?rootkit infection

13 replies to this topic

#1 SGC
Member, Full Member, 13 posts

Posted 24 October 2005 - 08:12 AM

Hello all

I have recently d/l and run SVV from

http://www.invisible....org/tools.html

Nothing specifically wrong with my winbox that I can tell, but I am a really low-level user: point and click, follow instructions, that sort!

I was just playing around and got 2 Level 5 warnings.
Now what?

Then used Ice Sword which showed no hidden processes.

Anybody know about these tools and how to interpret the results?

No positives with F-secure Blacklight beta, Rootkit revealer, UnhackMe, RKDetector.

Thanks.

#2 cnm
Mother Lion of SWI, Retired Staff, 25,317 posts

Posted 24 October 2005 - 09:26 AM

What did the warnings say? Sounds like false positives, but I don't know that software.
Microsoft MVP Windows Security 2005-2006

#3 chrono_trigger666
Member, Full Member, 19 posts

Posted 10 November 2005 - 09:40 PM

Hello everyone!!

I am new here.

SVV checks whether the system has been compromised. The results it shows, however, do not classify what it detects, since it doesn't really check for known signatures of malware.

You can post SVV's results here so that we can work something out regarding your problem.

#4 SGC
Member, Full Member, 13 posts

Posted 10 November 2005 - 10:37 PM

Hi CNM and chrono_trigger, thanks for the reply.

Sorry been away for awhile and missed your reply CNM until today.

I will attach one image to this post of SVV scan showing warnings.

There is not much around to enable analysis of these warnings.

All other AV scans normal: KAV, AVG, BD8, A2, Ewido, NAV.

Blacklight rootkit scan, UnhackMe, Rootkit Revealer, RKDetector: all show nothing.

IceSword scan shows no hidden processes.
AutoRuns, ProcX, Security Task Manager and other process monitors clear, AFAICT.
Bootlog XP looks clear.

I will attach the IceSword SSDT results in the next post.

Identity theft and such compromise really frighten me (as I'm sure they do others).

Any help appreciated.
Really do not want to reformat and reinstall!

Regards
SGC

Attached Files: (SVV scan image, not preserved)

#5 SGC
Member, Full Member, 13 posts

Posted 10 November 2005 - 10:42 PM

Here is the IceSword SSDT scan.

Regards

Whoops too big!
will rejig and repost

Edited by SGC, 10 November 2005 - 10:43 PM.


#6 SGC
Member, Full Member, 13 posts

Posted 10 November 2005 - 10:49 PM

Here is the adjusted image; hope it is readable.
See the "unknown" hooks.

Regards

#7 SGC
Member, Full Member, 13 posts

Posted 10 November 2005 - 10:50 PM

Here is the adjusted image; hope it is readable.
See the "unknown" hooks.

Regards

Hmm, not too clear.
Can anyone tell me how to get it better?
The easily readable version is 164 KB.

Regards

Attached Files: (IceSword SSDT image, not preserved)
Edited by SGC, 10 November 2005 - 10:51 PM.


#8 Avohir
Computer Exorcist, Trusted Advisor, 1,098 posts

Posted 10 November 2005 - 10:58 PM

IceSword is a very advanced tool, and I would say if you are a "low level user" then you're better off not trying to use it without direction.

#9 SGC
Member, Full Member, 13 posts

Posted 10 November 2005 - 11:07 PM

No argument from me!!

I was just "testing" my system in anticipation of an "all clear" result after reading about the app here and there.

Have not attempted any fixes.

Regards

#10 chrono_trigger666
Member, Full Member, 19 posts

Posted 11 November 2005 - 01:18 AM

Hmmm...

It seems that some module has hooked into your kernel components, but the module that hooked them is missing or, most probably, hidden. Correct me if I'm wrong. I would appreciate feedback, since I have only recently begun researching rootkit technology.

#11 SGC
Member, Full Member, 13 posts

Posted 11 November 2005 - 04:48 AM

Yes, I think you are right.
But:

What exactly does that mean?

I have SSweeper set as on demand only.
AVG set as on demand only (e-mail scanning disabled).
WWasher as on demand only.
Ewido and BitDefender free, i.e. no start-up scanners.
Norton GoBack is on demand only.
A2 on demand.
Ad-Aware on demand.

All of these have their start-up scanner functions not installed, but I imagine all have registry hooks somewhere.

I get "registry change" notification from Spybot teatimer when WW launches.

Any help?

Regards
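The situation chrono_trigger666 describes in #10 (an SSDT entry pointing at a module that is not in the loaded-module list) and the question SGC raises in #11 (whether installed security software with its own hooks could account for it) come down to one check: resolve each system-service handler address against the enumerated module list. The C program below is an added example, not code from this thread or from IceSword or SVV. The module names, base addresses and SSDT entries are constructed for illustration and the security driver name is hypothetical; it runs in user mode over a snapshot, so it demonstrates the attribution logic rather than reading a live kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A loaded kernel module as a tool like IceSword would enumerate it. */
typedef struct { const char *name; uintptr_t base; size_t size; } module_t;

/* One System Service Descriptor Table (SSDT) entry: index, name, handler address. */
typedef struct { unsigned index; const char *name; uintptr_t handler; } ssdt_entry_t;

typedef enum { HOOK_NONE, HOOK_KNOWN_MODULE, HOOK_UNKNOWN } hook_class_t;

/* CONSTRUCTED module list: the kernel image plus one hypothetical security driver.
   Addresses are illustrative 32-bit kernel-space values, not taken from the thread. */
static const module_t g_modules[] = {
    { "ntoskrnl.exe",        0x804d7000u, 0x001f8000u },
    { "hypothetical_av.sys", 0xf7a3c000u, 0x00011000u },
};
#define N_MODULES (sizeof g_modules / sizeof g_modules[0])

/* CONSTRUCTED SSDT snapshot: one untouched entry, one redirected into the
   hypothetical security driver, one redirected to an address inside no module. */
static const ssdt_entry_t g_ssdt[] = {
    { 0x25, "NtCreateFile",             0x8056e3b4u },
    { 0xad, "NtQuerySystemInformation", 0xf7a41f20u },
    { 0x47, "NtEnumerateKey",           0xf8c0a1e0u },
};
#define N_SSDT (sizeof g_ssdt / sizeof g_ssdt[0])

/* Return the enumerated module whose [base, base+size) range contains addr, or NULL. */
static const module_t *find_module(uintptr_t addr)
{
    for (size_t i = 0; i < N_MODULES; i++)
        if (addr >= g_modules[i].base && addr - g_modules[i].base < g_modules[i].size)
            return &g_modules[i];
    return NULL;
}

/* Attribute one handler address the way IceSword's SSDT view labels it:
   inside the kernel image -> not hooked; inside another enumerated driver ->
   hooked by that driver; inside no enumerated module -> "unknown", meaning the
   owning module is missing from the list (hidden, unlinked, or already unloaded). */
hook_class_t classify_handler(uintptr_t handler, const char **owner)
{
    const module_t *m = find_module(handler);
    if (!m) { *owner = "unknown"; return HOOK_UNKNOWN; }
    *owner = m->name;
    return strcmp(m->name, "ntoskrnl.exe") == 0 ? HOOK_NONE : HOOK_KNOWN_MODULE;
}

/* Convenience wrapper: just the owner label for a handler address. */
const char *owner_of(uintptr_t handler)
{
    const char *o;
    classify_handler(handler, &o);
    return o;
}

/* Number of SSDT entries whose handler lies in no enumerated module. */
size_t count_unknown_hooks(void)
{
    size_t n = 0;
    for (size_t i = 0; i < N_SSDT; i++) {
        const char *owner;
        if (classify_handler(g_ssdt[i].handler, &owner) == HOOK_UNKNOWN) n++;
    }
    return n;
}

int main(void)
{
    static const char *label[] = { "ok", "hooked", "UNKNOWN" };
    for (size_t i = 0; i < N_SSDT; i++) {
        const char *owner;
        hook_class_t c = classify_handler(g_ssdt[i].handler, &owner);
        printf("0x%03x %-26s 0x%08lx %-8s %s\n", g_ssdt[i].index, g_ssdt[i].name,
               (unsigned long)g_ssdt[i].handler, label[c], owner);
    }
    printf("%zu SSDT entr%s with no owning module\n", count_unknown_hooks(),
           count_unknown_hooks() == 1 ? "y" : "ies");
    return 0;
}
```

Compile with any C99 compiler and run; the table shows the three outcomes an SSDT viewer distinguishes. A handler that resolves to an enumerated third-party driver is what resident anti-virus, anti-spyware and firewall products typically look like, and it is the case SGC's list of installed tools in #11 would explain. A handler that resolves to no module at all is the "unknown" case from #10: the next step is to find out what owns that memory, because the owner is either hidden from the module list or has unloaded without restoring the entry.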

#12 Paranoid
Forum Deity, Full Member, 533 posts

Posted 11 November 2005 - 05:17 AM

All clear.


#13 SGC
Member, Full Member, 13 posts

Posted 11 November 2005 - 07:22 AM

OK.

These are no doubt going to be useful tools in due course.

Thanks Paranoid
I got your message earlier.
It will be interesting to see how these apps develop.

Regards.

#14 SGC
Member, Full Member, 13 posts

Posted 11 November 2005 - 07:23 AM

Oops, double post.

Thanks again

Edited by SGC, 11 November 2005 - 07:24 AM.