I downloaded and ran Vice, which is a piece of software that's supposed to detect rootkits on a system. It was featured on TechTV's The Screen Savers show the other day. And, oh, what I found!!! Vice says I have 45 infected processes spread out through C:\windows\explorer.exe and C:\windows\system32\svchost.exe.

Here are the function names:
Ordinal 15
CMP_WaitNoPendingInstallEvents
CM_Reenumerate_DevNode
CM_Get_DevNode_Status
CM_Get_Parent
CM_Open_DevNote_Key_Ex
CM_DevNode_Registry_PropertyA
CM_Open_DevNode_Key
CM_Locate_DevNodeW
CM_Get_Device_ID_Size_Ex
CM_Get_Device_IDW
CM_Set_DevNode_Registry_PropertyW
CM_Get_DevNode_Status

Here are the .dlls they're affecting:
ACTIVEDS.dll
CFGMGR32.dll
comcntl32.dll

The rootkit paths are either one or the other of the following:
C:\windows\system32\comctl32.dll
c:\windows\system32\SETUPAPI.dll

Now is this possible? Is Vice a good piece of software, or could this be a false positive? And if all of this is legit, how do I go about cleaning my system - short of reinstalling Windows? Thanks in advance for any help.
A rootkit is a collection of programs that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network. The intruder installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. The rootkit then collects user ids and passwords to other machines on the network, thus giving the hacker root or privileged access.
x-post trimmed to 24hshd. http://www.rootkit.com/ watch out for the cookies and javascripts it tries to use. Me
While still snuggled in a 'spider hole', Lance Malish
Where did you get it?

To reply by email, remove the XYZ. Lumber Cartel (tinlc) #2063. Spam this account at your own risk. This sig censored by the Office of Home and Land Insecurity....
I think there are a lot of false positives. I'm running Server 2003 and it reported several files as infected. I went and did some binary file comparisons with the originals off the CD and they are identical. These files are not listed under the "known false positives" yet, but they haven't tested on 2003 yet. I also have a ghost image of my system, created after a fresh install, with NO network connection. I restored this and checked it out with VICE; again, it reports several rootkits / infected files. This is from a fresh install of Server 2003 from Microsoft. For me, something that generates so many false positives is a waste of time. I'm sticking with Trend Server Protect real-time antivirus for now, along with a manual scan using other products.
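The check the poster above describes (binary-comparing each flagged file with the original from the install media, after restoring a clean image) is the right way to separate a detector's false positives from real tampering. The script below is an added example, not code from the thread or from VICE: it hashes every flagged file and its known-good counterpart with SHA-256, classifies each hit, and writes a plain-text log of the kind a user could attach to a false-positive report. The system tree, the "install CD" reference tree and the file contents are constructed in a temporary directory so it runs anywhere; on a real machine you would point `system_root` at the mounted drive and `reference_root` at the expanded install media.

```python
"""Triage a rootkit scanner's hits against known-good copies of the same files.

Added example (not from the thread or from VICE). Paths and file contents are
constructed stand-ins, not real Windows binaries.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large system DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_hits(flagged, system_root: Path, reference_root: Path):
    """Classify each flagged file (path relative to the system root).

    Returns a dict mapping the relative path to one of:
      'matches-reference' -> byte-identical to the known-good copy (likely false positive)
      'differs'           -> digest differs from the known-good copy (investigate)
      'no-reference'      -> no known-good copy available to compare against
      'missing'           -> flagged path does not exist on the system
    """
    results = {}
    for rel in flagged:
        live = system_root / rel
        ref = reference_root / rel
        if not live.is_file():
            results[rel] = "missing"
        elif not ref.is_file():
            results[rel] = "no-reference"
        elif sha256_file(live) == sha256_file(ref):
            results[rel] = "matches-reference"
        else:
            results[rel] = "differs"
    return results


def write_log(results, system_root: Path, log_path: Path) -> str:
    """Write one line per hit (verdict, digest of the live file, path)."""
    lines = [f"scanner hit triage for {system_root}"]
    for rel, verdict in sorted(results.items()):
        live = system_root / rel
        digest = sha256_file(live) if live.is_file() else "-"
        lines.append(f"{verdict:18} {digest} {rel}")
    text = "\n".join(lines) + "\n"
    log_path.write_text(text)
    return text


def demo():
    """Build a constructed system tree and reference tree, then triage hits."""
    with tempfile.TemporaryDirectory() as tmp:
        system_root = Path(tmp, "system")
        reference_root = Path(tmp, "reference")
        # Constructed stand-ins for files a scanner might flag; not real binaries.
        files = {
            "windows/system32/comctl32.dll": b"MZ-constructed-comctl32",
            "windows/system32/SETUPAPI.dll": b"MZ-constructed-setupapi",
            "windows/system32/CFGMGR32.dll": b"MZ-constructed-cfgmgr32",
        }
        for rel, data in files.items():
            for root in (system_root, reference_root):
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        # One file that really differs from the install media...
        (system_root / "windows/system32/SETUPAPI.dll").write_bytes(b"MZ-modified")
        # ...and one hit for which the reference media has no copy at all.
        (system_root / "windows/system32/vendor.dll").write_bytes(b"MZ-third-party")
        flagged = list(files) + ["windows/system32/vendor.dll",
                                 "windows/system32/gone.dll"]
        results = triage_hits(flagged, system_root, reference_root)
        write_log(results, system_root, Path(tmp, "triage.log"))
        return results


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:18} {rel}")
```

A hit that matches the reference copy byte for byte is a detector false positive by construction; only "differs" and "no-reference" hits need further work, which is the distinction the thread's posters had to make by hand.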
Taking a moment's reflection, Lance Malish mused:
| Now is this possible? Is Vice a good piece of software, or could this
| be a false positive?

They have support forums on the website you should probably post these in. Though, from the Rootkit website:

"Warning
This software is brand new and is known to throw some false positives, especially with the user-mode rootkit detection. If you scan your system and it informs you that you have a rootkit infection, you may not have a rootkit infection, but instead a false positive - so relax - it would be helpful if you post the results that you obtain so the authors can improve the detection algorithm. Most important is the address of the hook, and the name of the DLL that is performing the hook.

Known User API False Positives
shim.dll
setupapi.dll
comctl32.dll (Usually seen with Outlook running)
sfc_os.dll and sfc.dll (Used for Microsoft Windows File Protection)
adsldpc.dll

Known Kernel False Positives
1. IRP's hooked by a file in the system root directory named ntoskrnl.exe
2. Functions hooked by vsdataant.sys (Only if you have Zone Alarm)"

| And if all of this is legit, how do I go about cleaning my system -
| short of reinstalling Windows? Thanks in advance for any help.

Well, I watched the segment on the TechTV website, and they recommended you mount your drive as a slave in another system, and delete the rootkits you know are not false positives.
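The quoted warning says the two facts that matter for a report are the hook address and the DLL performing the hook, which is the shape of a user-mode import-table check: for each imported function, does the address in the import slot fall inside the module that is supposed to export it? The model below is an added example, not VICE's code and not read from a real process. It shows why such a check fires on legitimate software: an import that resolves into a different module (a compatibility shim, or an export forwarded from one DLL to another, which is one mechanism that produces the cfgmgr32/setupapi pattern in the original post) looks identical to a hook until the resolving module is on a known-benign list. All module names, base addresses and import entries are constructed.

```python
"""Toy model of user-mode API hook detection and its false positives.

Added example, not VICE's code. Modules, addresses and import entries are
constructed; nothing here inspects a live process.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class ImportEntry:
    function: str      # imported symbol, e.g. CM_Get_Parent
    expected_dll: str  # DLL the import table names as the exporter
    resolved: int      # address actually stored in the import slot


def owner_of(addr: int, modules) -> Optional[str]:
    """Return the name of the loaded module whose range contains addr, if any."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def check_imports(entries, modules, known_benign=frozenset()):
    """Classify each import slot.

    'clean'                -> resolves into the expected DLL
    'known-false-positive' -> resolves into a module on the benign list
    'suspicious'           -> resolves into some other module, or into no module at all
    Returns {function: (verdict, owning module or None)}.
    """
    benign = {n.lower() for n in known_benign}
    verdicts = {}
    for e in entries:
        owner = owner_of(e.resolved, modules)
        if owner is not None and owner.lower() == e.expected_dll.lower():
            verdicts[e.function] = ("clean", owner)
        elif owner is not None and owner.lower() in benign:
            verdicts[e.function] = ("known-false-positive", owner)
        else:
            verdicts[e.function] = ("suspicious", owner)
    return verdicts


def demo(use_known_list: bool = True):
    """Run the check over a constructed module map and import table."""
    modules = [  # constructed base addresses and sizes
        Module("cfgmgr32.dll", 0x77A00000, 0x20000),
        Module("setupapi.dll", 0x77900000, 0x80000),
        Module("shim.dll", 0x5AD00000, 0x10000),
    ]
    entries = [
        # resolves inside the DLL that claims to export it
        ImportEntry("CM_Get_Parent", "cfgmgr32.dll", 0x77A01234),
        # forwarded export: implementation lives in setupapi.dll
        ImportEntry("CM_Get_DevNode_Status", "cfgmgr32.dll", 0x77912345),
        # redirected through a compatibility shim layer
        ImportEntry("CM_Locate_DevNodeW", "cfgmgr32.dll", 0x5AD00420),
        # points outside every loaded module: nothing legitimate explains it
        ImportEntry("CM_Open_DevNode_Key", "cfgmgr32.dll", 0x00C0FFEE),
    ]
    benign = {"shim.dll", "setupapi.dll"} if use_known_list else set()
    return check_imports(entries, modules, benign)


if __name__ == "__main__":
    for fn, (verdict, owner) in demo().items():
        print(f"{verdict:21} {fn:24} -> {owner}")
```

Run with `demo(False)` the shim and forwarded entries are reported as suspicious, which is exactly the behaviour the warning describes; the benign list is what turns them back into non-findings, and the slot pointing outside every module stays suspicious either way.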
The website seems to list very few false positives. They don't seem to be updating it after people email them new ones. No doubt, it takes them time to confirm and test these things first. But they don't appear to be in a hurry to confirm new falses. I noticed they haven't bothered to test under Server 2003, where I've found several falses. I don't really expect a response but hope they do look into it. The "scan" progress indicator is broken too. It goes straight to the last bar and sits there forever. OK, they've learned how to create a fancy progress bar, but can't be bothered to make it mean something. Why bother coding it in the first place if you're not going to make it work? Same goes for the OS version check. If you're going to check the OS version, why not let the user know it's untested for their version, instead of proceeding to give warnings on a system you know nothing about? I guess people have different expectations, especially when it comes to coding security software. I wonder how many people are going to delete critical files or rebuild their system only to find the same false positives afterwards. Does the web site give a lot of info on how to confirm false positives? Not the last time I checked. I keep Ghost images, so I was able to test out a vanilla base build to confirm the false positives. Most people aren't so lucky. If they want people to beta test their app for them, it would go a long way if they figured out how to dump logs so users could easily email them the info required to confirm positives / false positives. Personally, I'd be ashamed to send something like this out and ask people to use it. But then, I'll never have my ugly mug shown on Tech TV either, which is probably a good thing.
It *could* be a false positive... There's something funky about that whole "root kit" deal! http://rootkit.com/ When I went to their site after the Screen Savers telecast, signed up, and during the download, my system froze out on the first try. Nothing's getting in here without a request coming from here, and then it's going to a sandbox... I shut down my network, scanned = nada. Rebooted, went back, downloaded "Vice", scanned it of course, put it in my C:\ directory, ran it, and pulled up about 4 dozen hits... Went through and traced a good many of them down, pulled up Properties on the files - geezus - most of them are M$ sys files, a couple were ZA files having to do with vsmon dependencies and the like... Some PestPatrol dependencies... I've been patrolling the forums, but it doesn't seem very responsive to the issues being posted. Here's where I've resolved it: If Steve Gibson hasn't thrown out a flurry of red flags, and my other scans are coming up clean, I'm blowing them off as some kind of hoax or probe until there's some reliable feedback going on. Am I the only one? Thanks to your post, I think probably not! (o; Thanks for the post and good luck!
From the buzz already posted, it's not a hoax--just incompetent twits alpha-testing software and getting CNet to go along with their bullshit. (Or maybe they've paid CNet to plug it....) Nope. See other postings in this group.