Not Sure How To Interpret The Output Of The Rootkit Revealer
Discussion by dserban with 5 Replies.
Last Update: January 11, 2010, 11:16 pm

From what I can gather, the registry key discrepancies might indicate that the registry keys storing rootkit device drivers and service settings are not visible to the Windows API, but are present in the raw scan of the registry hive data, and that the files associated with the rootkit are not visible to Windows API directory scans, but are present in the scan of the raw file system data.
The help file says that there is no definitive way to determine, based on the output, if a rootkit is present, but that you should examine all reported discrepancies to ensure that they are explainable.
Can anyone with a trained eye look at the output and help me with either a thumbs up or thumbs down as far as a rootkit being present on my system?
Mon Sep 10, 2007
As a side note, several legitimate programs use rootkit-type technologies in their functionality. I know several years back Norton Antivirus hid its definition files from the OS. This worked really well to keep viruses from attacking the definition files directly. No one realized what was going on until programs such as RootkitRevealer were created and a bunch of suspicious files were popping up. Since then I have heard of several non-rootkit files being detected. You could call them a false positive. Like I said before, post the results and I am sure there are several individuals here that can help you.
Mon Sep 10, 2007
The results can also be viewed at:
http://www.imagefilez.com/out.php/i162695_revealer.jpg
Tue Sep 11, 2007
Hello,
I analyzed my laptop with RootkitRevealer but I am not sure if the result is made of false positives only or if there is something to be scared of...
Here is what it found:
- HKLM\SECURITY\Policy\Secrets\SAC*
0 bytes
Key name contains embedded nulls (*)
- HKLM\SECURITY\Policy\Secrets\SAI*
0 bytes
Key name contains embedded nulls (*)
- C:\System Volume Information\_restore{36D576C6-D89E-469E-9FBC-...
1,39 KB
Hidden from Windows API
Thanks for any help or advice
-question by Dwiggy
Sun Dec 27, 2009
The HKLM\SECURITY\Policy\Secrets area of the registry is where the Windows passwords are stored so it makes sense that this is hidden from the operating system during normal operation. Microsoft has also added some extra protection measures since XP to make the passwords harder to obtain (but still not that hard if you use a Linux boot CD).
The C:\System Volume Information\_restore directory is related to the system restore function (http://en.wikipedia.org/wiki/System_Restore). Since this is also a fairly low level feature of Windows (you don’t want malware infecting your backup) I would say that this is also fine.
Mon Jan 11, 2010
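The help file's advice in this thread is to check that every reported discrepancy is explainable. The script below is an added example (not part of the thread, and not RootkitRevealer's own logic) that parses the three-line path / size / description entries as pasted above and flags the two explanations given in the replies: embedded-null key names under HKLM\SECURITY\Policy\Secrets and the System Restore store hidden from the Windows API. The sample input is constructed; the driver path and GUID in it are placeholders, and everything not matched by a known explanation is left for manual review.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same three-line layout as the thread's paste:
# path, size, description. The last entry and the GUID are placeholders.
SAMPLE_OUTPUT = r"""
HKLM\SECURITY\Policy\Secrets\SAC*
0 bytes
Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*
0 bytes
Key name contains embedded nulls (*)
C:\System Volume Information\_restore{PLACEHOLDER-GUID}
1,39 KB
Hidden from Windows API
C:\WINDOWS\system32\drivers\placeholder.sys
12,50 KB
Hidden from Windows API
"""

# Explanations taken from the replies in this thread: (path regex, fragment of
# the description, reason). Anything else stays unexplained.
EXPLAINABLE = [
    (r"^HKLM\\SECURITY\\Policy\\Secrets\\", "embedded nulls",
     "LSA secrets store; embedded nulls in these key names are normal"),
    (r"^C:\\System Volume Information\\_restore", "hidden from windows api",
     "System Restore store; not exposed through the Windows API"),
]


@dataclass
class Discrepancy:
    path: str
    size: str
    description: str


def parse_revealer(text):
    """Split pasted RootkitRevealer output into Discrepancy records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("expected path/size/description triples")
    return [Discrepancy(*lines[i:i + 3]) for i in range(0, len(lines), 3)]


def triage(entry):
    """Return ('explainable', reason) or ('review', reason) for one entry."""
    for pattern, fragment, reason in EXPLAINABLE:
        if re.match(pattern, entry.path, re.I) and fragment in entry.description.lower():
            return "explainable", reason
    return "review", "no known benign explanation; verify the object by other means"


def triage_report(text):
    """List of (path, verdict, reason) for every discrepancy in the paste."""
    return [(d.path, *triage(d)) for d in parse_revealer(text)]
```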