Sysinternals Rootkit Revealer

Discussion in 'other anti-trojan software' started by Sunnysdsr, Jul 23, 2006.

Thread Status:
Not open for further replies.
  1. Sunnysdsr

    Sunnysdsr Registered Member

    Joined:
    Feb 3, 2006
    Posts:
    36
    I just scanned my pc with the Sysinternals Rootkit Revealer and its found a few "discrepancies". Just wondering, how do I delete them.
     
    Sunnysdsr, Jul 23, 2006
    #1
  2. trickyricky

    trickyricky Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    475
    Location:
    London, UK
    It depends what was found. How many problems were identified and, of those, how many are real rootkit malware?

    I usually try at least two rootkit scanners to make sure I don't have false positives, then I take action on what remains- either addressing the discrepancies directly, or by reformat and reinstall of Windows.

    Icesword is a good scanner and also allows you to clean many nasties too. As does F-Secure's Blacklight.
     
    trickyricky, Jul 24, 2006
    #2
  3. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    440
    Location:
    U.K.
    Be careful! Rootkit Revealer (RR) should only really if you can interpret and understand its results. 'Discrepancies' it reports are not necessarily issues that need to be (or even should be) addressed. RR understands the raw binary format of the registry hive files, and what it does is to (a) parse the registry hives directly and (b) parse the registry using the Windows API (this is what normal apps do, incl. regedit). RR then reports any discrepancies between the two. This can lead to discrepancies for at least the following reasons:

    - Any changes made to the registry between the two scans will become 'discrepancies'. It is common that legitimate registry updates will take place between the two scans, and so they need to be filtered out before fixing.

    - Some applications use unusual techniques for copy protection which can lead RR to report discrepancies (for instance, some apps embed zero-bytes into registry key names, or value names). If you delete the entries concerned, you might find one of your other apps no longer works.

    - Of course, some rootkits may make registry changes which RR will detect, too.

    PS: RR also scans so-called NTFS meta-files, and some security apps (and other legitimate apps) use these. Older versions of Kaspersky are an example.

    So, I would suggest you post your detailed RR logs to the "Rootkit Revealer logs" section of SysInternals' forums - they are still open as I speak), and you should receive some expert help.
     
    spm, Jul 24, 2006
    #3
  4. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    I would also be very careful about deleting stuff if you have little knowledge about it.
    Just because it finds something doesn't mean it's malicious.

    On a side note, you could also try GMER (made by GMER here on Wilders)
    http://www.gmer.net
     
    Brian N, Jul 24, 2006
    #4
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...