sophos rootkit false positive or not?

hi ive recently been doing a root kit scan, with the blacklight f-secure software, which ive found to be pretty good. But to check it against some of the other alternative software out there i decided to try a comparison test with the sophos rootkit scanner. Initially i didnt pick up any anomoly's, but intimitant scans have revealed 8 hidden registry values. They are marked as 'not removable'....which i found bizarre!....and im not clear as to whether these are false positives, and therefore safe to delete when i enter the registry. wonder if anyone here has had a similar problem.

I post them here for your perusal.

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
\{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\Parameters\Tcpip\DhcpDefaultGateway
Removable: No
Notes: (type 7, length 26) "IP ADDRESS "

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
\{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\Parameters\Tcpip\DhcpSubnetMaskOpt
Removable: No
Notes: (type 7, length 30) "SUBNET VALUE "

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
\{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\DhcpNameServer
Removable: No
Notes: (type 1, length 40) "IP ADDRESS "

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
\{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\DhcpDefaultGateway
Removable: No
Notes: (type 7, length 26) "IP ADDRESS "

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
\{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\DhcpDefaultGateway
Removable: No
Notes: (type 7, length 26) "IP ADDRESS "

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
\{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\DhcpRetryStatus
Removable: No
Notes: DWORD 0x0 = 0

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer
Removable: No
Notes: (type 1, length 40) "IP ADDRESS "

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
\{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\DhcpRetryTime
Removable: No
Notes: DWORD 0xc20f = 49679



Ive deleted the subnet and and ip paths for obvious reasons in the notes sections,replacing with the appropriate title, but needless to say they are mentioned in there in the log.

 

am i being a munter?.....why hasnt anyone answered?.....is it my ignorance? :-/

 

100% No rootkit !


StevieO

 

That's no Rootkit.
I advice allways to check the results with a second Rootkit detector like IceSword.

 

thanks guys!....wanted to check!, and i concur with you tommy!, i always double check, hence the comparison test with the F-secure blacklight.

I have to assume it was a false positive, and that it was worth mentioning on here for anyone else who might have had the same problem and been tempted to dive into a catastrophic intervention.

quick question: do you find IceSword more comprehensive than the sophos or Blacklight?.....i have to say so far ive been very impressed with the F-Secure.

 

Let's say it this way.
In the opinion of the so called experts Blacklight and IceSword are the best and very dificult to bypass for Rootkits. IceSword is an advanced tool and very sufisticated. I use both and they never failed me, but i nevver had Rootkits on my machines. Lucky me

 

Hi Tommy, what so called experts would these be out of interest ?

There are various rootkit detectors that are now available, including Blacklight and IceSword, some much better than others at different things for various reasons. It might surprise some people to find out that most of them are actually not difficult to bypass.

One that's not so widely known is RKU that is being constantly worked on, refined and updated. So far it's proven to be the most resistant to bypass on real world rootkits and also test rootkits. A brand new version is expected very soon with even more features and capabilities.

Please take a look in this thread for more details and info http://forum.sysinternals.com/forum_posts.asp?TID=7003&PN=1 Also on that site you will find other hopefully useful ifo as well.


StevieO

 

Regarding to the 'socalled experts' i just wanted to make fire in this thread

I tested Rootkit Unhooker a while ago, it crashed my system and also the latest reviews on CastleCops board regarding the actial build are not quiet good.

Edit:
Just tested RKu 2.0.22. Seams to run stable, i will keep an eye on that one.