45 rootkits listed on my system? Ouch!!

Discussion in 'Computer Support' started by Lance Malish, Apr 24, 2004.

  1. Lance Malish

    Lance Malish Guest

    I downloaded and ran Vice, which is a piece of software that's supposed
    to detect rootkits on a system.

    It was featured on TechTV's The Screen Savers show the other day.

    And, oh, what I found!!! Vice says I have 45 infected processes spread
    out through C:\windows\explorer.exe and C:\windows\system32\svchost.exe.

    Here's the following function names:

    Ordinal 15
    CMP_WaitNoPendingInstallEvents
    CM_Reenumerate_DevNode
    CM_Get_DevNode_Status
    CM_Get_Parent
    CM_Open_DevNote_Key_Ex
    CM_DevNode_Registry_PropertyA
    CM_Open_DevNode_Key
    CM_Locate_DevNodeW
    CM_Get_Device_ID_Size_Ex
    CM_Get_Device_IDW
    CM_Set_DevNode_Registry_PropertyW
    CM_Get_DevNode_Status

    Here's the .dlls they're affecting:


    ACTIVEDS.dll
    CFGMGR32.dll
    comcntl32.dll

    The rootkit paths are either one or the other of the following:

    C:\windows\system32\comctl32.dll
    c:\windows\system32\SETUPAPI.dll

    Now is this possible? Is Vice a good piece of software, or could this
    be a false positive?

    And if all of this is legit, how do I go about cleaning my system -
    short of reinstalling Windows? Thanks in advance for any help.
     
    Lance Malish, Apr 24, 2004
    #1

  2. Lance Malish

    Anon Guest

    "Lance Malish" <> wrote in message
    news:Rdvic.19809$_L6.1277440@attbi_s53...
    > I downloaded and ran Vice, which is a piece of software that's supposed
    > to detect rootkits on a system.
    >
    > It was featured on TechTV's The Screen Savers show the other day.
    >
    > And, oh, what I found!!! Vice says I have 45 infected processes spread
    > out through C:\windows\explorer.exe and C:\windows\system32\svchost.exe.
    >
    > Here's the following function names:


    What the heck is a rootkit? -Dave
     
    Anon, Apr 24, 2004
    #2

  3. Lance Malish

    Lance Malish Guest

    Anon wrote:
    > "Lance Malish" <> wrote in message
    > news:Rdvic.19809$_L6.1277440@attbi_s53...
    >
    >>I downloaded and ran Vice, which is a piece of software that's supposed
    >>to detect rootkits on a system.
    >>
    >>It was featured on TechTV's The Screen Savers show the other day.
    >>
    >>And, oh, what I found!!! Vice says I have 45 infected processes spread
    >>out through C:\windows\explorer.exe and C:\windows\system32\svchost.exe.
    >>
    >>Here's the following function names:

    >
    >
    > What the heck is a rootkit? -Dave
    >
    >

    A rootkit is a collection of programs that a hacker uses to mask
    intrusion and obtain administrator-level access to a computer or
    computer network. The intruder installs a rootkit on a computer after
    first obtaining user-level access, either by exploiting a known
    vulnerability or cracking a password. The rootkit then collects user ids
    and passwords to other machines on the network, thus giving the hacker
    root or privileged access.
     
    Lance Malish, Apr 24, 2004
    #3
  4. Lance Malish

    Yddap Guest

    In news:Rdvic.19809$_L6.1277440@attbi_s53,
    Lance Malish <> opined:
    > I downloaded and ran Vice, which is a piece of software that's supposed
    > to detect rootkits on a system.
    >
    > It was featured on TechTV's The Screen Savers show the other day.
    >
    > And, oh, what I found!!! Vice says I have 45 infected processes spread
    > out through C:\windows\explorer.exe and C:\windows\system32\svchost.exe.
    >
    > Here's the following function names:
    >
    > Ordinal 15
    > CMP_WaitNoPendingInstallEvents
    > CM_Reenumerate_DevNode
    > CM_Get_DevNode_Status
    > CM_Get_Parent
    > CM_Open_DevNote_Key_Ex
    > CM_DevNode_Registry_PropertyA
    > CM_Open_DevNode_Key
    > CM_Locate_DevNodeW
    > CM_Get_Device_ID_Size_Ex
    > CM_Get_Device_IDW
    > CM_Set_DevNode_Registry_PropertyW
    > CM_Get_DevNode_Status
    >
    > Here's the .dlls they're affecting:
    >
    >
    > ACTIVEDS.dll
    > CFGMGR32.dll
    > comcntl32.dll
    >
    > The rootkit paths are either one or the other of the following:
    >
    > C:\windows\system32\comctl32.dll
    > c:\windows\system32\SETUPAPI.dll
    >
    > Now is this possible? Is Vice a good piece of software, or could this
    > be a false positive?
    >
    > And if all of this is legit, how do I go about cleaning my system -
    > short of reinstalling Windows? Thanks in advance for any help.


    Where does this prog "Vice" come from? URL or reference please.

    yddap
     
    Yddap, Apr 24, 2004
    #4
  5. Lance Malish

    why? Guest

    x-post trimmed to 24hshd.

    On Sat, 24 Apr 2004 15:34:56 GMT, Yddap wrote:

    >In news:Rdvic.19809$_L6.1277440@attbi_s53,
    >Lance Malish <> opined:
    >> I downloaded and ran Vice, which is a piece of software that's supposed
    >> to detect rootkits on a system.
    >>
    >> It was featured on TechTV's The Screen Savers show the other day.
    >>

    <snip>
    >> Now is this possible? Is Vice a good piece of software, or could this
    >> be a false positive?
    >>
    >> And if all of this is legit, how do I go about cleaning my system -
    >> short of reinstalling Windows? Thanks in advance for any help.

    >
    >Where does this prog "Vice" come from ?. URL or reference please


    http://www.rootkit.com/ watch out for the cookies and javascripts it
    tries to use.

    Me
     
    why?, Apr 24, 2004
    #5
  6. While still snuggled in a 'spider hole', Lance Malish
    <> scribbled:

    >I downloaded and ran Vice, which is a piece of software that's supposed
    >to detect rootkits on a system.


    Where did you get it?





    To reply by email, remove the XYZ.

    Lumber Cartel (tinlc) #2063. Spam this account at your own risk.

    This sig censored by the Office of Home and Land Insecurity....
     
    Never anonymous Bud, Apr 24, 2004
    #6
  7. Lance Malish

    Boomer Guest

    Lance Malish <> wrote in
    news:Rdvic.19809$_L6.1277440@attbi_s53:

    > I downloaded and ran Vice, which is a piece of software that's
    > supposed to detect rootkits on a system.
    >
    > It was featured on TechTV's The Screen Savers show the other day.
    >
    > And, oh, what I found!!! Vice says I have 45 infected processes
    > spread out through C:\windows\explorer.exe and
    > C:\windows\system32\svchost.exe.
    >
    > Here's the following function names:
    >
    > Ordinal 15
    > CMP_WaitNoPendingInstallEvents
    > CM_Reenumerate_DevNode
    > CM_Get_DevNode_Status
    > CM_Get_Parent
    > CM_Open_DevNote_Key_Ex
    > CM_DevNode_Registry_PropertyA
    > CM_Open_DevNode_Key
    > CM_Locate_DevNodeW
    > CM_Get_Device_ID_Size_Ex
    > CM_Get_Device_IDW
    > CM_Set_DevNode_Registry_PropertyW
    > CM_Get_DevNode_Status
    >
    > Here's the .dlls they're affecting:
    >
    >
    > ACTIVEDS.dll
    > CFGMGR32.dll
    > comcntl32.dll
    >
    > The rootkit paths are either one or the other of the following:
    >
    > C:\windows\system32\comctl32.dll
    > c:\windows\system32\SETUPAPI.dll
    >
    > Now is this possible? Is Vice a good piece of software, or could
    > this be a false positive?


    "Known User API False Positives"
    http://www.rootkit.com/

    >
    > And if all of this is legit, how do I go about cleaning my system
    > - short of reinstalling Windows? Thanks in advance for any help.
    >
    >
     
    Boomer, Apr 24, 2004
    #7
  8. Lance Malish

    slumpy Guest

    ....and with no more than a cursory glance at the dead camel Boomer decided
    it was time to put the World to rights with this little gem:

    >> I downloaded and ran Vice, which is a piece of software that's
    >> supposed to detect rootkits on a system.
    >> Now is this possible? Is Vice a good piece of software, or could
    >> this be a false positive?

    >
    > "Known User API False Positives"
    > http://www.rootkit.com/


    In other words, RTFM !! ;-)
    --
    slumpy
    no more
    no less
    just me
    (well what the **** did you expect ?)
     
    slumpy, Apr 24, 2004
    #8
  9. Lance Malish

    Mr. Grinch Guest

    Lance Malish <> wrote in
    news:Rdvic.19809$_L6.1277440@attbi_s53:

    > I downloaded and ran Vice, which is a piece of software that's supposed
    > to detect rootkits on a system.
    >
    > It was featured on TechTV's The Screen Savers show the other day.
    >


    I think there are a lot of false positives. I'm running Server 2003 and it
    reported several files as infected. I went and did some binary file
    comparisons with the originals off the CD and they are identical. These
    files are not listed under the "known false positives" yet but they haven't
    tested on 2003 yet.

    I also have a ghost image of my system, created after a fresh install, with
    NO network connection. I restored this and checked it out with VICE,
    again, it reports several rootkits / infected files. This is from a fresh
    install of Server 2003 from Microsoft.

    For me, something that generates so many false positives is a waste of
    time. I'm sticking with Trend Server Protect real-time antivirus for now,
    along with a manual scan using other products.
     
    Mr. Grinch, Apr 25, 2004
    #9
  10. Lance Malish

    mhicaoidh Guest

    Taking a moment's reflection, Lance Malish mused:
    |
    | Now is this possible? Is Vice a good piece of software, or could this
    | be a false positive?

    They have support forums on the website you should probably post these
    in. Though, from the Rootkit website:

    "Warning
    This software is brand new and is known to throw some false positives,
    especially with the user-mode rootkit detection. If you scan your system and
    it informs you that you have a rootkit infection, you may not have a rootkit
    infection, but instead a false positive - so relax - it would be helpful if
    you post the results that you obtain so the authors can improve the
    detection algorithm. Most important is the address of the hook, and the name
    of the DLL that is performing the hook.

    Known User API False Positives
    shim.dll
    setupapi.dll
    comctl32.dll (Usually seen with Outlook running)
    sfc_os.dll and sfc.dll (Used for Microsoft Windows File Protection)
    adsldpc.dll

    Known Kernel False Positives
    1. IRP's hooked by a file in the system root directory named ntoskrnl.exe
    2. Functions hooked by vsdataant.sys (Only if you have Zone Alarm)"


    | And if all of this is legit, how do I go about cleaning my system -
    | short of reinstalling Windows? Thanks in advance for any help.

    Well, I watched the segment on the TechTV website, and they recommended
    you mount your drive as a slave in another system, and delete the rootkits
    you know are not false positives.
     
    mhicaoidh, Apr 27, 2004
    #10
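    An added example, not from this thread or from the Vice authors, showing one
    mechanism behind the "known false positives" quoted above: cfgmgr32.dll of that
    Windows era exported its CM_* functions as forwarders to setupapi.dll, so an
    import of CFGMGR32.dll!CM_Get_Parent legitimately resolves into SETUPAPI.dll,
    exactly the pairing in the original post. A user-mode hook check that only asks
    "does the import resolve inside the DLL it was imported from?" reports every
    forwarder as a hook. The script parses a PE export table for forwarders and
    prints the naive verdict beside a forwarder-aware one; the DLL it parses is a
    minimal image constructed inline, and CM_Local_Function and classify_import
    are hypothetical names.

```python
import struct

def _rva_to_off(sections, rva):
    """Map an RVA to a file offset through the section table (headers map 1:1)."""
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    return rva

def _cstr(pe, off):
    return pe[off:pe.index(b"\0", off)].decode("ascii")

def forwarded_exports(pe):
    """{export_name: 'TARGET.Func'} for every forwarder: by the PE spec an export whose
    address RVA falls inside the export directory is not code but an ASCII forwarder
    string, and the loader resolves that import in the named target DLL instead."""
    u = lambda fmt, off: struct.unpack_from(fmt, pe, off)
    nt = u("<I", 0x3C)[0]
    assert pe[nt:nt + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size, opt = u("<H", nt + 6)[0], u("<H", nt + 20)[0], nt + 24
    dd = opt + (96 if u("<H", opt)[0] == 0x10B else 112)  # data directories: PE32 / PE32+
    exp_rva, exp_size = u("<II", dd)
    sections = [(va, max(vs, rs), ptr) for vs, va, rs, ptr in
                (u("<IIII", opt + opt_size + i * 40 + 8) for i in range(nsec))]
    rd = lambda rva: _rva_to_off(sections, rva)
    nnames, funcs, names, ords = u("<IIII", rd(exp_rva) + 24)
    out = {}
    for i in range(nnames):
        name = _cstr(pe, rd(u("<I", rd(names) + 4 * i)[0]))
        func_rva = u("<I", rd(funcs) + 4 * u("<H", rd(ords) + 2 * i)[0])[0]
        if exp_rva <= func_rva < exp_rva + exp_size:  # points into the export directory
            out[name] = _cstr(pe, rd(func_rva))
    return out

def classify_import(forwarders, func, target_module, imported_dll):
    """Verdict for one resolved IAT entry as (naive, forwarder-aware). The naive rule
    'target must live in the imported DLL' flags every forwarded export as hooked."""
    naive = "ok" if target_module.lower() == imported_dll.lower() else "hooked?"
    if func not in forwarders:
        return naive, naive
    expected = forwarders[func].split(".", 1)[0].lower()
    return naive, "forwarded" if target_module.lower().split(".")[0] == expected else "hooked?"

def build_sample_dll():
    """Constructed minimal PE32 DLL (not a real Windows file): one .edata section
    whose export table forwards CM_Get_Parent to SETUPAPI, as cfgmgr32.dll did."""
    base = 0x1000
    strings = b"CFGMGR32.dll\0CM_Get_Parent\0CM_Local_Function\0SETUPAPI.CM_Get_Parent\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, base + 60, 1, 2, 2, base + 40, base + 48, base + 56)
    edata += struct.pack("<II", base + 105, 0x2000)   # address table: forwarder string, real code
    edata += struct.pack("<II", base + 73, base + 87) + struct.pack("<HH", 0, 1) + strings
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + struct.pack("<II", base, len(edata))
    sec = b".edata\0\0" + struct.pack("<IIII", len(edata), base, len(edata), 0x200) + bytes(16)
    return (dos + nt + opt.ljust(224, b"\0") + sec).ljust(0x200, b"\0") + edata
```

    Running forwarded_exports on the real cfgmgr32.dll from a known-good copy (as Mr.
    Grinch did with the CD originals) lets you whitelist exactly these targets before
    treating a SETUPAPI.dll address in an IAT as a hook.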
  11. Lance Malish

    Mr. Grinch Guest

    "mhicaoidh" <®êmõvé_mhic_aoidh@hotÑîXmailŠPäM.com> wrote in
    news:_Dvjc.51377$aQ6.3907133@attbi_s51:

    > Taking a moment's reflection, Lance Malish mused:
    >|
    >| Now is this possible? Is Vice a good piece of software, or could
    >| this be a false positive?
    >
    > They have support forums on the website you should probably post these
    > in. Though, from the Rootkit website:


    The website seems to list very few false positives. They don't seem to be
    updating it after people email them new ones. No doubt, it takes them time
    to confirm and test these things first. But they don't appear to be in a
    hurry to confirm new falses. I noticed they haven't bothered to test under
    Server 2003, where I've found several falses. I don't really expect a
    response but hope they do look into it.

    The "scan" progress indicator is broken too. It goes straight to the last
    bar and sits there forever. OK, they've learned how to create a fancy
    progress bar, but can't be bothered to make it mean something. Why bother
    coding it in the first place if you're not going to make it work? Same
    goes for OS version check. If you're going to check the OS version, why
    not let the user know it's untested for their version, instead of
    proceeding to give warnings on a system you know nothing about? I guess
    people have different expectations, especially when it comes to coding
    security software.

    >| And if all of this is legit, how do I go about cleaning my system -
    >| short of reinstalling Windows? Thanks in advance for any help.
    >
    > Well, I watched the segment on the TechTV website, and they recommended
    > you mount your drive as a slave in another system, and delete the
    > rootkits you know are not false positives.


    I wonder how many people are going to delete critical files or rebuild
    their system only to find the same false positives afterwards. Does the
    web site give a lot of info on how to confirm false positives? Not the
    last time I checked. I keep Ghost images, so I was able to test out a
    vanilla base build to confirm the false positives. Most people aren't so
    lucky.

    If they want people to beta test their app for them, it would go a long way
    if they figured out how to dump logs so users could easily email them the
    info required to confirm positives / false positives. Personally, I'd be
    ashamed to send something like this out and ask people to use it. But
    then, I'll never have my ugly mug shown on Tech TV either, which is
    probably a good thing.
     
    Mr. Grinch, Apr 27, 2004
    #11
  12. Lance Malish <> wrote in
    news:Rdvic.19809$_L6.1277440@attbi_s53:

    > I downloaded and ran Vice, which is a piece of software
    > that's supposed to detect rootkits on a system.
    >
    > It was featured on TechTV's The Screen Savers show the other
    > day.
    >
    > And, oh, what I found!!! Vice says I have 45 infected
    > processes spread out through C:\windows\explorer.exe and
    > C:\windows\system32\svchost.exe.
    >
    > Here's the following function names:
    >
    > Ordinal 15
    > CMP_WaitNoPendingInstallEvents
    > CM_Reenumerate_DevNode
    > CM_Get_DevNode_Status
    > CM_Get_Parent
    > CM_Open_DevNote_Key_Ex
    > CM_DevNode_Registry_PropertyA
    > CM_Open_DevNode_Key
    > CM_Locate_DevNodeW
    > CM_Get_Device_ID_Size_Ex
    > CM_Get_Device_IDW
    > CM_Set_DevNode_Registry_PropertyW
    > CM_Get_DevNode_Status
    >
    > Here's the .dlls they're affecting:
    >
    >
    > ACTIVEDS.dll
    > CFGMGR32.dll
    > comcntl32.dll
    >
    > The rootkit paths are either one or the other of the
    > following:
    >
    > C:\windows\system32\comctl32.dll
    > c:\windows\system32\SETUPAPI.dll
    >
    > Now is this possible? Is Vice a good piece of software, or
    > could this be a false positive?
    >
    > And if all of this is legit, how do I go about cleaning my
    > system - short of reinstalling Windows? Thanks in advance
    > for any help.
    >



    It *could* be a false positive... There's something funky about
    that whole "root kit" deal!

    http://rootkit.com/

    When I went to their site after the Screen Savers telecast, signed
    up, and during the download, my system froze out on the first try.
    Nothing's getting in here without a request coming from here, and
    then it's going to a sandbox...

    I shut down my network, scanned = nada. Rebooted, went back,
    downloaded "Vice", scanned it of course, put it in my C:\
    directory, ran it, and pulled up about 4 dozen hits...

    Went through and traced a good many of them down, pulled up
    Properties on the files - geezus - most of them are M$ sys files,
    a couple were ZA files having to do with vsmon dependencies and
    the like... Some PestPatrol dependencies...

    I've been patrolling the forums, but it doesn't seem very
    responsive to the issues being posted.

    Here's where I've resolved it: If Steve Gibson hasn't thrown out a
    flurry of red-flags, and my other scans are coming up clean, I'm
    blowing them off as some kind of hoax or probe until there's some
    reliable feedback going on.

    Am I the only one?

    Thanks to your post, I think probably not! (o;

    Thanks for the post and good luck!
     
    Bucky Breeder, Apr 27, 2004
    #12
  13. Bucky Breeder wrote:

    > Here's where I've resolved it: If Steve Gibson hasn't thrown out a
    > flurry of red-flags, and my other scans are coming up clean, I'm
    > blowing them off as some kind of hoax or probe until there's some
    > reliable feedback going on.


    From the buzz already posted, it's not a hoax--just incompetent twits
    alpha-testing software and getting CNet to go along with their bullshit.
    (Or maybe they've paid CNet to plug it....)

    > Am I the only one?


    Nope. See other postings in this group.

    --
    Gary G. Taylor * Rialto, CA
    gary at donavan dot org / http:// geetee dot donavan dot org
    "The two most abundant things in the universe
    are hydrogen and stupidity." --Harlan Ellison
     
    Gary G. Taylor, Apr 27, 2004
    #13