[pcuser]

Sorry REM,

I was playing with some different options in the source code last night and must have forgot to change APPEND to WRITE before compiling. It's fixed now (ver 1.0.6)

Tom

[cray1000]

awesome app. How does it compare to the other rootkit detection program listed earlier?

As far as combining it with ezpcfix, i would say make it a module of ezpcfix that can also be stand alone.... best of both worlds....

If ezpcfix supports add-on modules you can just keep adding your new programs to it as modules that work standalone....

just a suggestion...

[pcuser]

Quote

How does it compare to the other rootkit detection program listed earlier?

It doesn't scan for hidden registry entries (yet) but I'm working on it.

Quote

As far as combining it with ezpcfix, i would say make it a module of ezpcfix that can also be stand alone....  best of both worlds....

Excellent idea! I think that's what I'll do then.

Thanks for the help

Tom

[pcuser]

I attempted to add registry scanning functions today and only suceeded at opening several cans of worms

I rewrote the entire program today because I found that previous versions had a limitation of 32,768 files, so that's fixed.

I would still like to include registry scanning in the program but it's going to require adding lots of code that EzPcFix already has so if it's added in the future then it's most likely going to be integrated into EzPcFix and not in the "Standalone" version.

Please let me know about anything that needs to be changed/added/removed as this might be the final release if nothing is reported.

Like I said, it was rewritten from scratch today (completely new everything) so everything needs to be tested.

Big thanks to everyone that's helped develop and test this new project!


Tom

[lawson23]

In my eyes a rootkit has nothing to really do with the registry. As long as you can locate the bad file the registry is really a mood point. Kind of like Viruses. Registry cleaning is great because it removes error messages but it isn't the issue correct? The rootkit needs to exist as an application on the machine. Which is what the original app looks for.

Please enlighten me on why Registry scanning might be needed so that I may understand.

[pcuser]

Quote

In my eyes a rootkit has nothing to really do with the registry. As long as you can locate the bad file the registry is really a mood point. Kind of like Viruses. Registry cleaning is great because it removes error messages but it isn't the issue correct? The rootkit needs to exist as an application on the machine. Which is what the original app looks for.

Please enlighten me on why Registry scanning might be needed so that I may understand.

As long as the files are found and removed then the stealthed registry entries that the file may have been hiding will be revealed so the only purpose that I can think of is just for the sake of being complete.

Tom

[pcuser]

After thinking more about this...

It might be pointless to scan the registry just to find out where the rootkit gets started from. After all, that's the job of EzPcFix!

Tom

[lawson23]

Not a REG expert but could a program (reg entry) be written through the registry to redownload a bad app and reexecute it?

In other words I delete a virus exe but get the exe back because of a reg entry that keeps retrieving the app?

[pcuser]

Quote

Not a REG expert but could a program (reg entry) be written through the registry to redownload a bad app and reexecute it?

In other words I delete a virus exe but get the exe back because of a reg entry that keeps retrieving the app?

Yes and No.

I started explaining how this could be done but realized what I was writing was something that I don't beleive in making public (proof of concept exploits).

Yes, it is possible that an unpatched system (or with modified security settings) could be set to download and run code locally just by settings in the registry but an up to date system with the security settings set to default will at the least, warn you before doing anything like this.

EzPcFix is designed to show you all the places that apps can get loaded from so after removing a rootkit, you should run EzPcFix and find where it's getting started from.

Here's what I'm asking from anyone using this utilty to find rootkits...

If a rootkit is found, run EzPcFix (from PE/ubcd4win) to see where it's getting started from.

If you can't find it with EzPcFix then do a search in the registry with EzPcFix running and your registry hives loaded and see where it's getting started from. If it's a location that EzPcFix isn't searching then I really, really need to know about it so I can update EzPcFix to look in that location.

Thanks,

Tom

[lawson23]

Tom,
Yeah thanks for not explaining how. My big question was the possiblity? In one sense I thought yes it is possible and in another I thought no it isn't.

Thanks for clearing that up. This is a circumstance I have been wondering about for awhile now. As people may think a rootkit is scary so would something like this.

[lawson23]

Used Rootkitty for my first time today. Nice.
The only suggestion I would make is once you have the results in Rootkitty you can't scroll left to right to view long entries and have to resort to the log. Not a big deal.

[Greg214]

sorry see new thread.

This post has been edited by Greg214: 29 September 2005 - 01:36 PM

[SteelTrepid]

You probably should have started a new post about this. I'm sure Tom will find this post later today, but it makes it easier when new things are posted in their own thread.

[Greg214]

i tried to do that after u told me to but it says i do not have permission to start new topics/threads here.

thanks for trying to guide me in the right direction though.

[SteelTrepid]

Hmm, yeah....I thought about that after I posted. I couldn't remember if I "allowed" regular members to start topics here. I just changed it in my Admin. area. Sorry.