first time I tried to run SVV I got that error, so I tried it again and the same thing happened. I then put it in the system32 folder then ran it and got an error that said it couldn't load a driver, so not sure what to do! If you have any suggestions, I'm running XP Pro/Home SP2
Regards Tom
controler
October 24th, 2005, 07:48 PM
Tom
You could try running it from your desktop. Maybe the program is not meant to run from the C:/ root DIR.
Give it a try and also are you running other security software at the same time such as PG ect?
controler
controler
October 24th, 2005, 07:50 PM
As DA mentioned Johanna doesn't seem to care too much about Wilders or she would post I would think. Guess she has her special little spot on the net where she only posts.
controler
Tom772
October 25th, 2005, 11:23 AM
{QUOTE-> Tom
You could try running it from your desktop. Maybe the program is not meant to run from the C:/ root DIR.
Give it a try and also are you running other security software at the same time such as PG ect?
controler <-QUOTE}Thanks controller, didn't think about PG. I will give it a try, I'm pretty sure I'm clean but I was interested in trying it out and seeing what it showed. Thank you very much for your help,
T
Tom772
October 25th, 2005, 11:36 AM
{QUOTE-> Thanks controller, didn't think about PG. I will give it a try, I'm pretty sure I'm clean but I was interested in trying it out and seeing what it showed. Thank you very much for your help,
T <-QUOTE}Hi controller, I disabled PG and this is what I got:
C:\>svv check /a
ntoskrnl.exe (804d7000 - 806eb100)... Null.SYS (f9b2f000 - f9b30000)... error code = 0x490
mnmdd.SYS (f9a50000 - f9a52000)... error code = 0x490
RDPCDD.sys (f9a52000 - f9a54000)... error code = 0x490
dump_atapi.sys (f46b0000 - f46c8000)... Image file not found!
dump_WMILIB.SYS (f9a84000 - f9a86000)... Image file not found!
SYSTEM INFECTION LEVEL: 2
0 - BLUE
1 - GREEN
--> 2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED
Nothing suspected was detected.
Regards T
deviladvocate
October 25th, 2005, 11:38 AM
{QUOTE-> As DA mentioned Johanna doesn't seem to care too much about Wilders or she would post I would think. Guess she has her special little spot on the net where she only posts.
controler <-QUOTE}
Pretty typical really. The really skilled people seldom want to waste their time posting in the backwaters of a mere 'user forum', unless there is some commercial interest at play.
Longboard
November 5th, 2005, 06:27 AM
Just wondering...
Did anybody get a chance to look at the results of my IS and SVV scans?
Any comments?
Regards
T772
November 5th, 2005, 09:35 PM
{QUOTE-> Just wondering...
Did anybody get a chance to look at the results of my IS and SVV scans?
Any comments?
Regards <-QUOTE}Hi ,
What I have found with SVV is if you are running PG free or paid you can't run SVV, but if you uninstall it you get a rating of yellow. Also if you install Spyware Doctor you get a rating of deepred in SVV due to the kernel being modified?,
Just thought i would let people know,
T
controler
November 6th, 2005, 10:25 PM
Longboard, Are you running Kaspersky's Suite?
controler
23rwef
November 7th, 2005, 12:27 AM
{QUOTE->
If you use IceSword, any hidden process is marked and shown in red (see the image).
<-QUOTE}are any of these rootkits?
http://img387.imageshack.us/img387/6559/root6ti.jpg
Paranoid2000
November 7th, 2005, 12:51 AM
{QUOTE-> are any of these rootkits?
http://img387.imageshack.us/img387/6559/root6ti.jpg <-QUOTE}Assuming you have Process Guard (procguard.sys), RegDefend (ghostsec.sys) and PrevX (pxfsf.sys) installed, no.
Longboard
November 7th, 2005, 03:00 AM
@Controler: No
Regards.
Mrkvonic
November 7th, 2005, 07:56 AM
Hello,
I tried these little tools on a machine I personally formatted and installed from scratch. Installed all updates blah blah etc ... tons of security etc ... I get the deep red code using svv. Among others:
ntoskrnl.exe code 4
kernel32.dll code 5
Well, what can I say? Not everything must be bad...
I believe these results, but I do not think the findings are bad. I would suggest all of us who cannot instantly translate A4F into decimal to let these fears rest. Rootkit tools, the entire army of them (svv, is, blacklight, unhackme etc) are too ambiguous to use everyday. And playing with these tools is dangerous. Deleting kernel modules is not a healthy thing. It's not like removing a simple file from some folder you think might be infected.
To all guys who have gotten "bad" results:
Ask yourself what you do with your computers? Do you really think you're infected? Does it sound logical that you would be infected with rootkit and nothing else at all? With all the security precautions and software you use, only a tiny tiny rootkit somewhere in there? Don't let paranoia haunt you.
One more thing:
If someone really wants to test these tools:
Format a machine, set it up from a cd-rom with burned software, including all your favorites. Update windows only and all other security applications to the max. Don't surf at all except the single visit to microsoft update. Then run these tools. It could be interesting.
Mrk
controler
November 7th, 2005, 10:32 AM
{QUOTE-> Originally Posted by 23rwef
are any of these rootkits? <-QUOTE}
Don't all those security apps work at a kernel hooking level?
Now you have 3 hooking the kernel. I wonder how stable that is?
If you are going to run these new rootkit tests, you need to disable PG, Prevx & RegDefend. You need to disable any other apps working at the kernel level.
controler
kareldjag
November 7th, 2005, 05:43 PM
Hi,
Just a bit of information about how to use IceSword to detect a rootkit:
-launch it from external drives (floppy disk, CD-ROM and so on);
-launch MSCONFIG and check the last box (any unnecessary service and program will be disabled), and reboot the PC;
-take a look firstly at Win32Services (see the image attached) and processes.
Then it can be suited to investigate the registry (HKLM\SYSTEM\ControlSet001\Services) and kernel modules (to detect a suspect or unknown driver).
Longboard and 23rwef are concentrating only on the SSDT, but many legitimate programs operate at a low level and use kernel drivers.
Consequently, this is not the most important.
If we use for instance a tool like SDTRestore ( http://www.security.org.sg/code/sdtrestore.html ), we can fix SSDT entries for most programs (then will not be shown in red by IceSword).
For the Longboard problem, perhaps there's an incomplete uninstallation of an ISS Scanner (the driver has the same name).
SDTRestore can also be used in this case.
But with SVV, the most important result concerns EnumServiceStatus, which can be a sign of a hidden service.
The best defense against rootkits is PREVENTION.
Once one is detected, it's often too late: bad things are probably already done...
I've finished an article about "Rootkit free countermeasures" with examples of detection and prevention that I'll link here if members are interested.
Regards
kareldjag
November 7th, 2005, 05:47 PM
Perhaps with this link
http://idata.over-blog.com/0/03/91/26/septembre/artrtkt/hdserv.jpg
regards
controler
November 7th, 2005, 05:57 PM
kareldjag's
Nice read but your second link doesn't work for some reason.
controler
Rmus
November 7th, 2005, 06:13 PM
{QUOTE-> The best defense against rootkits is PREVENTION. <-QUOTE}http://www.rsjones.net/img/guard1.jpg
{QUOTE-> I've finished an article about "Rootkit free countearmesures" with examples of detection and prevention that i 'll link here if members are interested. <-QUOTE}Please do!
regards,
-rich
________________
~~Be ALERT!!! ~~
controler
November 7th, 2005, 06:26 PM
Oh yes I am excited to read your article as always ;D
would be good for the readers here. ;)
controler
StevieO
November 8th, 2005, 01:40 AM
Hi kareldjag,
Yes i'm really looking forward to your Rootkit free countermeasures article too.
I value your research and website highly.
I DL'd the 2 SDTRestore apps from the link you gave, but Version 0.2 made my AV kick in? I uploaded to Jotti's and here's a combo screen shot of both results.
http://img482.imageshack.us/img482/568/sdttrojan0oc.png
I wonder if you know whether it's an FP ? as i'm presuming it is !
StevieO
shortbored
November 8th, 2005, 06:49 AM
This thread gets more and more interesting.
Looking forward to K'djags article/review
Forgive my ignorance...
To use the SSDT patch utility do all other apps need to be switched off?
What if the app "repairs" a legitimate hook.
Will that not disrupt the other app which would have required that particular hook?
Regards
Longboard
November 8th, 2005, 06:56 AM
Umm;
What is an ISS scanner?
Regards
StevieO
November 11th, 2005, 03:42 AM
Hi Longboard,
Re your - What is an ISS scanner?
It might have been a typo and meant IS = IceSword
Or IDS = Intrusion Detection System
StevieO
Mrkvonic
November 11th, 2005, 04:52 AM
Hi,
ISS - internet sharing server.
Mrk
LBoRD
November 11th, 2005, 05:50 AM
No internet sharing enabled AFAIK
Ice Sword enabled and scanner run prior to SVV.
Regards
Mrkvonic
November 11th, 2005, 11:26 AM
{QUOTE-> No internet sharing enabled AFAIK
Ice Sword enabled and scanner run prior to SVV.
Regards <-QUOTE}
ISS is not ICS.
Internet Connection Sharing - home network.
Internet Sharing Server - you run server on your machine ...
Mrk
kareldjag
November 13th, 2005, 02:09 PM
Hi,
Sorry for the vagueness about ISS.
This is a well known security firm ( http://www.iss.net/ ) which provides products mostly intended to be used in a corporate environment (IPS/IDS, vulnerability scanner etc).
But this company is also well known by home users for the BlackIce firewall.
Then perhaps (never tried BlackIce) the ISS driver shown by IceSword is due to an incomplete uninstall of this product.
It is quite strange that IceSword does not locate the file.
Longboard can try some Windows commands such as:
-start + execute + "devmgmt.msc " + enter
Then enable the option "show hidden devices" on the "view" menu, and on the list of devices, click on non Plug and Play devices.
-start + execute + "verifier", then next + next to check for unsigned devices.
The first goal is to locate this driver on your system.
And if it can be found by Windows, this is probably not a rootkit.
For SDTRestore, this is not malware or even riskware.
If we check a leaktest like "leaktest" from GRC, it will also be detected by AVs.
It's just important to know exactly what this file does or does not do.
Controler, here again an attached image.
regards
34qwslkf
November 13th, 2005, 02:48 PM
{QUOTE-> I think everyone should try it. They will be surprised at what they find on their systems... <-QUOTE}
How do you get this to work? Is there a list of cmd lines published somewhere?
a$$backwords
November 13th, 2005, 03:12 PM
Me thinks some posters don't understand a lot of younger people have no clue over DOS commands.
I just love to see a lot of old timers are still using batch files LOL
here is an ATABOY.......
34qwslkf
November 13th, 2005, 03:51 PM
{QUOTE-> Me thinks some posters don't understand a lot of younger people have no clue over DOS commands.
I just love to see a lot of old timers are still using batch files LOL
here is an ATABOY....... <-QUOTE}Can I be an "older people" that's new to computers?
a$$backwords
November 13th, 2005, 04:04 PM
You sure can
I am guessing you spent more of your life living life than the rest of us who sit night and day in front of a computer. Well except during fishing season or deer hunting anyway.
a$$backwords
November 13th, 2005, 04:07 PM
In my younger life, I thought all that was important was,,, eating great food, Sex, Fishing and hunting, then something threw a new link in the chain. that was the damn internet.
So now all things revolve around, eating, sex, hunting , fishing and the internet.
Bigcantroler
November 13th, 2005, 05:42 PM
Wanna play hardware games?
Wanna play digital mania?
Let's look at hardware besides software k?
34qwslkf
November 14th, 2005, 12:51 AM
So no one can direct me to some command lines so I can try this thing? Please?
Longboard
November 14th, 2005, 04:25 AM
Here is cmd line access for running SVV (Courtesy of Controler)
In case some don't know much about the command line, here is a simple way to run it.
If you saved the folder to desktop and are lazy about typing like me, right click on it and rename it SVV.
Then go to Accessories, Command Prompt, and open the DOS window.
Type cd desktop\svv
type svv
you will then get a list of switches such as /a etc.
type svv check, or type svv check / followed by a switch such as a.
use a space after svv and before the switch, such as
svv(space)check(space)/a
Regards
Gavin - DiamondCS
November 24th, 2005, 11:35 PM
I can confirm having both Kerio 4 and PG causes a severe false alarm.
But this is only a tool which "detects hooking" afterall. It does not "detect malware" so please be careful with it.
I am surprised though, that it hasn't been tested on a known clean system with a few firewalls and programs like PG, then adjusted so it won't give such BIG RED WARNINGS about legitimate programs. It wouldn't take long to test and would then be a REALLY good tool, instead of one just causing confusion!