Rootkit Detection

Discussion in 'other security issues & news' started by cityman, Jul 25, 2005.

Thread Status:
Not open for further replies.
  1. cityman

    cityman Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    65
    recently i used Sysinternals RootkitRevealer. it found over 45,000 discrepancies.

    it is a bit too much- i did it twice under two different circumstances. same result- many discrepancies. can anyone please advise?

    i also used F-Secure BlackLight beta and there were no rootkits found.

    i was going to use Samari also.. but still doing some research on it.

    i would use Process Guard but it only acts as a preventative. i was using TDS-3 with no problems found at all. however, since their announcement of non-support- i switched to Ewido.

    --
    my thinking is: i am over my head in analyzing the 45,000+ discrepancies plus i really do not know this area. i do not have time to learn this.

    i think there might be an error in the program or something. 45,000 errors? i am extremely conscientious. i checked all my financial data and everything is the way it should be.

    i have Kaspersky AV, wireless ZoneAlarm, Spybot, Lavasoft Ad-Aware, SpySweeper as well as Ewido. this laptop is a single, non-network-connected computer and i use Firefox.
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    It's because of the ADS that Kaspersky 5.0's iStreams technology uses, try UnHackMe instead, it will give you a detection (if there is something), instead of a lot of info where you need to know what to look for.

    Btw. Which version did you use, 1.52 didn't show those 40000+ files that previous versions of RKR did.:)
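    RootkitRevealer works by comparing what the Windows API reports for the file system and registry against what it reads from the raw disk and hive; anything present in the raw view but not the API view is listed as a discrepancy. NTFS alternate data streams (ADS) are exactly that kind of entry, because a normal directory listing never shows them. The following PowerShell snippet is an added example and is not from this thread or from any of the products mentioned; it enumerates ADS under a folder and groups them by stream name, so that a product stamping the same stream on tens of thousands of files shows up as a single dominant line. It assumes PowerShell 3.0 or later (for the -Stream parameter) and a scan root you choose yourself.

```powershell
# Added example, not part of the thread: count NTFS alternate data streams under a folder.
# Requires PowerShell 3.0+ (Get-Item -Stream, Get-ChildItem -File).
param(
    [string]$Root = "$env:SystemDrive\"   # assumption: scan the whole system drive; narrow as needed
)

# Walk every file; -Force includes hidden/system files, errors on locked paths are skipped.
$streams = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # "-Stream *" returns one object per stream; ':$DATA' is the file's normal content, so drop it.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    }

"Alternate data streams found under ${Root}: $($streams.Count)"

# Group by stream name: one name attached to a huge number of files points at a product
# that tags files (an AV cache, a download marker), not at thousands of separate hidden objects.
$streams |
    Group-Object -Property Stream |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 Name, Count |
    Format-Table -AutoSize

# Show a handful of carriers of the most common stream so it can be traced to its owner.
$top = ($streams | Group-Object -Property Stream | Sort-Object Count -Descending | Select-Object -First 1).Name
$streams |
    Where-Object { $_.Stream -eq $top } |
    Select-Object -First 10 FileName, Stream, Length |
    Format-Table -AutoSize
```

Run it from an elevated prompt so that system directories are readable. Expect some legitimate streams on any Windows box, for instance Zone.Identifier on files saved by a browser; the signal to look for is one unfamiliar stream name repeated across a large share of the files, which is the pattern that turns a RootkitRevealer run into tens of thousands of discrepancies with no rootkit involved.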
     
  3. cityman

    cityman Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    65
    thanks for the wonderful help about Kaspersky's stream technology. much appreciated.

    i used the same version- the last version twice (which is the latest- i downloaded it yesterday). i should have explained it more clearly. while RKR was scanning i was using many applications at the time. so when i saw the 45,000 detections.. i thought it was because the computer was "active". so the 2nd time while RKR was scanning, no programs were running. however, i still got the high detection count.

    i did use UnHackMe and 4 suspected rootkits were found. they were-

    winsock - Google Desktop Search Backup Before First Install
    winsock2 - Google Desktop Search Backup Before First Install
    winsock - Google Desktop Search Backup Before Last Install
    winsock2 - Google Desktop Search Backup Before Last Install

    i have no idea if they were really rootkits but the name- Google- sort of assured me so i marked them - false positive.

    i wonder what would have happened if i had deleted them? any idea?

    again thanks for the help and the advice.

    cm
     