45 rootkits listed on my system? Ouch!!

Discussion in 'Computer Support' started by Lance Malish, Apr 24, 2004.

  1. Lance Malish

    Lance Malish Guest

    I downloaded and ran Vice, which is a piece of software that's supposed
    to detect rootkits on a system.

    It was featured on TechTV's The Screen Savers show the other day.

    And, oh, what I found!!! Vice says I have 45 infected processes spread
    out through C:\windows\explorer.exe and C:\windows\system32\svchost.exe.

    Here's the following function names:

    Ordinal 15
    CMP_WaitNoPendingInstallEvents
    CM_Reenumerate_DevNode
    CM_Get_DevNode_Status
    CM_Get_Parent
    CM_Open_DevNote_Key_Ex
    CM_DevNode_Registry_PropertyA
    CM_Open_DevNode_Key
    CM_Locate_DevNodeW
    CM_Get_Device_ID_Size_Ex
    CM_Get_Device_IDW
    CM_Set_DevNode_Registry_PropertyW
    CM_Get_DevNode_Status

    Here's the .dlls they're affecting:


    ACTIVEDS.dll
    CFGMGR32.dll
    comcntl32.dll

    The rootkit paths are either one or the other of the following:

    C:\windows\system32\comctl32.dll
    c:\windows\system32\SETUPAPI.dll

    Now is this possible? Is Vice a good piece of software, or could this
    be a false positive?

    And if all of this is legit, how do I go about cleaning my system -
    short of reinstalling Windows? Thanks in advance for any help.
     
    Lance Malish, Apr 24, 2004
    #1

  2. Anon

    Anon Guest

    What the heck is a rootkit? -Dave
     
    Anon, Apr 24, 2004
    #2

  3. Lance Malish

    Lance Malish Guest

    A rootkit is a collection of programs that a hacker uses to mask
    intrusion and obtain administrator-level access to a computer or
    computer network. The intruder installs a rootkit on a computer after
    first obtaining user-level access, either by exploiting a known
    vulnerability or cracking a password. The rootkit then collects user ids
    and passwords to other machines on the network, thus giving the hacker
    root or privileged access.
     
    Lance Malish, Apr 24, 2004
    #3
  4. Yddap

    Yddap Guest

    Where does this prog "Vice" come from? URL or reference, please.

    yddap
     
    Yddap, Apr 24, 2004
    #4
  5. why?

    why? Guest

    x-post trimmed to 24hshd.

    http://www.rootkit.com/ watch out for the cookies and javascripts it
    tries to use.

    Me
     
    why?, Apr 24, 2004
    #5
  6. Never anonymous Bud

    While still snuggled in a 'spider hole', Lance Malish wrote:

    Where did you get it?

    To reply by email, remove the XYZ.

    Lumber Cartel (tinlc) #2063. Spam this account at your own risk.

    This sig censored by the Office of Home and Land Insecurity....
     
    Never anonymous Bud, Apr 24, 2004
    #6
  7. Boomer

    Boomer Guest

    "Known User API False Positives"
    http://www.rootkit.com/
     
    Boomer, Apr 24, 2004
    #7
  8. Mr. Grinch

    Mr. Grinch Guest

    I think there are a lot of false positives. I'm running Server 2003 and it
    reported several files as infected. I went and did some binary file
    comparisons with the originals off the CD and they are identical. These
    files are not listed under the "known false positives" yet but they haven't
    tested on 2003 yet.

    I also have a ghost image of my system, created after a fresh install, with
    NO network connection. I restored this and checked it out with VICE,
    again, it reports several rootkits / infected files. This is from a fresh
    install of Server 2003 from Microsoft.

    For me, something that generates so many false positives is a waste of
    time. I'm sticking with Trend ServerProtect real-time antivirus for now,
    along with a manual scan using other products.
     
    Mr. Grinch, Apr 25, 2004
    #8
  9. mhicaoidh

    mhicaoidh Guest

    Taking a moment's reflection, Lance Malish mused:
    |
    | Now is this possible? Is Vice a good piece of software, or could this
    | be a false positive?

    They have support forums on the website you should probably post these
    in. Though, from the Rootkit website:

    "Warning
    This software is brand new and is known to throw some false positives,
    especially with the user-mode rootkit detection. If you scan your system and
    it informs you that you have a rootkit infection, you may not have a rootkit
    infection, but instead a false positive - so relax - it would be helpful if
    you post the results that you obtain so the authors can improve the
    detection algorithm. Most important is the address of the hook, and the name
    of the DLL that is performing the hook.

    Known User API False Positives
    shim.dll
    setupapi.dll
    comctl32.dll (Usually seen with Outlook running)
    sfc_os.dll and sfc.dll (Used for Microsoft Windows File Protection)
    adsldpc.dll

    Known Kernel False Positives
    1. IRP's hooked by a file in the system root directory named ntoskrnl.exe
    2. Functions hooked by vsdataant.sys (Only if you have Zone Alarm)"

    | And if all of this is legit, how do I go about cleaning my system -
    | short of reinstalling Windows? Thanks in advance for any help.

    Well, I watched the segment on the TechTV website, and they recommended
    you mount your drive as a slave in another system, and delete the rootkits
    you know are not false positives.
     
    mhicaoidh, Apr 27, 2004
    #9
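    Mr. Grinch's approach above (compare the flagged file byte-for-byte with the copy on the original media) and the vendor's known-false-positive list quoted by mhicaoidh can be combined into one triage step. This is an added example, not code from any poster or from rootkit.com; the sample tree, file contents and hashes are constructed here, and the DLL names are the ones that appear in this thread.

```python
import hashlib
import os
import tempfile

# DLL names copied from the rootkit.com "Known User API False Positives" list quoted above.
KNOWN_USER_API_FALSE_POSITIVES = {
    "shim.dll", "setupapi.dll", "comctl32.dll", "sfc_os.dll", "sfc.dll", "adsldpc.dll",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:          # chunked, so large system DLLs need not fit in memory
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(installed_path, baseline_path):
    """Return (status, vendor_lists_as_fp) for one reported hit.
    status is 'identical-to-original', 'differs-from-original' or 'no-baseline'.
    A differing hash alone is not proof of a rootkit: hotfixes and service packs
    replace system DLLs, so the baseline must come from the same patch level."""
    name = os.path.basename(installed_path).lower()   # Windows file names are case-insensitive
    vendor_fp = name in KNOWN_USER_API_FALSE_POSITIVES
    if not os.path.isfile(baseline_path):
        return "no-baseline", vendor_fp
    if sha256_file(installed_path) == sha256_file(baseline_path):
        return "identical-to-original", vendor_fp
    return "differs-from-original", vendor_fp


def demo():
    """Constructed sample tree (not real Windows binaries): an 'i386' media copy and a
    'system32' installed copy of three DLL names mentioned in this thread."""
    root = tempfile.mkdtemp()
    media, system32 = os.path.join(root, "i386"), os.path.join(root, "system32")
    os.makedirs(media)
    os.makedirs(system32)
    samples = {                       # (bytes on install media, bytes installed)
        "comctl32.dll": (b"MZ original comctl32", b"MZ original comctl32"),    # untouched
        "SETUPAPI.dll": (b"MZ original setupapi", b"MZ original setupapi X"),  # modified
        "ACTIVEDS.dll": (None, b"MZ activeds"),                                # no media copy
    }
    results = {}
    for name, (on_media, installed) in samples.items():
        if on_media is not None:
            with open(os.path.join(media, name), "wb") as f:
                f.write(on_media)
        with open(os.path.join(system32, name), "wb") as f:
            f.write(installed)
        results[name] = triage(os.path.join(system32, name), os.path.join(media, name))
    return results
```

    A hit that is identical to the original and already on the vendor's list is a confirmed false positive; a hit that differs still needs a baseline from the same patch level before anything is deleted.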
  10. Mr. Grinch

    Mr. Grinch Guest

    The website seems to list very few false positives. They don't seem to be
    updating it after people email them new ones. No doubt, it takes them time
    to confirm and test these things first. But they don't appear to be in a
    hurry to confirm new falses. I noticed they haven't bothered to test under
    Server 2003, where I've found several falses. I don't really expect a
    response but hope they do look into it.

    The "scan" progress indicator is broken too. It goes straight to the last
    bar and sits there forever. OK, they've learned how to create a fancy
    progress bar, but can't be bothered to make it mean something. Why bother
    coding it in the first place if you're not going to make it work? Same
    goes for OS version check. If you're going to check the OS version, why
    not let the user know it's untested for their version, instead of
    proceeding to give warnings on a system you know nothing about? I guess
    people have different expectations, especially when it comes to coding
    security software.
    I wonder how many people are going to delete critical files or rebuild
    their system only to find the same false positives afterwards. Does the
    web site give a lot of info on how to confirm false positives? Not the
    last time I checked. I keep Ghost images, so I was able to test out a
    vanilla base build to confirm the false positives. Most people aren't so
    lucky.

    If they want people to beta test their app for them, it would go a long way
    if they figured out how to dump logs so users could easily email them the
    info required to confirm positives / false positives. Personally, I'd be
    ashamed to send something like this out and ask people to use it. But
    then, I'll never have my ugly mug shown on Tech TV either, which is
    probably a good thing.
     
    Mr. Grinch, Apr 27, 2004
    #10

  11. Bucky Breeder

    It *could* be a false positive... There's something funky about
    that whole "root kit" deal!

    http://rootkit.com/

    When I went to their site after the Screen Savers telecast, signed
    up, and during the download, my system froze out on the first try.
    Nothing's getting in here without a request coming from here, and
    then it's going to a sandbox...

    I shut down my network, scanned = nada. Rebooted, went back,
    downloaded "Vice", scanned it of course, put it in my C:\
    directory, ran it, and pulled up about 4 dozen hits...

    Went through and traced a good many of them down, pulled up
    Properties on the files - geezus - most of them are M$ sys files,
    a couple were ZA files having to do with vsmon dependencies and
    the like... Some PestPatrol dependencies...

    I've been patrolling the forums, but it doesn't seem very
    responsive to the issues being posted.

    Here's where I've resolved it: If Steve Gibson hasn't thrown out a
    flurry of red-flags, and my other scans are coming up clean, I'm
    blowing them off as some kind of hoax or probe until there's some
    reliable feedback going on.

    Am I the only one?

    Thanks to your post, I think probably not! (o;

    Thanks for the post and good luck!
     
    Bucky Breeder, Apr 27, 2004
    #11
  12. Gary G. Taylor

    From the buzz already posted, it's not a hoax--just incompetent twits
    alpha-testing software and getting CNet to go along with their bullshit.
    (Or maybe they've paid CNet to plug it....)
    Nope. See other postings in this group.
     
    Gary G. Taylor, Apr 27, 2004
    #12