Golden Hacker Defender Game Over ?

Discussion in 'other anti-trojan software' started by StevieO, Oct 11, 2005.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    Boclean was flagging the older IceSword also. Kevin took a peek at it and I think it was flagged for using a peice of other hacker code. He did say they weren't doing anything bad though.

    Ah yes command line tools. That is all I knew when first using computers.
    Back in the day when we thought chkdsk compared files bit for bit.:D
    and all we had was basic programming language and batch files. Computer science was Cobol and Fortran LOL

    controler
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I'm pretty sure UNIX rootkits are still much more complex than their Windows counterparts. They have been around, like... forever...
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi Nick,

    ntoskrnl.exe locations for WinXP Pro SP2:
    C:\Windows\$NTUninstallKB890859$
    C:\Windows\system32
    C:\Windows\Driver Cache\i386
    C:\Windows\$hf_mig$\KB890859\SP2QFE

    -- Tom
     
  4. I'm a idiot. I installed about half the apps (including almost all protection software) on my box with no difference, until it hit me. Blinding obvious , once I realised what was causing the problem.

    Okay so I'm not rooted (probably).
     
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    It seems like there'll always be a cat & mouse scenario between the two sides. As if anybody hasn't got better things to do with their time. :eek:
     
  6. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
    Well, well..
    Here I am stumbling around with these apps:

    Have run SVV and been given 3 DEEP RED warnings!!

    Have run Ice Sword and it shows up a couple of RED entries in the SSdt lists!

    Now What?

    Have scanned with RKDetector:Clear
    Rootkit Revealer: Clear
    UnHackMe: Clear.
    F-secure: Clear
    All AV scans clear including KAV online scan.

    Have googled unsuccessfuly to try and find out about SVV and I-S entries with no real success>

    Having fun so far but having expected a "clean" report from both, am Now wondering what I may have stepped in!

    Any help please

    Regards
     
  7. wow longbeard, it looks like you are in trouble.

    I can help you rule out if it is a false positive if you post more details. In particulalr the name of file in the SSDT section of icesword that is in red.
     
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi Longboard,

    It seems that more there's rootkit detectors, and more users are afraid of rootkits...

    HackerDefender is the most used in the wild.
    And UnHackMe is quite good for detection of most usual rookits (not paid ones).

    If you use IceSword, any hidden process is marked and shown in red (see the image).

    For SVV, you're really infected if the level is 5.
    3 does not mean that you're infected by a rootkit, because some legitimate programs use hook modules (AV, HIPS etc).
     

    Attached Files:

  9. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    The SSDT just shows files integrated in the Kernel.
    It's often the case for products that which work on a low-level such as ProcessGuard, AntiHook, Samurai, SandBoxie (see the image) and so on.
    It's not an indication of a rootkit infection.
     

    Attached Files:

  10. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    And if you're really infected by a rootkit and if you know the name of the hidden service, then various windows command can be used against the rootkit:
    SC DELETE, NET STOP and so on...

    Regards
     

    Attached Files:

  11. da3256

    da3256 Guest

    Yes, sadly we are all not as knowledgable as you.

    I got a warning level 4 which is RED. Supposedly the system is most probably infected, because the module file causing this is hidden. Turned out it was caused by Dameon tools, the very same entry that appears in rootkit revealer. So in my book this isn't a false positive. After removing that, I got a warning level 2.

    Longbeard does seem to be screwed, since SVV gives him a warning level 5 which is Deepred.

    His icesword results look clean though. It's showing processguard and Kerio 4 hooking.
     
  12. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
    OK guys

    Lets see what I've got:eek:

    Ice Sword process monitor shows nothing hidden.

    See attached for SSdt monitor and SVV Level 5 detection.

    SVV image had to be uploaded separately

    Regards
    (with breath held)
     

    Attached Files:

  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
    Here is the SVV screen.

    Note the first time I ran SVV I got two Deep Reds and three Level 2 detections.

    ?FPs

    Regards
    (still holding breath)
     

    Attached Files:

  14. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
    OOps
    just ran the module checker

    See attached for results.

    If it makes any difference I am working off a restored Ghost image at the moment

    Regards
    (getting very blue in the face)
     

    Attached Files:

  15. controler

    controler Guest

    Long board?

    are you using Anti-Keylogger? That will show as an unknown in IceSword.
    Have you tried dropping to command prompt and typing DIR/S and saving that to a text file. Then booting from a BartPE CD and doing another DIR/S and saving that to a txt file, then using a file compare program to compare those two txt files?

    kareldjag? doesn't the SSDT also show drivers besides programs?

    controler
     
  16. Tom772

    Tom772 Guest

    HI guys, sorry to hijack this thread but while i was trying to use SVV, i got this error similar to nicks-->

    C:\svv>svv check /a
    Following important modules cannot be found:
    ntoskrnl.exe

    ERROR (code = 0x2): Important modules not found

    I was wondering is there away to fix this error and get the program to work on my comp? i would be really greatful for any help,

    Reagards Tom
     
  17. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
    Controler:
    LOL
    Thankyou for your suggestions

    I am not even sure what language you are using!
    Humble home user here
    Point and click and a little extra.
    I ran the SVV using your point by point instructions for cmd line in the other thread.

    I was hoping some one might be able to interpret the scan findings!!
    I will probably try Windiff. Only problem will be whether I can understand that!

    Well out of depth here:eek:

    ? will SVV +/- IS become the new HJT?
    Us newbs better steer clear for a while.

    Regards
     
  18. controler

    controler Guest

    Tom ? did you get that error the first time you run SVV or on a second try?
    I found on my VM machine, I can only run it once and then I have to reboot to run it again.

    Longboard?

    I think the not too distant future rootkit detectors will use a boot disk as part of
    the detection and removal. There is some interesting things in the works ;)

    I think detection is important but believe prevention is the real way to go.

    Unless a programmer can assure the home user that the rootkit was cleaned and there is no stability problems after, I think the only way to go right now is to reformat. Microsoft's Mike Danseglio, explains why in his presentation webcast.
    If you look at old threads here on rootkits, some of us posters were shunned for speaking of them, saying oh they do not exist that much in the wild ect.
    Now they ARE being used by adware,spyware ect companies which IS big buisness and some some script kiddy in his room after school. We were accused of ascre mongering.
    Even back before that I not only preached reformating but also said I usualy reflash my BIOS at the same time.
    If you watch Mike's webcast, you will see he talks about the rootkits that hide in RAM such as a video card. In this case you would have to reflash your video card memory also before format.
    Mike tells of all the support calls Microsoft gets each week from IT people that are infected with a rootkit. His advice to them is to nuke the hard drive
    and explains why.

    For those that have not watched the webcast, I highly suggest it and also should read an article by Jamie.
    http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx

    http://www.phrack.org/show.php?p=63&a=8

    controler
     
  19. Tom772

    Tom772 Guest

    Hi controler, The first time i tried to run SVV I got that error, so i tried it again and the same thing happened. I then put it in system32 folder then ran it and got a error that said it couldn't load a driver, so not sure what to do! If you have any suggestions, im running XP Pro/Home SP2

    Regards Tom
     
  20. controler

    controler Guest

    Tom

    You could try running it from your desktop. Maybe the program is not ment to run from the C:/ root DIR.

    Give it a try and also are you running other security software at the same time such as PG ect?

    controler
     
  21. controler

    controler Guest

    AS Da mentioned Johanna doesn't seem to care to much about Wilders or she would post I would think. Guess she has her special little spot on the net where she only posts.

    controler
     
  22. Tom772

    Tom772 Guest

    Thanks controller, didnt think about PG> I will give it a try, i pretty sure im clean but i was interested in trying it out and seeing what it showed. Thank you very much for your help,

    T
     
  23. Tom772

    Tom772 Guest

    Hi controller, i disable PG and this is what i got;

    C:\>svv check /a
    ntoskrnl.exe (804d7000 - 806eb100)... Null.SYS (f9b2f000 - f
    9b30000)... error code = 0x490
    mnmdd.SYS (f9a50000 - f9a52000)... error code = 0x490
    RDPCDD.sys (f9a52000 - f9a54000)... error code = 0x490
    dump_atapi.sys (f46b0000 - f46c8000)... Image file not found!
    dump_WMILIB.SYS (f9a84000 - f9a86000)... Image file not found!

    SYSTEM INFECTION LEVEL: 2
    0 - BLUE
    1 - GREEN
    --> 2 - YELLOW
    3 - ORANGE
    4 - RED
    5 - DEEPRED
    Nothing suspected was detected.

    Regards T
     
  24. Pretty typical really. The really skilled people seldom want to waste their time posting in the backwaters of a mere 'user forum', unless there is some commercial interest at play.
     
  25. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
    Just wondering...
    Did anybody get achance to look at the results of my IS and SVV scans?

    Any comments?

    Regards
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.