One in Five PC's Infected With Rootkits
odreian615

join:2006-01-18
Chicago, IL
reply to daveinpoway
Re: One in Five PC's Infected With Rootkits

I use AVG Anti-Rootkit free
»www.grisoft.com/doc/products-avg···1.1.0.42
works just fine IMO


luddite

join:2001-09-09
Allen, TX

reply to ZZZZZZZ
said by ZZZZZZZ:

... a popup says that there is a malicious entry in the hosts file and that it can't start until it's deleted, and then it gives you a choice to delete it, but doesn't show you the actual entry?
Just ran this and encountered the same thing. It deleted everything in my HOSTS file and left a single line:
127.0.0.1 localhost

It didn't find any infections scanning it with my original HOSTS file in place or its 'improved' version of the same.
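As an added, defender-side illustration of the HOSTS complaint above (this is not code from the thread or from any of the tools discussed): a small Python audit that parses a hosts file and reports each suspicious mapping with its line number instead of silently wiping the file. The sample hosts content, the `example-av.test` name and the protected-domain list are constructed; `www.grisoft.com` is the AVG site mentioned elsewhere in the thread.

```python
import ipaddress

# Constructed sample hosts file (not taken from any post in this thread):
# the usual loopback lines, a vendor site pointed at a foreign address,
# and an update host black-holed to loopback so it can never be reached.
SAMPLE_HOSTS = """\
# standard header comment
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.grisoft.com          # constructed redirect
127.0.0.1       update.example-av.test   # constructed black-hole
"""

# Domains a hosts file has no business mapping at all: an entry for any
# of them can divert or block signature updates. Assumed/constructed list.
PROTECTED_SUFFIXES = ("grisoft.com", "example-av.test")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower(), line_no


def audit_hosts(text):
    """Return [(line_no, ip, hostname, reason)] and modify nothing, so the
    user sees exactly which entry was flagged and can decide for themselves.
    Loopback/0.0.0.0 entries for other names (ad blocking) are left alone."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        protected = any(name == s or name.endswith("." + s)
                        for s in PROTECTED_SUFFIXES)
        if protected and addr.is_loopback:
            findings.append((line_no, ip, name, "vendor host black-holed to loopback"))
        elif protected:
            findings.append((line_no, ip, name, "vendor host redirected"))
        elif not addr.is_loopback and not addr.is_unspecified:
            findings.append((line_no, ip, name, "non-loopback mapping"))
    return findings
```

To check a real machine, read `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) and pass its contents to `audit_hosts`; the function only reports, it never edits the file.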


tomnvik
Tom G

join:2000-10-26
South Elgin, IL

reply to daveinpoway
Nothing here.

ctrlaltdelet

join:2006-08-19
·Ziggo

reply to daveinpoway
»www.prweb.com/releases/rootkits/···6142.htm

.....The result of these changes has been an increase in the number of PCs seen to have one or more active spyware, malware or rootkit programs running on them - from 15.6 percent or 1 in 6 during October 2007, to 22 percent or more than 1 in 5 today......


pog
Premium
join:2004-06-03
Kihei, HI
·Hawaiian Telcom

Add my PC to their list of infected:


As I am fairly certain this is a false positive, I wonder just how inflated Prevx's numbers are over all.
--
My Site


AB
Premium
join:2006-04-04
Leesburg, VA

reply to daveinpoway
said by daveinpoway:

Remember that infection statistics from those of us in the know do not give the true picture, since many more PC's are owned by John and Jill (Clueless) Public. Given the fog in which many of these users operate, I have no doubt that many of their systems (quite possibly considerably more than 20%) have some sort of infection(s), and these folks would have no way of knowing what sort of "guests" have hitched a ride inside of their Windows installation, nor would they understand how to evict the "guests", even if they knew they were present.
The so-called "news story" didn't say a word about '20% of all clueless user computers', that I saw.

lefty1

join:2002-10-25
Clay, NY

reply to Qwerky
Anyway, is SysInternals RootkitRevealer sufficient, or should one be using more/different tools?
While running SysInternals RootkitRevealer, it stops every minute or so and gives me an error message about only having partial compatibility with Vista. Now why am I not surprised by that?


Elite

join:2002-10-03
Orange, CT
·Optimum Online

reply to fatdcuk
Hmmmm very interesting.

Was Prevx installed prior to the infections?

I installed my Rustock.B sample, confirmed the infection with RkU, then installed Prevx, updated it, and did a full system scan. I believe this was back in maybe August?

Prevx found NOTHING. I later tested it with Unreal.A as well, and got the same results.

I've spoken with a few of the higher-ups @ Prevx (like the guys who run their blog) and last I heard, their improved rootkit detection module was still in alpha stages.
--
QUAD!!!!


AB
Premium
join:2006-04-04
Leesburg, VA


1 edit
reply to lefty1
said by lefty1:

While running SysInternals RootkitRevealer, it stops every minute or so and gives me an error message about only having partial compatibility with Vista. Now why am I not surprised by that?
The most recent version of RR seems to have been released on 11/1/2006, prior to Vista.
Likely why.

*Edit- sp


spy1
Welcome to Amerika
Premium
join:2002-06-24
Charlotte, NC

1 edit
reply to whocares
»www.prevx.com/ (Chose the "Free PC Check Now" button on that page).

If you DON'T want it to install and run resident in SYSTRAY, make sure you DECLINE that choice when it's offered. Pete


fatdcuk
Premium
join:2005-02-20
England


1 edit
reply to Elite
They were from my zoo collection. PrevX CSI was installed/run after they were native, and yep, the results surprised me too.

*I will post some support data/screenshots etc. tomorrow when I have more time, hopefully.

But still, FWIW, I have samples in the zoo such as Nulprot, TR-inject (Allinone) that bypass this tool, and have other samples that bypass the Kaspersky 7 series the last time I tested it.

So I still put my faith in forensic tools and slaving drives.


Elite

join:2002-10-03
Orange, CT
reply to daveinpoway
Just checked out the new version of CSI, looks like rootkit detection has been improved quite a bit.

Too bad my Rustock.B sample won't run on my quad core.
--
QUAD!!!!

clocks11

join:2002-05-06
00000

reply to odreian615
said by odreian615:

I use AVG Anti-Rootkit free
»www.grisoft.com/doc/products-avg···1.1.0.42
works just fine IMO
I use this also, but they have not updated this thing in a long time.

OZO
Premium
join:2003-01-17

reply to daveinpoway
Guys, have you noticed that Prevx sends a lot (and I mean, a lot) of encrypted data to one of its servers? It's done during the scan via multiple POST commands.

What does it send?

Is it only me?
--
Keep it simple, it'll become complex by itself...

ctrlaltdelet

join:2006-08-19
·Ziggo

»info.prevx.com/csihelp.asp

"When Prevx CSI scans your PC it builds a mini-database of forensic data for each file it wishes to check. This data is then sent to our Prevx Automated Malware Research Center where it is thoroughly checked and analyzed by our massively powerful servers. Because we are performing a very extensive analysis on our servers, we take most of the load off of your PC. The result is a scan that is fast, always up to date and much more effective than conventional approaches."


jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31


3 edits
reply to daveinpoway
"This data is then sent to our Prevx Automated Malware Research Center where it is thoroughly checked and analyzed by our massively powerful servers".

Wow!
Had I known they had "massively powerful servers", I might have been tempted to try this a long time ago.

Now that's impressive!
--
I had a life once.....now I have a Computer and a Modem.


Sindows 7

join:2006-09-13
Hope, BC
reply to daveinpoway


Portmonkey
scurvy
Premium
join:2004-04-09
Southern IL

reply to daveinpoway
McAfee's Virus Scan Plus claims that it "detects and kills rootkits and other malicious applications that hide from Windows and other anti-virus programs", and it works with Vista. When I was still using XP, I switched back and forth between a few different rootkit scanners, but now I'm hoping McAfee has that area covered.
--
Ninja of the Nasty


Bubba17
Less is More
Premium
join:2006-09-21

reply to fatdcuk
said by fatdcuk:

But still, FWIW, I have samples in the zoo such as Nulprot, TR-inject (Allinone) that bypass this tool, and have other samples that bypass the Kaspersky 7 series the last time I tested it.
Here, KIS, with settings maxed and using the specific "rootkit" scan .. zip found. It's never even generated a message of any kind, false positive, nothing.

Blackbird said it, "Granted, not all folks at all points are looking for rootkits with equal skill or focus - if at all." Exactly. And, in the whole malware arena, this stealth payload delivery technique is the single thing leaving me unsasafied .. am I "really" sure I'm clean?

I've tried RootkitRevealer and, uh .. its output, for me, cannot be called user friendly.

I've tried PREVXCSI and, for whatever reason, it wasn't happy on my system. It was early with it, maybe it would be happier now. I might re-try this.

Based on Elite's, "but that's a bit too advanced for some" qualification of RkU .. I damn sure got no business messing with it.

So, I'm still looking for additional anti-rootkit tool(s) I can wear/depend upon .. increase my sasafaction.

What is thought of F-Secure's Blacklight?
Are AVG's and McAfee's tools, already mentioned here, considered strong??

Any others?
--
HN7000s | Horizons 1 (127W) | Gateway: 1110Mhz | Dish: .98m 2 Watt | Pro+

"Fast is fine, but accuracy is everything" --Wyatt Earp


Bubba17
Less is More
Premium
join:2006-09-21


1 edit
And, another thing .. a google of "anti rootkit" brings up lots of offerings, including ones that, for all I know, might be rootkits masquerading as anti.

Like "GMER", which includes the blurb, "all your rootkits are belong to us". Uh huh, ok, sure they do.

Like "DarkSpy", which mentions China numerous places. I'm currently unhappy with China. Is this a trusted anti?

Just for instance.

edit: spelling
over 10 years online! © 1999-2009 dslreports.com.