One in Five PC's Infected With Rootkits in Security http://www.dslreports.com/forum/r19621162 en Fri, 27 Nov 2009 05:43:19 EDT Fri, 27 Nov 2009 05:43:19 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19673482 foxsteve : Sorry, I do not understand your message. Is it recommendation for me or you need copy of this kind of file?

Edit. At each start of gmer.exe, WindowsUpdate.log is increased on 1210 bytes. I would like to ask, how GMER is related to WindowsUpdate.log? ]]> http://www.dslreports.com/forum/remark,19673482 Sun, 23 Dec 2007 04:51:13 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19673449 gmer : @foxsteve

Please do not change anything on "Setting Tab" - it's not necessary to detect rootkits !

Just press "Scan" on Rootkit tab and when it ends use "Copy" or "Save..." button to save content as a text file. ]]> http://www.dslreports.com/forum/remark,19673449 Sun, 23 Dec 2007 04:16:30 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19673405 foxsteve : Thank you for your answer.
I have repeated test your program at unticked "Sections" option. Program was not collapsed as before at strange address 0x72013668, but I did not get any gmer.log file, although gmer.ini file was edited
I hope my testing may help you in development of your important anti-rootkit program. ]]> http://www.dslreports.com/forum/remark,19673405 Sun, 23 Dec 2007 03:40:00 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19664262 gmer : Hi Foxsteve, hi everyone

I see that new BETA of GMER doesn't work correctly on your machine . It's probably a bug in sections scan so I need to check this part of code .

If you would like to scan your computer with this version I can only suggest to untick "Sections" option on "Rootkit" tab and rescan again. I hope it helps.

@fcukdat
Thank you for keeping me informed .

Regards]]> http://www.dslreports.com/forum/remark,19664262 Fri, 21 Dec 2007 13:21:46 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19664237 fatdcuk : Hi,

Well The Beta version has been stable for my research setup both in clean mode and hosed but that dose not mean that it will be stable on all setup's.

Still this tool is in Beta testing phase which is not a final release and i have relayed your bug report to the software author(GMER):)]]> http://www.dslreports.com/forum/remark,19664237 Fri, 21 Dec 2007 13:17:12 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19662209 foxsteve : I followed your recommendation and downloaded gmer.exe file (753,664 bytes) from that link »www2.gmer.net/beta/, then started that file and press "Scan". For security I tested that file under monitoring. Here is result.

On the first step program created 5 files:
C:\Wimdows\gmer.exe (753664 bytes)
C:\Windows\gmer.dll (811008 bytes)
C:\Windows\gmer.ini (250 bytes)
C:\Windows\gmer_uninstall.cmd (80 bytes)
C:\Windows\system32\drivers\gmer.sys (85073 bytes)
and series of keys in the next Registry directories:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GMER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gmer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GMER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer

On the second step program started scanning my system, but at scanning C:\Windows\system32\drivers\FILEM.SYS file, stopped with message as on the attached picture.

I pressed "OK" and program collapsed without any C:\Windows\gmer.log file.

What is your next recommendation?

PS. Here are codes gmer.ini and gmer_uninstall.cmd files

gmer.ini

gmer_uninstall.cmd
Click for full size
]]> http://www.dslreports.com/forum/remark,19662209 Fri, 21 Dec 2007 02:57:10 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19661032 AB :
said by Bubba17 See Profile :

said by AB See Profile :

I think I owe a debt of gratitude to SipSizurp's and the others' clients though, that shouldered the burden and helped to keep me in that other 75 or 80% percentile.
Whew! Close one!
You found something?
Nope. Not a thing.

This is why I'm in that 'other percentile'. :)]]> http://www.dslreports.com/forum/remark,19661032 Thu, 20 Dec 2007 22:20:02 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19660986 Bubba17 :
said by AB See Profile :

I think I owe a debt of gratitude to SipSizurp's and the others' clients though, that shouldered the burden and helped to keep me in that other 75 or 80% percentile.
Whew! Close one!
You found something? And, successfully eradicated it?

You used RkU? Did you try GMER?
--
HN7000s | Horizons 1 (127W) | Gateway: 1110Mhz | Dish: .98m 2 Watt | Pro+

"Fast is fine, but accuracy is everything" --Wyatt Earp]]> http://www.dslreports.com/forum/remark,19660986 Thu, 20 Dec 2007 22:11:53 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19659255 AB :
said by Bubba17 See Profile :

Notice ... I didn't announce I was clean. :)
Yes, I notice that.
Well, allow me to announce-- my machine is clean!
Yeah, baby! Yee-haaa!

I think I owe a debt of gratitude to SipSizurp's and the others' clients though, that shouldered the burden and helped to keep me in that other 75 or 80% percentile.
Whew! Close one!

Thanks, gents! :)]]> http://www.dslreports.com/forum/remark,19659255 Thu, 20 Dec 2007 16:57:09 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19659193 fatdcuk :
said by foxsteve See Profile :

Ok, thank you very much!
What do you know about new development with RkU?
As far as i am aware RKU is no longer under public developement.As an ARK forensic tool it is becoming less effective than it once was.This has been highlighted by some of the recent ITW RK malware.IRC the latest DNS changer trojan RK is not detected by RKU nor is Nulprot so that is 2 for definite that the tool is confirmed as blind too but they will almost certainly be more out there ITW.

FWIW if ARK tools are not in constant state of developement like the rootkit malwares they are targeting then they are losing ground on effectiveness.The battle is ongoing between mal writers and the defenders,alas the defenders will always be playing catchup.

IMHO GMER has now superceded RKU as forensic tool as the best available samedrive tool.It has incorperated the best of IceSword and RKU functionability with a few added extra's thrown in.The problem then arises then with *ease of use/data returned* which is where GMER will fall down for most folks.

That said dose new GMER see them all....well there is a very high probability not,the battle still goes on!]]> http://www.dslreports.com/forum/remark,19659193 Thu, 20 Dec 2007 16:46:51 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19658390 foxsteve : Ok, thank you very much!
What do you know about new development with RkU?]]> http://www.dslreports.com/forum/remark,19658390 Thu, 20 Dec 2007 14:33:26 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19657553 Elite : Your machine is clean then.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19657553 Thu, 20 Dec 2007 12:22:30 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19656180 fatdcuk : N/M]]> http://www.dslreports.com/forum/remark,19656180 Thu, 20 Dec 2007 07:56:28 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19655770 foxsteve : According to Report, RkU did not find hidden processes, drivers or files.]]> http://www.dslreports.com/forum/remark,19655770 Thu, 20 Dec 2007 03:17:07 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19655642 Elite : Code hook is just Windows kernel splicing. No need to be alarmed.

As for SSDT, this could very well be Symantec hooking your SSDT.

Any hidden process, drivers, or files?
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19655642 Thu, 20 Dec 2007 02:19:59 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19655623 foxsteve : How to clean system if
- services are hooked by "Unknown module filename" and
- ntoskrnl.exe is hooked "Inline - Relative Jump"?
]]> http://www.dslreports.com/forum/remark,19655623 Thu, 20 Dec 2007 02:11:11 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19653779 SipSizzurp :
said by Elite See Profile :

Probably a bunch of stupid mutexes to prevent deletion.
That's what I had figured since the file count was transient. I delivered it back into operation. The secretary was very delighted with the repair, and I am very delighted with my nice new shiny nuclear bomb ! Thanks again ! ]]> http://www.dslreports.com/forum/remark,19653779 Wed, 19 Dec 2007 20:18:35 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19652891 anon : Thanks for the continued tests. It pretty much reinforces what I was already assuming to be the case, just nice to have some third party confirmation. :D]]> http://www.dslreports.com/forum/remark,19652891 Wed, 19 Dec 2007 17:47:54 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19652609 fatdcuk : Here the next pair of ARK's tested versus the test malware rootkits.

Mcafee Rootkit Detective 1.1

Testset 1= 3/5*
*Both Rustock B and Runtime2 were flagged by their hidden registry values.Runtime 2 SSDT hooks also seen.

Blind to Srizbi and Nulprot.



Testset2= 3/4*

*Rustock A only caught by hidden registry data.

Blind to Allinone.



F-Secure Blacklight Rootkit Eliminator

Testset1=3/5

Blind to Rustock B and Nulprot.



Testset2= 3/4

Blind to Rustock A

]]> http://www.dslreports.com/forum/remark,19652609 Wed, 19 Dec 2007 16:55:38 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19652085 Elite : Probably a bunch of stupid mutexes to prevent deletion.

Can't name any malware that can hold it's own against RkU though...

As long as there are no more hidden processes, hidden files, or SSDT hooks, the machine should be clean minus all the files it dumped on disk and all the crap it put in the registry.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19652085 Wed, 19 Dec 2007 15:32:44 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19650928 fatdcuk : Here is the GMER 1.0.14 Beta link>>>
»www2.gmer.net/beta/

I've been using the Beta version for around 4 weeks now and can safely say it is more stable for my setup and has gained some more functionability over the previous version:)]]> http://www.dslreports.com/forum/remark,19650928 Wed, 19 Dec 2007 12:27:39 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19650785 Bubba17 : Well, based on the test results you've shared (again, thanks), I obtained GMER 1.0.13 (wasn't able to obtain your beta version) and it's not finding anything.

Notice ... I didn't announce I was clean. :)]]> http://www.dslreports.com/forum/remark,19650785 Wed, 19 Dec 2007 12:03:01 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19649374 SipSizzurp : We kicked the sumbitche's ass. It was so brutal ! I'm all excited now. There are no more hooked processes or hidden files. The registry was loaded with about 80 entries. In addition to mssync20.* files, there were also mssync2020* files.
»www.sophos.com/security/analyses···clz.html

I still cannot start in safe mode even after running SFC. Maybe there is some other stuff still in here. I'll give sophos security program a run and see if it can find the rest of what Exaspery was so oblivious to. You saved me and the customer a huge amount of work ! Thank you ! You have a very appropriate screen name Mr. Elite !

Edit - I forgot to mention that it found and deleted only 8 files, not the 12 that had been found on earlier scans. My initial scan with AVG only found 5 files. After I tried to delete them then the beast generated the additional 7.]]> http://www.dslreports.com/forum/remark,19649374 Wed, 19 Dec 2007 04:55:46 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19649275 Elite : P.S. This rootkit has a keylogger payload.

Change all your passwords after we yank it.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19649275 Wed, 19 Dec 2007 03:22:27 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19649258 Elite : This is going to be really easy...

Go to the "Processes" tab in RkU.

Find "mssync20.exe".

Right click, "Kill Process".

Click the scan button in the "Processes" tab again. If the process came back, use "Force Kill" instead.

Go to the "Files" tab. Scan, it'll find 12 hidden files.

For each of the 12 files, right click and "Wipe File".

Reboot, re-open RkU and post another log.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19649258 Wed, 19 Dec 2007 03:13:47 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19649244 SipSizzurp : OK, SSDT finds 8 hooked instances of "Big Worm". File scan finds 12 files. There are no VM found. I found no option to delete the infected files. If I un-hook what SSDT detected, then the file scanner finds no files. Sorry for posting these long reports. I'll start reading the manual to see what else I can find out.

SSDT ;

RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
NtCreateFile
Actual Address 0xBAD48B8E
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtCreateKey
Actual Address 0xBAD48D48
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtEnumerateKey
Actual Address 0xBAD48C3A
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtEnumerateValueKey
Actual Address 0xBAD48CC4
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtOpenFile
Actual Address 0xBAD48BEC
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtOpenKey
Actual Address 0xBAD48D9A
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtQueryDirectoryFile
Actual Address 0xBAD48A82
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtQuerySystemInformation
Actual Address 0xBAD48DDE
Hooked by: C:\WINDOWS\system32\mssync20.sys

Files ;

Suspect File: C:\Documents and Settings\Cindy\Local Settings\Temp\mssync20.tlb Status: Hidden

Suspect File: C:\mssync20.ex_ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.dl$ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.dll Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.dl_ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.exe Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.sy$ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.sys Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.sy_ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.tl$ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.tlb Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.tl_ Status: Hidden

Code Hooks ;

ntkrnlpa.exe+0x00069C2A, Type: Inline - RelativeJump at address 0x80540C2A hook handler located in [ntkrnlpa.exe]

Processes ;
(I'm only posting the hidden one)

!!!!!!!!!!!Hidden process: C:\WINDOWS\system32\mssync20.exe
Process Id: 2008
EPROCESS Address: 0x849CB4F0]]> http://www.dslreports.com/forum/remark,19649244 Wed, 19 Dec 2007 03:04:35 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19649044 SipSizzurp : Thanks a million. The download is crawling very slow. I'll let you know how it goes :)

Edit - I found a fast download site with lots of mirrors.
»www.onlinedown.com/detail/12679.htm

With this MD5

ac348df64baf41dd219234b746242bf5]]> http://www.dslreports.com/forum/remark,19649044 Wed, 19 Dec 2007 01:30:25 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19649036 Elite : Yeah, their site went down.

»zj.newhua.com/down/RkU3.7.300.509.zip
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19649036 Wed, 19 Dec 2007 01:25:38 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19649016 SipSizzurp :
said by Elite See Profile :

Get RkU, erase process VM, wipe all hidden files, reboot.
I've been Googling for it for half an hour. All I seem to find is a russian site with a 404 error where the file link should be.]]> http://www.dslreports.com/forum/remark,19649016 Wed, 19 Dec 2007 01:21:22 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19648942 Elite : I'm not familiar with that particular infection, but it looks weak.

Get RkU, erase process VM, wipe all hidden files, reboot.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19648942 Wed, 19 Dec 2007 00:52:45 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19648915 SipSizzurp :
said by youveshutmedown :

Which is why it would be nice to have a back-to-back real world comparison. :D
I picked up a sick one yesterday. I have not had many kits lately, so I'm not up to date on the newest tools. This PC became infected while using Exaspery 7 with web and e-mail scan set to delete anything bad with out asking. It got kitted anyway, and then Exaspery finds the root kit infection and said to scan in safe mode to repair. Safe mode gets up to about 10 files while loading and the pc reboots. I downloaded AVG antikit and Blacklight. AVG deletes all infected files, and then they all come back immediately, with even more files. Blacklight did not find as many files as AVG, but has the same results. This previx program found 1 file and wanted a license key to fix it. Here are some screenies. I'm gonna try some of the other tools mentioned here, and am open for suggestions other than DBAN (which I think is coming soon, oh, and Exaspery is gone now too ! ) :D
Click for full size
Click for full size
]]> http://www.dslreports.com/forum/remark,19648915 Wed, 19 Dec 2007 00:44:41 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19645277 Elite : NOD32 has poor rootkit detection. Limited to usermode at most.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19645277 Tue, 18 Dec 2007 15:00:23 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19645158 spy1 : RKR - IceSword - BlackLight (although I admit that with IceSword, a bad result would have to jump off the screen and bitchslap me before I'd recognize it for what it was...).

I would think that my AV (NOD32) would also be doing its' very best to prevent me from ever getting root-kitted to start with, but as far as detection of a pre-existing one....I really don't know. Pete]]> http://www.dslreports.com/forum/remark,19645158 Tue, 18 Dec 2007 14:39:13 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19645042 fatdcuk : Oh brother is this going to be a bag of fun :)

Both Rootkit Revealer and Blacklight BSoD'ed when executed versus testbed 1.Gees i had been spoilt so far for lack of fatals on Sunday :)

This will take longer then first planned as I now have to break the test group down into individual RK's versus software/scantimes if BSoD's occur :(

For the test's sake BSoD's don't count as positive detections.]]> http://www.dslreports.com/forum/remark,19645042 Tue, 18 Dec 2007 14:16:37 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19644872 anon :
said by Elite See Profile :

Oh poor F-Secure...

I don't think the results are going to be that great. LOL.
Which is why it would be nice to have a back-to-back real world comparison. :D]]> http://www.dslreports.com/forum/remark,19644872 Tue, 18 Dec 2007 13:47:35 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19644732 Elite : Oh poor F-Secure...

I don't think the results are going to be that great. LOL.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19644732 Tue, 18 Dec 2007 13:26:30 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19644692 anon : Just for kicks and giggles, how does F-Secure's blacklight app perform against your zoo?

You can grab it here:

»www.f-secure.com/security_center/

Download link near the bottom]]> http://www.dslreports.com/forum/remark,19644692 Tue, 18 Dec 2007 13:21:24 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19644684 dadkins : The Prevx linked in this thread...
AVG AR
Blacklight
McAfee AR
RKR
Sophos AR

... just for starters.
It's an odd hobby of mine. :hmm:
--
Think outside the Fox... Opera]]> http://www.dslreports.com/forum/remark,19644684 Tue, 18 Dec 2007 13:20:14 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19644611 fatdcuk :
I'm clean. :D
Ok i have a question to folks that have as like above for example posted that they are all clean....

There is very high odds you are not infected with malware rootkit(s) but what i would like to know based on all these all clean posts is what tools or methods you have used to confirm this to be the case beyond doubt ?

BTW if anyone would like to have their chosen ARK tools(same drive) versus my Zoo collection i would be happy to return data as long as it dose'nt cost me for the priviledge :)]]> http://www.dslreports.com/forum/remark,19644611 Tue, 18 Dec 2007 13:07:37 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19636891 Theomega : Thanks for making me aware of this. I'm clean. :D]]> http://www.dslreports.com/forum/remark,19636891 Mon, 17 Dec 2007 08:54:34 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19633744 Bubba17 : Thanks, swhx7 (and to you fcukdat and Elite also!)

Very much appreciate you all.]]> http://www.dslreports.com/forum/remark,19633744 Sun, 16 Dec 2007 15:00:20 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19633440 swhx7 : Although you were replying to someone else...

said by Bubba17 See Profile :

Obviously, too, there must be something inherently difficult associated with anti that I don't understand, else, I would think, some security company would have already created "the" (if not one of "the") program(s) that could reliably, definitively, perform anti while being "user friendly".

Some of them are very good. The problem is that malware authors - and especially rootkit authors - are constantly coming up with new techniques. Among other things, they examine all the detection software and code specifically to evade them.

So you always have to have the latest, and it still may not be enough. What's more important is not allowing the opportunity for infection in the first place.

User-friendliness is a different issue.

said by Bubba17 See Profile :

As for "really need to know what you're looking for" ... do you have a couple of links you might share where one could attempt rootkit self education, for dummies, like myself? Or, is knowing what to look for beyond the average users ability?
»en.wikipedia.org/wiki/Rootkit has general info. rootkit.com is an in-depth source, but you have to be a programmer to follow much of it.]]> http://www.dslreports.com/forum/remark,19633440 Sun, 16 Dec 2007 13:59:14 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19633146 fatdcuk : Sorry for the delay folks but as promised yesterday here is are the screenshots/data returned from testing some of the tools mentioned in this thread versus samples from my Zoo collection.

All RK malwares used have been harvested from in the wild infections over the last 18months and there are no proof-of-concept RK's used.These are live malware rootkits ;)

Testbed1(loaded malware RK's)
1)Rustock B (huy32.sys)
2)Nulprot (asc3550.sys+asc3550p.sys)*
3)Haxdoor (ntio256.sys+protector.exe)
4)Srizbi (Eyvw95.sys)
5)Cutwail/Bulknet (Runtime2.sys)**

*Imports a secondary infection from the WWW that is not hidden.
**Drops other files after installation that are not hidden.

Prev-X CSI= 4/5 Is blind to Nulprot.



AVG AntiRootKit= 4/5 Is blind to Nulprot.


RKU= 4/5 Is blind to Nulprot.


GMER 1.0.14 Beta= 5/5 :D


Nulprot VT upload today>>>
»www.virustotal.com/resultado.htm···7b697495

Testbed2(loaded malware RK's)
1)Rustock A (lzx32.sys)
2)Wincom32 (Wincom32.sys)
3)TR.inject/allinone(VideoAti0.sys+dll+exe)
4)Haxdoor.sm(Pasksa.dll+p81eskse.sys)

Prev X CSI= 3/4 Blind to Allinone


AVG AntiRootKit= 4/4


RKU =4/4


GMER 1.0.14Beta= 4/4


TR.Inject/Allinone VT report today>>>
»www.virustotal.com/resultado.htm···f327bde6
]]> http://www.dslreports.com/forum/remark,19633146 Sun, 16 Dec 2007 13:07:32 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19632875 Elite : Well, they're really not as bad as I've probably made them sound.

For example, RkU is broken down into different tabs (SSDT hooks, Shadow SSDT hooks, ect). It's also got a pretty good manual as well, for help in understanding what everything does.

I'd say grab RkU and play with it (google for RkU 3.7.300.509) As long as you don't unhook anything, you shouldn't BSOD the machine. You can post any questions you have or just PM me.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19632875 Sun, 16 Dec 2007 12:14:31 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19632850 Bubba17 :
said by Elite See Profile :

GMER and DarkSpy are both very reputable anti-rootkits.

IceSword is also very good.

However, none of these 3 anti-rootkits are very user-friendly. As with RkU, you really need to know what you're looking for.
Ok. But, you recognize the problem though (sigh).

As for "really need to know what you're looking for" ... do you have a couple of links you might share where one could attempt rootkit self education, for dummies, like myself? Or, is knowing what to look for beyond the average users ability?

Obviously, too, there must be something inherently difficult associated with anti that I don't understand, else, I would think, some security company would have already created "the" (if not one of "the") program(s) that could reliably, definitively, perform anti while being "user friendly".

I'd certainly purchase such a program.
--
HN7000s | Horizons 1 (127W) | Gateway: 1110Mhz | Dish: .98m 2 Watt | Pro+

"Fast is fine, but accuracy is everything" --Wyatt Earp]]> http://www.dslreports.com/forum/remark,19632850 Sun, 16 Dec 2007 12:09:13 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19632560 IBK : last time i was going to test prevx i fortunatly found out what data was submitted and how it was going to be used, and stopped immediatly testing it. Here an example of a scan of a (corrupted) adware sample i let scan half year ago for demo purpose:
»info.prevx.com/aboutprogramtext.···b57b46e1
as more users use prevx csi, as better it is for the prevx database. but i am not going to contribute to the database.]]> http://www.dslreports.com/forum/remark,19632560 Sun, 16 Dec 2007 10:59:23 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19632531 Elite : GMER and DarkSpy are both very reputable anti-rootkits.

IceSword is also very good.

However, none of these 3 anti-rootkits are very user-friendly. As with RkU, you really need to know what you're looking for.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19632531 Sun, 16 Dec 2007 10:50:56 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19632456 swhx7 : This brought up nothing on my XP box. That one is mainly for audio/video and rarely goes online, but it's the "experimental" system where I try out all kinds of software.

Does it bother anyone else that to check for rootkits on Windows, you have to download a closed-source binary, logon as Administrator and let it exchange who-knows-what with a remote server?

I suppose prevx is a reputable company, but that would be against security policy on my main workhorse pc.]]> http://www.dslreports.com/forum/remark,19632456 Sun, 16 Dec 2007 10:34:40 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19632320 Bubba17 : And, another thing .. a google of "anti rootkit" brings up lot's of offerings, including one's that, for all I know, might be rootkits masquerading as anti.

Like "GMER", which includes the blurb, "all your rootkits are belong to us". Uh huh, ok, sure they do.

Like "DarkSpy", which mentions China numerous places. I'm currently unhappy with China. Is this a trusted anti?

Just for instance.

edit: spelling]]> http://www.dslreports.com/forum/remark,19632320 Sun, 16 Dec 2007 09:56:58 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19632247 Bubba17 :
said by fatdcuk See Profile :

But still FWIW i have samples in the zoo such as Nulprot,TR-inject(Allinone)that bypass this tool and have other samples that bypass Kaspersky7 series the last time i tested it.
Here, KIS, with settings maxed and using the specific "rootkit" scan .. zip found. It's never even generated a message of any kind, false positive, nothing.

Blackbird said it, "Granted, not all folks at all points are looking for rootkits with equal skill or focus - if at all." Exactly. And, in the whole malware arena, this stealth payload delivery technique is the single thing leaving me unsasafied .. am I "really" sure I'm clean?

I've tried RootkitRevealer and, uh .. it's output, for me, cannot be called user friendly.

I've tried PREVXCSI and, for whatever reason, it wasn't happy on my system. It was early with it, maybe it would be happier now. I might re-try this.

Based on Elite's, "but that's a bit too advanced for some" qualification of RkU .. I damn sure got no business messing with it.

So, I'm still looking for additional anti-rootkit tool(s) I can wear/depend upon .. increase my sasafaction.

What is thought of F-Secure's Blacklight?
Are AVG's and McAfee's tools, already mentioned here, considered strong??

Any others?
--
HN7000s | Horizons 1 (127W) | Gateway: 1110Mhz | Dish: .98m 2 Watt | Pro+

"Fast is fine, but accuracy is everything" --Wyatt Earp]]> http://www.dslreports.com/forum/remark,19632247 Sun, 16 Dec 2007 09:35:52 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19631988 Portmonkey : McAfee's Virus Scan Plus claims that it "detects and kills rootkits and other malicious applications that hide from Windows and other anti-virus programs", and it works with Vista. When I was still using XP, I switched back and forth between a few different rootkit scanners, but now I'm hoping McAfee has that area covered.
--
Ninja of the Nasty]]> http://www.dslreports.com/forum/remark,19631988 Sun, 16 Dec 2007 07:26:53 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19631965 Sindows 7 : :o]]> http://www.dslreports.com/forum/remark,19631965 Sun, 16 Dec 2007 07:02:40 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19631927 jabarnut : "This data is then sent to our Prevx Automated Malware Research Center where it is thoroughly checked and analyzed by our massively powerful servers".

Wow! :o
Had I known they had "massively powerful servers", I might have been tempted to try this a long time ago.

Now that's impressive!
--
I had a life once.....now I have a Computer and a Modem.]]> http://www.dslreports.com/forum/remark,19631927 Sun, 16 Dec 2007 06:26:43 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19631842 ctrlaltdelet : »info.prevx.com/csihelp.asp

"When Prevx CSI scans your PC it builds a mini-database of forensic data for each file it wishes to check. This data is then sent to our Prevx Automated Malware Research Center where it is thoroughly checked and analyzed by our massively powerful servers. Because we are performing a very extensive analysis on our servers, we take most of the load off of your PC. The result is a scan that is fast, always up to date and much more effective than conventional approaches."]]> http://www.dslreports.com/forum/remark,19631842 Sun, 16 Dec 2007 04:35:11 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19631398 OZO : Guys, have you noticed that Prevx sends a lot (and I mean, a lot) of encrypted data to one of its servers. Its done during the scan via multiple POST commands.

What it sends?

Is it only me?
--
Keep it simple, it'll become complex by itself...]]> http://www.dslreports.com/forum/remark,19631398 Sun, 16 Dec 2007 00:25:24 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19629642 clocks11 :
said by odreian615 See Profile :

I use AVG Anti-Rootkit free
»www.grisoft.com/doc/products-avg···1.1.0.42
works just fine IMO
I use this also, but they have not updated this thing in a long time.]]> http://www.dslreports.com/forum/remark,19629642 Sat, 15 Dec 2007 18:10:16 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19629389 Elite : Just checked out the new version of CSI, looks like rootkit detection has been improved quite a bit.

Too bad my Rustock.B sample won't run on my quad core.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19629389 Sat, 15 Dec 2007 17:15:14 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19629019 fatdcuk : They were from my zoo collection.PrevX CSI was installed/run after they were native and yep the results surprised me too :o

*I will post some support data/screenshots etc tomorrow when i have more time hopefully

But still FWIW i have samples in the zoo such as Nulprot,TR-inject(Allinone)that bypass this tool and have other samples that bypass Kaspersky7 series the last time i tested it.

So i still put may faith in forensic tools and slaving drives ;)]]> http://www.dslreports.com/forum/remark,19629019 Sat, 15 Dec 2007 15:42:21 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19628780 spy1 : »www.prevx.com/ (Chose the "Free PC Check Now" button on that page).

If you DON'T want it to install and run resident in SYSTRAY, make sure you DECLINE that choice when it's offered. Pete]]> http://www.dslreports.com/forum/remark,19628780 Sat, 15 Dec 2007 14:50:14 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19628689 AB :
said by lefty1 See Profile :

While running SystInternals RootkitRevealer, it stops every minute or so and gives me an error message about only having partial compatibility with Vista. Now why am I not surprised by that?
The most recent version of RR seems to have been released on 11/1/2006-- prior to Vista.
Likely why.

*Edit- sp]]> http://www.dslreports.com/forum/remark,19628689 Sat, 15 Dec 2007 14:33:12 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19628684 Elite : Hmmmm very interesting.

Was Prevx installed prior to the infections?

I installed my Rustock.B sample, confirmed the infection with RkU, then installed Prevx, updated it, and did a full system scan. I believe this was back in maybe August?

Prevx found NOTHING. I later tested it with Unreal.A as well, and got the same results.

I've spoken with a few of higher ups @ Prevx (like the guys who run their blog) and last I heard, their improved rootkit detection module was still in alpha stages.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19628684 Sat, 15 Dec 2007 14:32:07 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19628610 lefty1 :
Anyway, is SysInternals RootkitRevealer sufficient, or should one be using more/different tools?
While running SystInternals RootkitRevealer, it stops every minute or so and gives me an error message about only having partial compatibility with Vista. Now why am I not surprised by that?]]> http://www.dslreports.com/forum/remark,19628610 Sat, 15 Dec 2007 14:22:23 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19628600 AB :
said by daveinpoway See Profile :

Remember that infection statistics from those of us in the know does not give the true picture, since many more PC's are owned by John and Jill (Clueless) Public. Given the fog in which many of these users operate, I have no doubt that many of their systems (quite possibly considerably more than 20%) have some sort of infection(s), and these folks would have no way of knowing what sort of "guests" have hitched a ride inside of their Windows installation, nor would they understand how to evict the "guests", even if they knew they were present.
The so-called "news story" didn't say a word about '20% of all clueless user computers', that I saw.]]> http://www.dslreports.com/forum/remark,19628600 Sat, 15 Dec 2007 14:20:54 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19628349 pog : Add my PC to their list of infected:
[att=1]
As I am fairly certain this is a false positive, I wonder just how inflated Prevx's numbers are over all.
--
My Site
Click for full size
]]> http://www.dslreports.com/forum/remark,19628349 Sat, 15 Dec 2007 13:25:09 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19627679 ctrlaltdelet : »www.prweb.com/releases/rootkits/···6142.htm

.....The result of these changes has been an increase in the number of PCs seen to have one or more active spyware, malware or rootkit programs running on them - from 15.6 percent or 1 in 6 during October 2007, to 22 percent or more than 1 in 5 today......]]> http://www.dslreports.com/forum/remark,19627679 Sat, 15 Dec 2007 10:38:00 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19627483 tomnvik : Nothing here.
Click for full size
]]> http://www.dslreports.com/forum/remark,19627483 Sat, 15 Dec 2007 09:47:18 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19627463 luddite :
said by ZZZZZZZ See Profile :

..........a popup says that there is a malicious entry in the hosts file and that it can't start until it's deleted and then it gives you a choice to delete it,but doesn't show you the actual entry?
Just ran this and encountered the same thing. It deleted everything in my HOSTS file and left a single line:
127.0.0.1 localhost

It didn't find any infections scanning it with my original HOSTS file in place or it's 'improved' version of the same.]]> http://www.dslreports.com/forum/remark,19627463 Sat, 15 Dec 2007 09:43:09 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19627444 odreian615 : I use AVG Anti-Rootkit free
»www.grisoft.com/doc/products-avg···1.1.0.42
works just fine IMO]]> http://www.dslreports.com/forum/remark,19627444 Sat, 15 Dec 2007 09:39:29 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19627311 hpguru :
said by Elite See Profile :

RkU, but that's a bit too advanced for some.
Isn't Rku the brainchild of rootkit authors? :huh:
--
Jesus Christ, the Queen of Queens??]]> http://www.dslreports.com/forum/remark,19627311 Sat, 15 Dec 2007 08:48:24 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19627218 fatdcuk :
said by Elite See Profile :

Prevx CSI and the their full-blown HIPS both have shitty rootkit detection.

I don't know if CSI any any at all, actually.

Full product has very weak detection.
I will have to differ just this once.

I loaded up during multiple sessions Rustock A,B
Runtime2(Cutwail/bulknet),Srizbi,Haxdoor(Poof),Haxdoor.sm

and was plesently surprised when it caught them all at one level or another.So it has quite a healthy scope IMO,it also caught RKU covert system file(Hidden service) and flagged it as bad but then again we know its not bad its just its self-defence/operational module at play.

That said as with all it is not 100% because as proved when Nulprot(Saturn) went completely undetected.The pending file rename trick fooled it as with many others;)]]> http://www.dslreports.com/forum/remark,19627218 Sat, 15 Dec 2007 08:02:16 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19627161 whocares :
said by spy1 See Profile :

Well, if nothing else, at least PrevX CSI agrees with everything else I have here that checks for rootkits. Pete
so PLZ someone WHERE can i d/l this "NEW",(to me) help/detection tool tool for my pc?

IS IT CALLED
PREVXCS1 1 as in #1
or

PREVXCSI I as in i

jazzy
--
SOME know how listen to both sides of an issue & discuss it,
OTHERS have a closed mind & only know how to criticize.
]]> http://www.dslreports.com/forum/remark,19627161 Sat, 15 Dec 2007 07:33:12 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19627061 daveinpoway : Remember that infection statistics from those of us in the know does not give the true picture, since many more PC's are owned by John and Jill (Clueless) Public. Given the fog in which many of these users operate, I have no doubt that many of their systems (quite possibly considerably more than 20%) have some sort of infection(s), and these folks would have no way of knowing what sort of "guests" have hitched a ride inside of their Windows installation, nor would they understand how to evict the "guests", even if they knew they were present. ]]> http://www.dslreports.com/forum/remark,19627061 Sat, 15 Dec 2007 06:12:58 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19626737 Elite : RkU, but that's a bit too advanced for some.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19626737 Sat, 15 Dec 2007 01:42:21 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19626704 dadkins :
said by Elite See Profile :

Prevx CSI and the their full-blown HIPS both have shitty rootkit detection.

I don't know if CSI any any at all, actually.

Full product has very weak detection.
Ok, what scanner do you like?
--
Think outside the Fox... Opera]]> http://www.dslreports.com/forum/remark,19626704 Sat, 15 Dec 2007 01:20:23 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19626603 Elite : Prevx CSI and the their full-blown HIPS both have shitty rootkit detection.

I don't know if CSI any any at all, actually.

Full product has very weak detection.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,19626603 Sat, 15 Dec 2007 00:45:37 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19626547 Blackbird : Hmm... if we add up all the stats (1 of 5 with rootkits, 1 of 6 with malware, 1 of 4 with bots, and so on), it won't be long before we reach a point very much like qrkx See Profile observed above when 9 out of 7 computers will have been infiltrated and infected in one way or another. It has been said: "Statistics - the last resort of scoundrels."
--
If God wanted us to work with electrons, He'd make them big enough to see...]]> http://www.dslreports.com/forum/remark,19626547 Sat, 15 Dec 2007 00:28:30 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19626323 ironwalker :
quote:
25% of all computers in this world are not bots,


Maybe not now, but, trust me, a few years ago I would have agreed with that statement whoever said it.I still say it's close.]]> http://www.dslreports.com/forum/remark,19626323 Fri, 14 Dec 2007 23:39:53 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19626318 Link Logger : These guys are becoming the new KINGS of FUD, and once a month they issue more FUD, anyone remember this thread »One in Six PC's Could Be Infected With Malware from last month which featured Prevx in Network World magazine and so now we have had an infection increase of 4% in the space of one month in number of infected systems (even worse, infected with rootkits) featured in another article with Prevx and PC World. Wonder which magazine will feature them next month?

OK anyone found a root kit on their system yet, as I suspect all those root kits are on someone else's systems. I not trying to say all is safe and good in the world, but these guys are becoming FUD hypsters IMHO and have lost all creditability in my book.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,19626318 Fri, 14 Dec 2007 23:39:18 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19626187 AB :
said by Blackbird See Profile :

Well, if one were to take the 1-in-5 rootkit infection stats at face value, one would naturally expect that infection rate to carry through pretty much across the spectrum. So are we seeing rootkits at that level across the board... in repair shops, at the consultant/guru level, at corporate IT departments, amongst home users, etc, etc?
No. Just like 25% of all computers in this world are not bots, as Vint Cerf suggested a while back.

But once again-- an A/V vendor saying 'just be careful and use some common sense' doesn't sell much product, does it?]]> http://www.dslreports.com/forum/remark,19626187 Fri, 14 Dec 2007 23:10:41 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19625826 dadkins : As expected... ;)
Click for full size
]]> http://www.dslreports.com/forum/remark,19625826 Fri, 14 Dec 2007 21:49:29 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19625391 Qwerky :
said by qrkx See Profile :

Well - nine out of seven dentists believe scotch is better than Novocain.
And five out of four people have trouble with fractions.

But three out of five people, aren't the other two.

Anyway, is SysInternals RootkitRevealer sufficient, or should one be using more/different tools?
--
Mr. Qwerky - The Lone Stranger
Hi-Ho Tinfoil, Away!
]]> http://www.dslreports.com/forum/remark,19625391 Fri, 14 Dec 2007 20:21:41 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19624754 Blackbird :
said by qrkx See Profile :

...I thought it is agreed upon the fact that once root-ed zee boxen needs to be incinerated. ...
Nah... just the hard-drives and firmware flash chips. And in those rare instances of really pesky rootkits, the metal chassis may have to be scrubbed and rinsed thoroughly... or better still, repainted.
--
If God wanted us to work with electrons, He'd make them big enough to see...]]> http://www.dslreports.com/forum/remark,19624754 Fri, 14 Dec 2007 18:16:34 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19624716 qrkx :
said by Blackbird See Profile :

To clarify: I'm not accusing them. It's just that when you make, sell, and use hammers intensively, everything can start to look like a nail.
Well - nine out of seven dentists believe scotch is better than Novocain.

I thought it is agreed upon the fact that once root-ed zee boxen needs to be incinerated.

What I find amusing is that by the very attempt of hiding their presence, rootkits give themselves away. What if rootkits stop hooking enumerating&query API's and just operate in your face? Are we back to file signatures?

rgds.

]]> http://www.dslreports.com/forum/remark,19624716 Fri, 14 Dec 2007 18:06:18 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19624584 Blackbird : Well, if one were to take the 1-in-5 rootkit infection stats at face value, one would naturally expect that infection rate to carry through pretty much across the spectrum. So are we seeing rootkits at that level across the board... in repair shops, at the consultant/guru level, at corporate IT departments, amongst home users, etc, etc?

Granted, not all folks at all points are looking for rootkits with equal skill or focus - if at all. But still... seems to me, confirmed rootkit infections should be bubbling up in far greater numbers amongst these forum threads than what I'm personally observing. I find it curiously coincidental that Prevx, whose products are aimed at rootkits (among other things) is the one reporting these stats. To clarify: I'm not accusing them. It's just that when you make, sell, and use hammers intensively, everything can start to look like a nail.
--
If God wanted us to work with electrons, He'd make them big enough to see...]]> http://www.dslreports.com/forum/remark,19624584 Fri, 14 Dec 2007 17:50:03 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19624106 ZZZZZZZ : Prevx is one of a few I use,but my only gripe about it is that everytime I use it..........a popup says that there is a malicious entry in the hosts file and that it can't start until it's deleted and then it gives you a choice to delete it,but doesn't show you the actual entry?

And I'm positive my hosts file hasn't been compromised?
--
~~Get our troops home...now!!~~
Click for full size
]]> http://www.dslreports.com/forum/remark,19624106 Fri, 14 Dec 2007 16:36:54 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19621927 Grail Knight : Ditto.]]> http://www.dslreports.com/forum/remark,19621927 Fri, 14 Dec 2007 10:36:27 EDT Re: One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19621810 spy1 : Well, if nothing else, at least PrevX CSI agrees with everything else I have here that checks for rootkits. Pete
Click for full size
]]> http://www.dslreports.com/forum/remark,19621810 Fri, 14 Dec 2007 10:18:07 EDT One in Five PC's Infected With Rootkits http://www.dslreports.com/forum/remark,19621162 daveinpoway : Read about it here: »www.pcworld.com/article/id,14053···l_dnxnws]]> http://www.dslreports.com/forum/remark,19621162 Fri, 14 Dec 2007 07:34:25 EDT