Any good free programs to prevent rootkits?

Discussion in 'other anti-malware software' started by swinger10, Feb 27, 2005.

Thread Status:
Not open for further replies.
  1. Hi,

    Yes, early on they used only the Startup folder, after that the registry Run keys. Now they use services, drivers and a lot of other system holes.
    But they need to start automatically.
    It's important!
    It may be a hole in the Windows startup or an infected system file.
    This is an assured way to allow a virus to live on your computer.
    An infection via the network like Blaster is not effective, because the computer may simply be disconnected from the network.

    We need to control auto startup.

    Dmitry
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    I am trialing the new version of UnHackMe and received the following alert. How do I follow-up to determine whether this is a real rootkit or just a false positive? I do have ProcessGuard 3.0 installed with RootKit prevention. Thanks for the help.

    Rich
     

  3. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Make another scan with RootkitRevealer, which also detects aphex's rootkits.
    If the result is the same, you're really infected (it seems to be the case).

    So remove the service, registry entries (etc.) with UnHackMe.

    Make an audit (trojan scan, listening ports) of your system to see if there isn't a hidden backdoor.

    Good luck.

    Regards
     
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi richrf,

    Could be a false positive since the Start value is set to "3", which means manual startup (Registry entries for services). I would have expected it to start automatically. You could check to see whether or not the key is visible in regedit. If it is, check what the ImagePath value is.

    Nick
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi guys,

    Thanks for the help so far.

    I ran RootKitRevealer and it did not alert me to anything referring to this particular key. There were many other alerts concerning KAVICH ADS and one referring to a temp file in my local settings directory. But nothing indicating anything about this particular registry entry. That is why I was thinking it may be a FP.

    As Nick recommended, I searched the registry with regedit. The key was found as it is listed in the screen shot and the associated parameters were also as indicated in the screen shot. I did not find an ImagePath value.

    Any ideas about a next step? I did send the screen shot to Greatis. I am thinking that it is a new product and subject to FPs, as are most products that attempt to use some sort of heuristics to identify malware. What do you guys think?

    Thanks, as always, for your assistance.

    Rich
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I would first export and save the key (right-click, then export). Then delete it and reboot. If nothing breaks and you see no errors in your event logs, I would forget about it and wait for Greatis' response. If something does break, then just double-click the saved key to restore it. With no ImagePath value (path to an executable), I doubt you will have any problems.

    Nick
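    Checking a suspect service key the way nick s describes (decode the Start value, see whether an ImagePath exists) can also be done offline against the exported .reg file from the step above. The following is an added example, not code from the thread or from any tool mentioned in it; the sample export and the service named suspect are constructed.

```python
# Added example, not code from the thread: audit an exported .reg file of service keys
# offline, decoding the Start value and reporting whether an ImagePath is present.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Constructed sample export: a key with no ImagePath next to a normal driver entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\suspect]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Start"=dword:00000001
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,62,00,65,00,\
  65,00,70,00,2e,00,73,00,79,00,73,00,00,00
"""

def _decode_hex2(data):
    # hex(2) is REG_EXPAND_SZ stored as comma-separated UTF-16LE bytes
    raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")

def parse_reg_export(text):
    """Parse the subset of .reg syntax used by service keys: {key_path: {name: value}}."""
    keys, current = {}, None
    # regedit wraps long hex values with a trailing backslash; re-join those first
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif data.startswith("hex(2):"):
                keys[current][name] = _decode_hex2(data[7:])
            elif data.startswith('"'):
                keys[current][name] = data.strip('"')
    return keys

def audit_services(keys):
    """One finding per service key: decoded Start type and ImagePath (None if absent)."""
    findings = []
    for path, values in keys.items():
        _, sep, name = path.partition("\\Services\\")
        if not sep or "\\" in name:   # not a service key, or a subkey such as Parameters
            continue
        findings.append({"name": name,
                         "start": START_TYPES.get(values.get("Start"), "unknown"),
                         "image_path": values.get("ImagePath")})
    return findings
```

    A service key whose Start is manual and which has no ImagePath has nothing to launch, which matches nick's reasoning that such an entry is more likely a stale key or a false positive than a live rootkit.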
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi nick,

    Thanks for your recommendation. It seemed pretty safe to try out your idea, so I went ahead and saved/deleted the entry and rebooted. There do not seem to be any problems, and UnHackMe no longer alerts me with the message. I will let everyone know what type of response I get from Greatis. Thanks for your help.

    Rich
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Just as a final follow-up, I never heard back from Greatis on this possible FP. I have no idea why this registry entry was flagged and I doubt it was a real rootkit. I uninstalled UnHackme because of the lack of support. If anyone has any further comments concerning Greatis, UnHackme, and support, I would appreciate it. For now, I think that PG is probably enough protection and support from DiamondCS has always been excellent.
     
  9. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Hi Jason. Am I to take from this that PG already offers extreme protection against the installation in the first place?
     
  10. Arup

    Arup Guest

  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
  12. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Are rootkits not able to install on Win 9x? I notice all these applications that are hitting the scene, and not one of them works on Win 9x. Is this because they can't be detected generically on these OS's, or is it just that the authors can't be bothered coding a rootkit detector that's compatible with Win 9x? Or are the Win 9x OS's immune to rootkits? If Win 9x can have rootkits, then why are there no rootkit detectors for these OS's?

    muf
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Win9x/ME has no "kernel mode" like Win2K/XP/2K3 does - so every piece of malware on a Win9x/ME system is effectively a rootkit, able to amend Windows system files without restriction.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    But if you have a rootkit on a Win9X machine, will you be able to spot it? The only advanced tools that I know are TDS and TrojanHunter. And I didn't even know that the rootkits don't run on 9x. :)
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If the malware took appropriate steps to conceal itself on Windows 9x/ME, then the only sure way of finding it would be to start your system with a known clean setup (e.g. a write-protected boot floppy, Linux CD-ROM) and run a complete scan with that.

    Given Win9x/ME's decreasing popularity, it is less likely that someone would target these in such a way, but it is possible.
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That's Windows' kernel of course. ;) It just does not use the "kernel mode" (aka Ring 0) privilege level on CPUs to protect itself from "user mode" (Ring 3) programs - which is why an errant program can blue-screen a Win9x/ME system but not an NT/2K/XP one (drivers and services which run at ring 0 are another matter though).
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    But it's fair to say that most rootkits will make a Win9X crash a lot of the time? And there really aren't any tools (like F-Secure BlackLight) to spot them on Win9x?

    And btw, I was thinking that perhaps it's also possible to spot a rootkit on Win9X by monitoring the user resources? Because a rootkit is also using resources, correct? And any win9x machine will crash if user resources are under 5%. :)
     
  18. LOL, you do know that the idea of a rootkit is to hide itself. If it doesn't appear on the normal task monitors, how do you "monitor user resources"?
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What I meant was the following: at the moment my system always starts with 58% user resources available, so if it suddenly starts at 50% with the same configuration it's already a bit strange.

    And let's say a rootkit also hides its own resource usage, and the rootkit uses about 10% of resources. I think that your system will then probably crash at 10%, because in fact you have 0% left. And that would be strange. I'm no expert, but it's just an idea. ;)
     
  20. If it is completely hidden it will not appear at all, to the task monitor it does not exist, so it will display user resources as if the rootkit was not running. So it will still show 58%.

    Besides, I highly doubt an 8% difference is enough for you to figure out if something is wrong. Especially on a Win 98 machine.

    I know I'm a clueless newbie, I don't know what you are.
     
  21. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Is there a tool that scans registries for hidden processes and allows the user to turn them into visible processes? Is this adequate?

    Rich
     