  1. #1
    Star Lounger
    Join Date
    Jan 2004
    Posts
    65
    Thanks
    0
    Thanked 0 Times in 0 Posts

    HIJACK ADS scan - quickest indication of a rootkit

    Would scanning a PC using HijackThis (ADS scan, on the tools menu), assuming it found some alternative data streams (not including MS FAX!), be the quickest way of having an 'indication' of a rootkit?

    Cheers
    TAJ
    TAJ Simmons
    microsoft powerpoint mvp

    awesome - powerpoint backgrounds

  2. #2
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Quedgeley, Gloucester, England
    Posts
    5,333
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: HIJACK ADS scan - quickest indication of a roo

    I would use Mark Russinovich's (oops, Microsoft's!) tool "Rootkit Revealer". Or there is a rootkit finder/remover by Sophos, the antivirus firm. And no doubt many others by the other AV manufacturers.

    I'm rather puzzled why you think that Merijn's HijackThis, which checks browser hijacking, registry entries, startup links, etc, would have anything to say about rootkits, which came after HijackThis was written...

    John

    Ita, esto, quidcumque...

  3. #3
    Star Lounger
    Join Date
    Jan 2004
    Posts
    65
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: HIJACK ADS scan - quickest indication of a roo

    John,

    Thanks for that. The reason I ask is that I was fixing a friend's PC that had a rootkit on it. After the rootkit was stopped / disabled from starting, a scan with HijackThis' ADS scan (config > misc tools > Open ADS spy) revealed the same file where the rootkit was hidden. I forget the exact details, but it found something along the lines of this:

    windows\system32\nameoffile : (colon) name of hidden file within

    What I wish I had done was the HijackThis ADS scan before the rootkit was disabled from starting.

    Cheers
    TAJ
    TAJ Simmons
    microsoft powerpoint mvp

    awesome - powerpoint backgrounds

  4. #4
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: HIJACK ADS scan - quickest indication of a roo

    I'm not sure that HijackThis would have even seen that file if the rootkit was still running. If my understanding of rootkits is correct, they hide themselves from detection by that sort of program almost completely.

    I have never dealt with a rootkit personally (and hope I never have to). I'm basing my comment on what I've read about them.
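
Added example, not part of the original thread and not HijackThis code: a PowerShell sketch of the kind of ADS listing discussed above, using the built-in `Get-Item -Stream` parameter. The default root path, the ignore list and the variable names are assumptions. It reads streams through the normal Windows file APIs, so the point raised in the last reply applies to it as well.

```powershell
# Added example: list named alternate data streams (ADS) on files under a folder.
# Assumptions: Windows PowerShell 3.0 or later, an NTFS volume, an elevated prompt.
param(
    # Assumed default: the area mentioned in the thread.
    [string]$Root = "$env:SystemRoot\System32",
    # Streams treated as expected; Zone.Identifier is the download marker
    # that Windows attaches to files fetched from the internet.
    [string[]]$IgnoreStreams = @('Zone.Identifier')
)

$findings = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * returns every stream on the file, including the
        # unnamed default stream, which is reported as ':$DATA'.
        Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
    } |
    Where-Object {
        $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream
    } |
    Select-Object FileName, Stream, Length

if ($findings) {
    # Each row is "file : stream", the same shape as the ADS Spy result
    # described in post #3. A hit is a lead to investigate, not proof.
    $findings | Sort-Object Length -Descending | Format-Table -AutoSize
} else {
    Write-Output "No unexpected named streams found under $Root"
}

# Directories can carry named streams too; this sketch only checks files.
```

An empty result from a running system does not rule anything out; running the same listing against the disk from a known-clean boot environment avoids relying on the suspect system's own file APIs.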
