Golden Hacker Defender Game Over ?

Boclean was flagging the older IceSword also. Kevin took a peek at it and I think it was flagged for using a peice of other hacker code. He did say they weren't doing anything bad though.

Ah yes command line tools. That is all I knew when first using computers.
Back in the day when we thought chkdsk compared files bit for bit.
and all we had was basic programming language and batch files. Computer science was Cobol and Fortran LOL

controler

 

I'm pretty sure UNIX rootkits are still much more complex than their Windows counterparts. They have been around, like... forever...

 

Hi Nick,

ntoskrnl.exe locations for WinXP Pro SP2:
C:\Windows\$NTUninstallKB890859$
C:\Windows\system32
C:\Windows\Driver Cache\i386
C:\Windows\$hf_mig$\KB890859\SP2QFE

-- Tom

 

I'm a idiot. I installed about half the apps (including almost all protection software) on my box with no difference, until it hit me. Blinding obvious , once I realised what was causing the problem.

Okay so I'm not rooted (probably).

 

It seems like there'll always be a cat & mouse scenario between the two sides. As if anybody hasn't got better things to do with their time.

 

Well, well..
Here I am stumbling around with these apps:

Have run SVV and been given 3 DEEP RED warnings!!

Have run Ice Sword and it shows up a couple of RED entries in the SSdt lists!

Now What?

Have scanned with RKDetector:Clear
Rootkit Revealer: Clear
UnHackMe: Clear.
F-secure: Clear
All AV scans clear including KAV online scan.

Have googled unsuccessfuly to try and find out about SVV and I-S entries with no real success>

Having fun so far but having expected a "clean" report from both, am Now wondering what I may have stepped in!

Any help please

Regards

 

wow longbeard, it looks like you are in trouble.

I can help you rule out if it is a false positive if you post more details. In particulalr the name of file in the SSDT section of icesword that is in red.

 

Hi Longboard,

It seems that more there's rootkit detectors, and more users are afraid of rootkits...

HackerDefender is the most used in the wild.
And UnHackMe is quite good for detection of most usual rookits (not paid ones).

If you use IceSword, any hidden process is marked and shown in red (see the image).

For SVV, you're really infected if the level is 5.
3 does not mean that you're infected by a rootkit, because some legitimate programs use hook modules (AV, HIPS etc).

 

The SSDT just shows files integrated in the Kernel.
It's often the case for products that which work on a low-level such as ProcessGuard, AntiHook, Samurai, SandBoxie (see the image) and so on.
It's not an indication of a rootkit infection.

 

And if you're really infected by a rootkit and if you know the name of the hidden service, then various windows command can be used against the rootkit:
SC DELETE, NET STOP and so on...

Regards

 

Yes, sadly we are all not as knowledgable as you.

I got a warning level 4 which is RED. Supposedly the system is most probably infected, because the module file causing this is hidden. Turned out it was caused by Dameon tools, the very same entry that appears in rootkit revealer. So in my book this isn't a false positive. After removing that, I got a warning level 2.

Longbeard does seem to be screwed, since SVV gives him a warning level 5 which is Deepred.

His icesword results look clean though. It's showing processguard and Kerio 4 hooking.

 

OK guys

Lets see what I've got

Ice Sword process monitor shows nothing hidden.

See attached for SSdt monitor and SVV Level 5 detection.

SVV image had to be uploaded separately

Regards
(with breath held)

 

Here is the SVV screen.

Note the first time I ran SVV I got two Deep Reds and three Level 2 detections.

?FPs

Regards
(still holding breath)

 

OOps
just ran the module checker

See attached for results.

If it makes any difference I am working off a restored Ghost image at the moment

Regards
(getting very blue in the face)

 

Long board?

are you using Anti-Keylogger? That will show as an unknown in IceSword.
Have you tried dropping to command prompt and typing DIR/S and saving that to a text file. Then booting from a BartPE CD and doing another DIR/S and saving that to a txt file, then using a file compare program to compare those two txt files?

kareldjag? doesn't the SSDT also show drivers besides programs?

controler

 

HI guys, sorry to hijack this thread but while i was trying to use SVV, i got this error similar to nicks-->

C:\svv>svv check /a
Following important modules cannot be found:
ntoskrnl.exe

ERROR (code = 0x2): Important modules not found

I was wondering is there away to fix this error and get the program to work on my comp? i would be really greatful for any help,

Reagards Tom

 

Controler:
LOL
Thankyou for your suggestions

I am not even sure what language you are using!
Humble home user here
Point and click and a little extra.
I ran the SVV using your point by point instructions for cmd line in the other thread.

I was hoping some one might be able to interpret the scan findings!!
I will probably try Windiff. Only problem will be whether I can understand that!

Well out of depth here

? will SVV +/- IS become the new HJT?
Us newbs better steer clear for a while.

Regards

 

Tom ? did you get that error the first time you run SVV or on a second try?
I found on my VM machine, I can only run it once and then I have to reboot to run it again.

Longboard?

I think the not too distant future rootkit detectors will use a boot disk as part of
the detection and removal. There is some interesting things in the works

I think detection is important but believe prevention is the real way to go.

Unless a programmer can assure the home user that the rootkit was cleaned and there is no stability problems after, I think the only way to go right now is to reformat. Microsoft's Mike Danseglio, explains why in his presentation webcast.
If you look at old threads here on rootkits, some of us posters were shunned for speaking of them, saying oh they do not exist that much in the wild ect.
Now they ARE being used by adware,spyware ect companies which IS big buisness and some some script kiddy in his room after school. We were accused of ascre mongering.
Even back before that I not only preached reformating but also said I usualy reflash my BIOS at the same time.
If you watch Mike's webcast, you will see he talks about the rootkits that hide in RAM such as a video card. In this case you would have to reflash your video card memory also before format.
Mike tells of all the support calls Microsoft gets each week from IT people that are infected with a rootkit. His advice to them is to nuke the hard drive
and explains why.

For those that have not watched the webcast, I highly suggest it and also should read an article by Jamie.
http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx

http://www.phrack.org/show.php?p=63&a=8

controler

 

Hi controler, The first time i tried to run SVV I got that error, so i tried it again and the same thing happened. I then put it in system32 folder then ran it and got a error that said it couldn't load a driver, so not sure what to do! If you have any suggestions, im running XP Pro/Home SP2

Regards Tom

 

Tom

You could try running it from your desktop. Maybe the program is not ment to run from the C:/ root DIR.

Give it a try and also are you running other security software at the same time such as PG ect?

controler

 

AS Da mentioned Johanna doesn't seem to care to much about Wilders or she would post I would think. Guess she has her special little spot on the net where she only posts.

controler

 

Thanks controller, didnt think about PG> I will give it a try, i pretty sure im clean but i was interested in trying it out and seeing what it showed. Thank you very much for your help,

T

 

Hi controller, i disable PG and this is what i got;

C:\>svv check /a
ntoskrnl.exe (804d7000 - 806eb100)... Null.SYS (f9b2f000 - f
9b30000)... error code = 0x490
mnmdd.SYS (f9a50000 - f9a52000)... error code = 0x490
RDPCDD.sys (f9a52000 - f9a54000)... error code = 0x490
dump_atapi.sys (f46b0000 - f46c8000)... Image file not found!
dump_WMILIB.SYS (f9a84000 - f9a86000)... Image file not found!

SYSTEM INFECTION LEVEL: 2
0 - BLUE
1 - GREEN
--> 2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED
Nothing suspected was detected.

Regards T

 

Pretty typical really. The really skilled people seldom want to waste their time posting in the backwaters of a mere 'user forum', unless there is some commercial interest at play.

 

Just wondering...
Did anybody get achance to look at the results of my IS and SVV scans?

Any comments?

Regards