Rootkit Revealer V1.5 !!

Discussion in 'other anti-malware software' started by Hard Rocker, Jun 23, 2005.

Thread Status:
Not open for further replies.
  1. Hard Rocker

    Hard Rocker Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    258
    Location:
    Quebec, CANADA
    Hi, :)

    I upgraded to the 1.5 version of Rootkit Revealer last night & I've noticed a couple of differences as compared to the previous version.

    Firstly, I am no longer asked whether I want to run the newer version when it starts up to scan by WinPatrol or any other startup monitoring program. The previous version had a different .exe name each time a new scan was initiated.

    Also, with this version I can't access the help file menu from the program, as I could before, I keep getting an " Unable to open Help File " alert. However, it is possible to open the help file from the actual program file folder.

    I uninstalled and reinstalled the program using a different browser each time .... but these 2 issues have remained.

    Has anyone else encountered these problems ?

    HR :cool:
     
  2. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Re: RootkitRevealer V1.5 !!

    I haven't used Rootkit Revealer, HR....but your post gives me an opportunity to ask you a question about it. It's my understanding that this program will DETECT, but not actually remove rootkits....is that correct? What can you tell me basically about this product, and whether or not it is easy to use and understand, efficient and effective, etc., etc.?
     
  3. Hard Rocker

    Hard Rocker Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    258
    Location:
    Quebec, CANADA
    Hi, :)

    In all honesty, JR .... I have not had the program for very long. It is very easy to run once installed.

    However, interpreting the results is another story. With the 1.4 version I had only one detection (not a rootkit ... so I later found out). This detection was flagged as a data mismatch between Windows API and raw hive data.

    What this means (in normal layman's terms) is that while the RR scanner was running, a registry value changed ... which is normal for some legitimate programs (it was a Microsoft program that apparently does this continuously, so there was no rootkit). :D

    The new 1.5 version has made several more mismatch detections on top of the one stated above with 1.4 & although I have only looked at some of them ... they do NOT appear to be rootkits.

    The RR Help Menu explains how to interpret data mismatch detections ... but again ... speaking for myself I find all of this a bit too technical for my knowledge level of PC's at the moment. o_O

    I also have UnHackMe, which is very simple to use & BlackLight Beta, also very simple to use.

    These 2 programs inform me that my PC is rootkit free !!

    Frisk is another good program ... but more complicated to run. It also informs me that there are no rootkits installed.

    Getting back to my problems in my original posting ... I am hoping someone will respond as these differences between the 1.4 and 1.5 versions really concern me. :doubt:

    If you should decide to download version 1.5 ... please inform me if you experience either of the two issues I have mentioned. Even by P/M should you choose.

    I hope some of this information helps you !!

    HR :cool:
     
  4. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi JR

    You are right that rootkit revealer is only a detection tool, and will not remove the rootkit.

    Also, while it is easy to use (you just press scan), the return data from the scan is not easy to interpret...it does NOT return a 'Rootkit Detected' / 'No Rootkit Detected' message. Instead it uses the concept of comparing 'lists' of programs from different areas on your computer, with the idea that the way to detect rootkits (which try to hide their processes) is by comparing these lists and looking at the discrepancies (what is in one list but not in the other list)...it just gives you a readout of those discrepancies.

    F-Secure's BlackLight I understand returns a 'rootkit found/not found' message, but it's about to run out of beta (either June 30, or July 31, can't remember).

    edit : Beaten to the post :)
     
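    The cross-view idea described in the two posts above (the tool compares what the Windows API reports against what the raw on-disk structures contain and prints the discrepancies, and a value that changes while the scan runs shows up as a benign "data mismatch") can be sketched in a few lines. This is an added example written for this thread, not code from RootkitRevealer or Sysinternals; the views, paths and values are constructed placeholders, and the re-scan rule for separating churn from persistent discrepancies is an assumption about how a reader might triage the output, not the tool's own logic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str          # 'hidden_from_api' | 'visible_in_api_only' | 'data_mismatch'
    api_value: object
    raw_value: object

def compare_views(api_view, raw_view):
    """One cross-view pass: walk the union of paths seen by the high-level API
    and by the raw on-disk structures and report every difference."""
    found = []
    for path in sorted(set(api_view) | set(raw_view)):
        if path not in api_view:
            found.append(Discrepancy(path, 'hidden_from_api', None, raw_view[path]))
        elif path not in raw_view:
            found.append(Discrepancy(path, 'visible_in_api_only', api_view[path], None))
        elif api_view[path] != raw_view[path]:
            found.append(Discrepancy(path, 'data_mismatch', api_view[path], raw_view[path]))
    return found

def triage(pass1, pass2):
    """Assumed triage rule: re-scan and split pass-1 discrepancies into
    'persistent' (worth a look) and 'churn' (explained by the value changing
    while the scan ran). A data mismatch whose API value differs between the
    two passes is such churn; an entry hidden from the API in both passes is not."""
    api1, raw1 = pass1
    api2, raw2 = pass2
    second = {(d.path, d.kind) for d in compare_views(api2, raw2)}
    persistent, churn = [], []
    for d in compare_views(api1, raw1):
        transient = (d.path, d.kind) not in second or (
            d.kind == 'data_mismatch' and api1[d.path] != api2.get(d.path))
        (churn if transient else persistent).append(d)
    return persistent, churn

# Constructed sample views (placeholder paths and values, not real indicators).
CHURN = r'HKLM\SOFTWARE\Example\ConstantlyUpdatedValue'
HIDDEN = r'C:\WINDOWS\system32\drivers\example_hidden.sys'
API_1 = {r'HKLM\SOFTWARE\Example\Version': '1.5', CHURN: 'seed-0001',
         r'C:\WINDOWS\system32\notepad.exe': '2004-08-04 12:00'}
RAW_1 = {**API_1, CHURN: 'seed-0002', HIDDEN: '2005-06-20 03:14'}
API_2 = {**API_1, CHURN: 'seed-0003'}
RAW_2 = {**API_2, CHURN: 'seed-0004', HIDDEN: '2005-06-20 03:14'}

if __name__ == '__main__':
    keep, noise = triage((API_1, RAW_1), (API_2, RAW_2))
    for d in keep:
        print('INVESTIGATE', d.kind, d.path)
    for d in noise:
        print('churn      ', d.kind, d.path)
```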
  5. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    I do now have WinPatrol on my computer but version 1.5 still starts a random .exe process when you run it, this is a technique to avoid detection by rootkits. As to why WP does not alert you to it trying to run anymore, my best guess would be that the new version of RR is better about hiding itself while running, which is good because that means there is less of a chance for a rootkit to detect it running. As for the help file, mine opens fine from within the program, don't know why yours does not.
     
  6. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I think we are supposed to look for executables in a "Hidden from Windows API" discrepancy - especially if the timestamp is inconsistent. I'm guessing, as I'm guilty of only skimming over the interpretation section and from memory of former discussion.

    BTW, I have Prevx and process guard pop ups when starting the app. (allow driver install)
     
  7. Hard Rocker

    Hard Rocker Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    258
    Location:
    Quebec, CANADA
    Hi, :)

    I have now installed the 1.51 version of Rootkit Revealer & no longer have the .exe issue. WinPatrol alerts me each time RR starts up.

    The problem with the help menu remains. I have posted at the Sysinternals forum .... where I see other users have the same problem.

    I guess you are lucky Matt_Smi. ;)

    HR :cool:
     