rootkitrevealer installing a service?

Discussion in 'other security issues & news' started by lynchknot, Jun 1, 2005.

Thread Status:
Not open for further replies.
  1. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I have run it several times but never have I seen it try to install a service. I have googled it and found nothing. Does anyone know what this is and is it ok? Thank you.

    MSYSVOKQT.exe

    http://img71.echo.cx/img71/3663/rootkit4tm.jpg
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    Some sort of false positive? Does WinPatrol know about the file?
     
  3. reststop

    reststop Guest

    I thought RootkitRevealer 1.4 has this thing where it creates a random process whenever it runs to try to keep from being detected by a rootkit. If you run it again it should have another 'different' random process name that WinPatrol will again warn you about. WinPatrol does that for me every time. Now if you get the same process name every time, then I would be worried. It should be a different random process name every time you run RootkitRevealer.
     
  4. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Yeah, OK, I had an older version and never saw these pop-ups.
    http://img71.echo.cx/img71/7510/another0sc.png

    Then again it continues to error:

    http://img71.echo.cx/img71/6384/error8db.jpg
     
  5. reststop

    reststop Guest

    If I run RootkitRevealer 1.4, not only does WinPatrol warn me of a new service, but MSAS also warns me of the same thing - same random name as WP. You can see for yourself with WinPatrol. After starting RootkitRevealer 1.4, right click on the WinPatrol icon in the systray and select 'display services'. You should then see the service that WinPatrol warned you about, and you'll also see that it will no longer be listed there after RootkitRevealer finishes. So the service is temporary.

    If you want WP to warn you more quickly make sure it is set to do so. I think the default setting is several minutes before it will warn you of a new service being installed.
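    The check reststop describes (watch the service list during a scan, confirm the helper service is gone afterwards, and worry only if the same name comes back every run) can be automated as a snapshot diff. The script below is an added example, not code from the thread or from RootkitRevealer or WinPatrol; the service-name snapshots are constructed sample data, with 'MSYSVOKQT' taken from the first post and the rest made up, and the "looks random" heuristic is an assumption about the naming style, not a documented property of the tool.

```python
"""Service-snapshot triage for a scanner that installs a temporary,
randomly named service each run (the RootkitRevealer 1.4 behaviour
described in the thread).

Every snapshot below is CONSTRUCTED sample data, not a real capture.
A snapshot is the set of service names listed at one moment, e.g. what
WinPatrol's 'display services' view or `sc query` would show."""
import re
from collections import Counter

# Stable services present on the idle machine (constructed).
BASELINE = {"Dnscache", "EventLog", "LanmanServer", "PlugPlay", "WinPatrol"}

# Two scan runs where the helper service has a different random name each
# time ('MSYSVOKQT' is the name from the original post; the other is made up).
HEALTHY_RUNS = [
    {"during": BASELINE | {"MSYSVOKQT"}, "after": set(BASELINE)},
    {"during": BASELINE | {"QPXVRTWKL"}, "after": set(BASELINE)},
]

# The case the thread says would be worrying: the same name every run,
# and it is still installed after the scan has finished (constructed).
WORRYING_RUNS = [
    {"during": BASELINE | {"MSYSVOKQT"}, "after": BASELINE | {"MSYSVOKQT"}},
    {"during": BASELINE | {"MSYSVOKQT"}, "after": BASELINE | {"MSYSVOKQT"}},
]

RANDOM_NAME = re.compile(r"^[A-Z0-9]{8,16}$")


def looks_random(name):
    """Heuristic (assumption): upper-case alphanumerics, 8-16 characters,
    and fewer than one third vowels, matching the helper name in the post."""
    if not RANDOM_NAME.match(name):
        return False
    vowels = sum(1 for c in name if c in "AEIOU")
    return vowels * 3 < len(name)


def transient(run, baseline=BASELINE):
    """Names that appeared during the scan and were gone afterwards."""
    return run["during"] - baseline - run["after"]


def leftover(run, baseline=BASELINE):
    """Names that were not in the baseline but survived the scan."""
    return run["after"] - baseline


def recurring(runs, baseline=BASELINE):
    """New names seen in more than one run: a random name should not repeat."""
    counts = Counter()
    for run in runs:
        for name in (run["during"] | run["after"]) - baseline:
            counts[name] += 1
    return {name for name, count in counts.items() if count > 1}


def assess(runs, baseline=BASELINE):
    """Expected behaviour: exactly one transient, random-looking name per run,
    nothing left over afterwards, and no name recurring across runs."""
    report = {
        "transient": [sorted(transient(r, baseline)) for r in runs],
        "leftover": sorted(set().union(*(leftover(r, baseline) for r in runs))),
        "recurring": sorted(recurring(runs, baseline)),
    }
    report["expected"] = (
        all(len(t) == 1 and looks_random(t[0]) for t in report["transient"])
        and not report["leftover"]
        and not report["recurring"]
    )
    return report


if __name__ == "__main__":
    for label, runs in (("healthy", HEALTHY_RUNS), ("worrying", WORRYING_RUNS)):
        print(label, assess(runs))
```

On a real machine the three snapshots per run would be collected from the service list before, during and after the scan; the diff logic is the same. The heuristic only narrows attention to names in the scanner's style, so a leftover or recurring name is the signal that matters, whatever it looks like.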
     
  6. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Thanks guys. Now how do I fix the dump errors?
     
  7. reststop

    reststop Guest

    Not sure about that. Hopefully someone will post who knows more about it.
     
  8. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
  9. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Thanks. I guess I thought I was unique - :D - I should have searched the board!

    Anyway, those dump errors are rendering this useless I suppose. Maybe it's a rootkit conspiracy to avoid detection! :eek:
     
  10. reststop

    reststop Guest

    I don't want to scare you Lynchknot, but I would ask at other forums if no one answers you here. Try http://www.dslreports.com/forum/security; they have some real good rootkit experts over there. You don't even have to join at Dslreports like Wilders. Keep asking till you find out for sure, because it doesn't look good to me. Like I said, I'm not trying to scare you, it could be nothing, but I would do all I could to find out, and fast. Also http://www.castlecops.com is pretty good too.
     
  11. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    What doesn't look good? The dump error or the fact, in my other thread, that IE was running in Outpost while not in Taskmanager - or both! BTW, after reboot - I don't see IE running anymore.

    **edit - 46 views, no replies over at dsl.
     
    Last edited: Jun 1, 2005
  12. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA