Forums: Rootkits Are **** - Forums



Rootkits Are ****

#1 Nap

  • Private
  • Group: Members
  • Posts: 6
  • Joined: 07-September 03

Posted 31 October 2004 - 04:16 AM

Hi,
does somebody know a good anti-rootkit detector?
I googled and found:

Rootkit Detector Profesional 2004 v0.62
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright © 2004 - 3wdesign Security
Url: http://www.3wdesign.es

Very good program, and it found a rootkit on my remote box, but if I stop the rootkit's service it is still always hidden (rootkit process, service and regkey entries).

Look at the results:

. .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright © 2004 - 3wdesign Security
Url: http://www.3wdesign.es


-Gathering Service list Information... ( Found: 256 services )
-Gathering process List Information... ( Found: 32 process )
-Searching for Hidden process Handles. ( Found: 0 Hidden Process )
-Checking Visible Process.............
c:\winnt\system32\smss.exe
c:\winnt\system32\csrss.exe
c:\winnt\system32\winlogon.exe
c:\winnt\system32\lsass.exe
c:\winnt\system32\dllhost.exe
c:\winnt\system32\termsrv.exe
c:\winnt\system32\svchost.exe
c:\winnt\system32\msdtc.exe
c:\progra~1\navnt\vptray.exe
c:\winnt\system32\svchost.exe
c:\imail\iwebcal.exe
c:\imail\iwebmsg.exe
c:\progra~1\micros~3\mssql\binn\sqlservr.exe
c:\program files\persits software\aspemail\bin\emailagent.exe
c:\imail\pop3d32.exe
c:\winnt\system32\mstask.exe
c:\imail\smtpd32.exe
c:\winnt\system32\wbem\winmgmt.exe
c:\winnt\system32\inetsrv\inetinfo.exe
c:\program files\navnt\rtvscan.exe
c:\winnt\system32\msgsys.exe
c:\winnt\system32\dllhost.exe
c:\progra~1\micros~3\mssql\binn\sqlagent.exe
c:\winnt\system32\winlogon.exe
c:\winnt\explorer.exe
c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
c:\rkdetector.exe
c:\winnt\system32\csrss.exe
c:\winnt\system32\cmd.exe
c:\winnt\system32\rdpclip.exe
-Searching again for Hidden Services..
-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 24 wrong Services )
-------------------------------------------------------------------------------
*SV: alerter (alerter) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: AppMgmt (Application Management) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Browser (Computer Browser) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Dhcp (DHCP Client) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: dmserver (Logical Disk Manager) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Dnscache (DNS Client) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Eventlog (Event Log) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: HackerDefenderDrv084 (HackerDefenderDrv084) PATH: c:\winnt\system32\temps\tmp\hxdefdrv.sys
-------------------------------------------------------------------------------
*SV: lanmanserver (Server) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: lanmanworkstation (Workstation) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: LmHosts (TCP/IP NetBIOS Helper Service) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Messenger (Messenger) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: PlugPlay (Plug and Play) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: ProtectedStorage (Protected Storage) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: seclogon (RunAs Service) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: TrkSvr (Distributed Link Tracking Server) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: TrkWks (Distributed Link Tracking Client) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: W32Time (Windows Time) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Wmi (Windows Management Instrumentation Driver Extensions) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 1 running rootkits)
-------------------------------------------------------------------------------
*ROOTKIT HACKER DEFENDER >= v0.82 FOUND. Path not available

I stop the rootkit service, but I can't get into the path (c:\winnt\system32\temps\tmp); Win2k says "nothing found".

I ran Norton AntiVirus, but it found nothing.
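The "24 wrong Services" in the report above are mostly noise: on Windows 2000 the built-in services rkdetector lists (Alerter, Eventlog, Server, Workstation, PlugPlay, ...) really do run inside services.exe, so a PATH of c:\winnt\system32\services.exe is expected for them, and the one real anomaly is the driver service whose image sits under a temp directory. The parser below is an added example (not part of the post and not rkdetector's own code) that reads *SV: lines in the report's format and keeps only the entries whose image is not a normal service host; the sample input is a five-line excerpt copied from the posted output, and the set of expected hosts is an assumption for a default Win2k install.

```python
import re
from dataclasses import dataclass

# Excerpt copied from the rkdetector "wrong Service Paths" section posted above
# (five of the 24 entries; the full report has 23 services.exe lines and one
# hxdefdrv.sys line).
REPORT = r"""
*SV: alerter (alerter) PATH: c:\winnt\system32\services.exe
*SV: Eventlog (Event Log) PATH: c:\winnt\system32\services.exe
*SV: HackerDefenderDrv084 (HackerDefenderDrv084) PATH: c:\winnt\system32\temps\tmp\hxdefdrv.sys
*SV: Wmi (Windows Management Instrumentation Driver Extensions) PATH: c:\winnt\system32\services.exe
*SV: W32Time (Windows Time) PATH: c:\winnt\system32\services.exe
"""

# One report line: "*SV: <name> (<display name>) PATH: <image path>"
SV_LINE = re.compile(
    r"^\*SV:\s+(?P<name>\S+)\s+\((?P<display>.*?)\)\s+PATH:\s+(?P<path>.+?)\s*$"
)

# Assumption: on a default Windows 2000 install the built-in services run inside
# services.exe (a few inside svchost.exe), so these image paths are expected.
EXPECTED_HOSTS = {
    r"c:\winnt\system32\services.exe",
    r"c:\winnt\system32\svchost.exe",
}
DRIVER_DIR = r"c:\winnt\system32\drivers" + "\\"


@dataclass
class Service:
    name: str
    display: str
    path: str


def parse_report(text):
    """Parse the *SV: lines of an rkdetector report into Service records."""
    services = []
    for raw in text.splitlines():
        m = SV_LINE.match(raw.strip())
        if m:
            services.append(Service(m["name"], m["display"], m["path"].lower()))
    return services


def triage(services):
    """Return (service, reasons) for every entry whose image is not a normal host."""
    suspicious = []
    for s in services:
        if s.path in EXPECTED_HOSTS:
            continue  # hosted service: a false positive of the "wrong path" check
        reasons = []
        if s.path.endswith(".sys") and not s.path.startswith(DRIVER_DIR):
            reasons.append("kernel driver loaded from outside system32\\drivers")
        if "\\temp" in s.path or "\\tmp" in s.path:
            reasons.append("image lives under a temp directory")
        if not reasons:
            reasons.append("image path is not a known service host")
        suspicious.append((s, reasons))
    return suspicious


if __name__ == "__main__":
    for s, reasons in triage(parse_report(REPORT)):
        print(f"{s.name}: {s.path}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the full report, this leaves exactly one line to look at: HackerDefenderDrv084 loading hxdefdrv.sys from c:\winnt\system32\temps\tmp, which is also the directory the poster could not open from inside Windows.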

#2 Reckless

  • Private First Class
  • Group: Members
  • Posts: 103
  • Joined: 31-January 04

Posted 31 October 2004 - 12:18 PM

Yes, Hacker Defender makes the folder virtually non-existent. That is why c:\winnt\system32\temps\tmp couldn't be found. If the folder "doesn't exist", then it's quite obvious the A/V scanner cannot scan it. Unless the hxdef .ini file or the client backdoor is detected by an antivirus, the rest of the files can't be found.

There was a tool on rootkit.com; I think it was called "WISE", not too sure. I cannot verify, as the site is down right now.

Rootkitdetector 0.62 <-- that was posted on GSO, but I think it's in the "Members only" file download section.

The best solution would be to reformat...

#3 r3L4x

  • Corporal
  • Group: Members
  • Posts: 168
  • Joined: 13-August 03

Posted 31 October 2004 - 12:37 PM

Boot into DOS and take it out. Or a live distro of Linux (Knoppix).

#4 Bombers

  • Private First Class
  • Group: Members
  • Posts: 118
  • Joined: 16-August 03

Posted 31 October 2004 - 10:20 PM

I think those detectors must be banned from the internet... A rootkit is a method to hide stuff from other processes or users... This must never ever be broken by anything! It's a technology.

#5 ice_cold45

  • Private
  • Group: Members
  • Posts: 6
  • Joined: 12-October 04

Posted 01 November 2004 - 03:36 AM

Bombers, on Nov 1 2004, 12:20 PM, said:

I think those detectors must be banned from the internet... A rootkit is a method to hide stuff from other processes or users... This must never ever be broken by anything! It's a technology.

lol, they must be :D
Anyway, as long as we boot into Windows, I think you are right; they may never be broken.
But we could add a few lines to the autoexec.bat to make sure the system is clean, like dir /s hxdef*.*

#6 tnp

  • Private First Class
  • Group: Members
  • Posts: 38
  • Joined: 17-February 04

Posted 01 November 2004 - 03:57 AM

Isn't it possible to make the rootkit undetectable with Morphine or a simple hex editor?

#7 Bombers

  • Private First Class
  • Group: Members
  • Posts: 118
  • Joined: 16-August 03

Posted 01 November 2004 - 12:07 PM

The detectors will always see the hooked APIs. You can try to hide common rootkit detectors in your rootkit configuration... that's what I do :)

#8 ScriptGod (Guest)

  • Group: Guests

Posted 02 November 2004 - 06:14 AM

A rootkit that is really undetectable is impossible, because somewhere in the kernel this hidden stuff must exist, or it can't be used by root processes or something like that. User-mode rootkits like hxdef etc. are really easy to bypass: just reload your common DLLs or go to kernel mode. (There is also one possibility for hxdef: hxdef only hooks APIs like CreateFile but not NtCreateFile directly, so you can use these APIs and see everything.)

The hidden threads of the hidden process must exist in a list in the kernel, or Windows won't run them anymore. You can enumerate this list to see hidden threads/processes. You can use alternative NTFS drivers to see hidden files...

The rootkit detectors' development is more sophisticated than the rootkits' development. The detectors can detect more than is implemented in rootkits at the moment.

So you can make the stuff hard to find, but not impossible.

#9 strych_nine

  • Private First Class
  • Group: Members
  • Posts: 71
  • Joined: 08-September 04

Posted 02 November 2004 - 06:45 AM

Can you tell us the names of the files that need to be hidden?

#10 blowspark (Guest)

  • Group: Guests

Posted 02 November 2004 - 12:15 PM

Hi,

HXD can't hide processes through NetBIOS...

Connect to the remote box with DameWare, search the services, and remember the name of the HXD exe file.

Then use a simple FTP server (for those things I use Serv-U 2.5) and name the exe of the FTP server the same as the rootkit exe.
Then execute, and connect... you'll see all the hidden dirs and so on.

Now it's easy to uninstall all the hidden services and the rootkit.
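ScriptGod's point in #8 (a hidden object still exists in some list the kernel keeps, so enumerating that list through an unhooked path and diffing it against the API view exposes it) and blowspark's trick in #10 (rename the FTP server to the rootkit's exe name and it suddenly sees the hidden directories) both follow from how hxdef decides what to hide: entries in its ini's [Hidden Table] and [Hidden Services] are filtered out of the hooked API results, while a process whose name matches the [Root Processes] list is exempt and sees everything. The model below is an added example, not code from the thread or from hxdef itself: the ini is constructed in hxdef's section layout (only the driver name and file name come from the rkdetector output above), glob-style matching of the entries is an assumption, and the file and service listings are constructed.

```python
import fnmatch
from collections import defaultdict

# Constructed ini in the layout of hxdef's configuration file (not the real
# ini from the compromised box). Section names follow hxdef's own; the driver
# name and file name are the ones rkdetector reported in the first post.
HXDEF_INI = """\
[Hidden Table]
hxdef*
temps

[Root Processes]
hxdef*
rcmd.exe

[Hidden Services]
HackerDefender*

[Settings]
DriverName=HackerDefenderDrv084
DriverFileName=hxdefdrv.sys
"""

# Constructed "truth": what an unhooked enumeration (kernel list, raw NTFS,
# a live CD) returns for c:\winnt\system32 and for the service database.
REAL_FILES = ["cmd.exe", "hxdef084.exe", "hxdef084.ini", "hxdefdrv.sys", "smss.exe", "temps"]
REAL_SERVICES = ["Eventlog", "HackerDefenderDrv084", "lanmanserver"]


def parse_ini(text):
    """Return {section: [entries]} for an hxdef-style ini."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current is not None:
            sections[current].append(line)
    return sections


def matches(patterns, name):
    # Assumption: entries are glob patterns (hxdef's default table uses "hxdef*").
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def is_root_process(cfg, viewer_exe):
    """Root processes are exempt from hiding: they see everything."""
    return matches(cfg.get("Root Processes", []), viewer_exe)


def hooked_view(cfg, viewer_exe, real_names, table="Hidden Table"):
    """What a process sees through the user-mode APIs hxdef hooks in it."""
    if is_root_process(cfg, viewer_exe):
        return list(real_names)
    hidden = cfg.get(table, [])
    return [n for n in real_names if not matches(hidden, n)]


def cross_view(real_names, hooked_names):
    """Objects present in the low-level view but missing from the API view."""
    return sorted(set(real_names) - set(hooked_names))


if __name__ == "__main__":
    cfg = parse_ini(HXDEF_INI)
    explorer_sees = hooked_view(cfg, "explorer.exe", REAL_FILES)
    print("explorer.exe sees:", explorer_sees)
    print("hidden (cross-view diff):", cross_view(REAL_FILES, explorer_sees))
    # blowspark's trick: an FTP server renamed to the rootkit exe is a root process
    print("renamed Serv-U sees:", hooked_view(cfg, "hxdef084.exe", REAL_FILES))
    svc_api = hooked_view(cfg, "explorer.exe", REAL_SERVICES, "Hidden Services")
    print("services hidden:", cross_view(REAL_SERVICES, svc_api))
```

The same diff explains Reckless's remark in #2: an antivirus scanning through the hooked APIs never receives the hidden names, so it has nothing to scan. It also shows the limit of the rename trick: it only works because hxdef matches root processes by image name, which the [Root Processes] list gives away once the ini is readable.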

#11 jubbly

  • Private First Class
  • Group: Members
  • Posts: 89
  • Joined: 08-September 03

Posted 02 November 2004 - 02:18 PM

WinRAR gives good browsing of a HDD to remove files/folders that are hidden, but I would take r3L4x's advice and use a live Linux CD to boot from and remove it that way.

#12 Kendox (Guest)

  • Group: Guests

Posted 12 November 2004 - 12:15 AM

Also, you can test the Security Task Manager (you can find it easily with Google).

It shows you hidden processes.

Regards,
Memento

#13 speCt0R (Guest)

  • Group: Guests

Posted 12 November 2004 - 08:38 PM

Open Ports v1.2 @ http://rootkit.host.sk

Detectcon by Kd-Team @ http://www.kd-team.com

Enjoy ^^

#14 Serhat

  • Second Lieutenant
  • Group: Members
  • Posts: 803
  • Joined: 13-January 04

Posted 14 November 2004 - 12:08 AM

I deleted something like this once,
just by using my Cygwin installation, SSH'ing to it, and using rm filename. Pretty weird.
I think it somehow hooks some API calls and returns nothing back when it gets the path of the rootkit?

Serhat

#15 teamcrunk2k5

  • Private
  • Group: Members
  • Posts: 4
  • Joined: 02-November 04

Posted 14 November 2004 - 11:10 AM

Sorry to ask this question, but I was just wondering: does anyone know any good sites for rootkits or autoroot kits, and how would I go about rooting webdev? I've tried SQL; I would like to know other ways, and where I can get rootkits or autoroot kits or information about other rooting ways. Thanks, from a noobie <---------
