Rootkit Detection

Discussion in 'other security issues & news' started by cityman, Jul 25, 2005.

Thread Status:
Not open for further replies.
  1. cityman

    cityman Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    65
    Recently I used Sysinternals' RootkitRevealer. It found over 45,000 discrepancies.

    It is a bit too much. I did it twice under two different circumstances. Same result: many discrepancies. Can anyone please advise?

    I also used F-Secure BlackLight beta and no rootkits were found.

    I was going to use Samari also, but I'm still doing some research on it.

    I would use Process Guard but it only acts as a preventative. I was using TDS-3 with no problems found at all. However, since their announcement of non-support, I switched to Ewido.

    --
    My thinking is: I am over my head in analyzing the 45,000+ discrepancies, plus I really do not know this area. I do not have time to learn this.

    I think there might be an error in the program or something. 45,000 errors? I am extremely conscientious. I checked all my financial data and everything is the way it should be.

    I have Kaspersky AV, wireless ZoneAlarm, Spybot, Lavasoft Ad-Aware, SpySweeper as well as Ewido. This laptop is a single, non-networked computer and I use Firefox.
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    It's because of the ADS that Kaspersky 5.0's iStreams technology uses. Try UnHackMe instead; it will give you a detection (if there is something) instead of a lot of info where you need to know what to look for.

    Btw, which version did you use? 1.52 didn't show those 40000+ files that previous versions of RKR did. :)
     
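As an added example (not code from the thread or from any of the tools named in it), the following PowerShell script enumerates NTFS alternate data streams under a folder and groups them by stream name. When a rootkit scanner reports tens of thousands of "hidden" entries, one dominant stream name across ordinary files points to a legitimate product (such as an antivirus on-access cache) rather than per-file rootkit hiding. It assumes PowerShell 3.0 or later on an NTFS volume; `$Root` is an assumed parameter.

```powershell
# Added example, not from the original thread. Summarise alternate data streams
# under $Root so a flood of "hidden from Windows API" scanner entries can be
# attributed to a single stream name before it is treated as rootkit evidence.
param([string]$Root = 'C:\Windows')

$streams = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-Item -Stream * lists every stream on the file; ':$DATA' is the
        # ordinary file contents, so only the extra (alternate) streams are kept.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    }

if (-not $streams) {
    Write-Output "No alternate data streams found under $Root"
    return
}

# Count how many files carry each stream name. One name present on most files
# is the signature of a product that tags files, not of malware hiding data.
$byName = $streams | Group-Object -Property Stream | Sort-Object -Property Count -Descending
$byName | Select-Object Name, Count | Format-Table -AutoSize

# Show a sample of files carrying the most common stream so its owner can be identified.
$top = $byName[0].Name
Write-Output "Sample files carrying stream '$top':"
$streams | Where-Object { $_.Stream -eq $top } |
    Select-Object -First 10 FileName, Stream, Length |
    Format-Table -AutoSize
```

Run it against the same folder the scanner flagged; if nearly every flagged file carries the same stream name, compare that name with the documentation of installed security products before assuming a rootkit.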
  3. cityman

    cityman Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    65
    Thanks for the wonderful help about Kaspersky's stream technology. Much appreciated.

    I used the same version, the last version, twice (which is the latest; I downloaded it yesterday). I should have explained it more clearly. While RKR was scanning I was using many applications at the time, so when I saw the 45,000 detections I thought it was because the computer was "active". So the second time, while RKR was scanning, no programs were running. However, I still got the high detection count.

    I did use UnHackMe and 4 suspected rootkits were found. They were:

    winsock - Google Desktop Search Backup Before First Install
    winsock2 - Google Desktop Search Backup Before First Install
    winsock - Google Desktop Search Backup Before Last Install
    winsock2 - Google Desktop Search Backup Before Last Install

    I have no idea if they were really rootkits, but the name, Google, sort of assured me, so I marked them as false positives.

    I wonder what would have happened if I had deleted them? Any idea?

    Again, thanks for the help and the advice.

    cm
     