Jump to content
xisto Community
Sign in to follow this  
dserban

Not Sure How To Interpret The Output Of The Rootkit Revealer

Recommended Posts

I ran a rootkit revealer scan on my Windows XP system, but I find it difficult to interpret the output.

Posted Image

From what I can gather, the registry key discrepancies might indicate that the registry keys storing rootkit device drivers and service settings are not visible to the Windows API, but are present in the raw scan of the registry hive data, and that the files associated with the rootkit are not visible to Windows API directory scans, but are present in the scan of the raw file system data.

The help file says that there is no definitive way to determine, based on the output, if a rootkit is present, but that you should examine all reported discrepancies to ensure that they are explainable.

 

Can anyone with a trained eye look at the output and help me with either a thumbs up or thumbs down as far as a rootkit being present on my system?

Share this post


Link to post
Share on other sites

I can give it a try but you will have to post the results.As a side note, several legitimate programs use rootkit type technologies in their functionality. I know several years back Norton Antivirus hid its definition files from the OS. This worked really well to keep viruses from attacking the definition files directly. No one realized what was going on until programs such as rootkit revealer were created and a bunch of suspicious files were popping up. Since then I have heard of several non-rootkit files being detected. You could call them a false positive. Like I said before post the results and I am sure there are several individuals here that can help you.

Share this post


Link to post
Share on other sites

If you don't know what something is, google it. There's legit reasons for hiding files from the API...some being to hide emulation software like Daemon Tools from the retarded protection schemes on game and software CDs, to hiding important antivirus engine files from potential attack from viruses. So just because it says "hidden from windows api" doesn't necessarily mean it's bad.

Share this post


Link to post
Share on other sites
interpret Rootkit revealer outputNot Sure How To Interpret The Output Of The Rootkit Revealer

Hello,

I analyzed my laptop with Rootkit revealer but I am not sure of the result is made of false positives only or if there is something to be scared of...

Here are what it found:

- HKLMSECURITYPolicySecretsSAC* 

O bytes

Key name contains embedded nulls (*)

 

- HKLMSECURITYPolicySecretsSAI* 

O bytes

Key name contains embedded nulls (*)

 

- C:System Volume Information_restore{36D576C6-D89E-469E-9FBC-...

1,39 KB

Hidden from Windows API

 

Thanks for any help or advice

 -question by Dwiggy

Share this post


Link to post
Share on other sites

I canât claim to have a definitive answer but all of these look harmless. The HKLM\SECURITY\Policy\Secrets area of the registry is where the Windows passwords are stored so it makes sense that this is hidden from the operating system during normal operation. Microsoft has also added some extra protection measures since XP to make the passwords harder to obtain (but still not that hard if you use a Linux boot CD).The C:\System Volume Information\_restore directory is related to the system restore function (https://en.wikipedia.org/wiki/System_Restore). Since this is also a fairly low level feature of Windows (you donât want malware infecting your backup) I would say that this is also fine.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×
×
  • Create New...

Important Information

Terms of Use | Privacy Policy | Guidelines | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.