Hidden Rootkit

Does anyone know what this unremovable rootkit belongs to?

There is no other available info on it.

Is there a way to remove it, without rebuilding HD?

\HKEY_USERS\S-1-5-21-1390067357-299502267-725345543-1006

\HKEY_USERS\S-1-5-21-1390067357-299502267-725345543-1006_Classes

Running XP-SP3
  • These are registry keys - the usual root (no pun intended) keys for the user with the SID ending in 1006.

    Christian
  • I have the same issue.

    Since it is a rootkit, I am most interested in finding out what the SID identifies, but am unable to read the hex code identifier. See attached.
  • Hello gypsydan,

    Sysinternals' psgetsid.exe will translate a SID to an account (user name) and vice versa. I don't think this is an indication of a rootkit though - could you please post SAR's output?

    Christian

  • Thank you Christian,

    HKEY_USERS_S-1-5-21-1390067357-299502267-725345543-1006 is hidden, wouldn't that make it a rootkit?

    What is SAR?

    Using XP Home.

    Using version 1.3.1 of Sophos Anti-Rootkit.

    V.1.5 will not work on my machine.

    Dan
  • SAR is Sophos Anti-Rootkit.
    Not everything hidden or seemingly inaccessible is a rootkit. And the Home editions have a special twist (like Win9x). If you are really worried that you are rooted, tell us what makes you think so - and post as much of the output as possible. But I'd say what you've got is just caused by normal "evolution" of a home system.

    Prudence is a virtue - Paranoia is an Art ;-)
    Christian
  • Hi Christian,

    You are probably correct, this might not be a rootkit.

    But then what would it be? For when I run SAR the registry key shows as hidden, BUT I can also see it in the registry. Why?

    AND, this was an nVidia user ID for their latest releases, see this link

    Apparently they are trying to hide user IDs for gamers

    Dan

  • Hello Dan,

    Good work. Guess you've found the cause.

    Hidden doesn't mean totally invisible - how else could SAR find it? Maybe this explanation can make it a little bit clearer: names of objects (files, folders, registry keys, ...) are recorded in a parent object. If you have at least read access to the parent object you can enumerate these names. Sometimes the Windows interfaces (e.g. Explorer) hide (by default, but you can de-select this) the (names of) objects because of certain attributes or ACLs (access control lists). If you have a folder where only SYSTEM has access (System Volume Information is an example) you will get "Access denied" when trying to open it. But using the properties dialog you - as administrator - can take ownership, then add yourself to the access list, and then you'll see what's inside (no, I don't recommend you try it).

    Sometimes a vendor thinks that users must be protected from themselves (and their product from the users) and they try to hide certain data from casual inspection and alteration (and in some cases try to enforce intellectual property rights this way). While often (but not always) done with good intentions, this approach is arguable - as you see yourself.

    This is why SAR (and similar products) only speak of possibilities unless additional findings (or matching signatures) confirm that the detected item belongs to a rootkit.

    Christian
  • Anti-Rootkit tools (including Sophos) scan at a high level using APIs and at a low level (raw content) and then compare the difference.

    Therefore items can be hidden to the API scan but exist in the raw scan that are not malicious at all so items show hidden for legitimate reasons.

    Also temporary files that are present in one scan and not the other will show.

    This will account for many of the hidden items (scan difference) seen when a rootkit is not present on a machine.

    Please also remember that some of the more complex rootkits will have more complex techniques (anti-anti-rootkit) and will be aware of a raw data scan occurring, and so will unhook and therefore avoid detection. But a rootkit will be there to do something in order to generate revenue for the author, and there is always a tell, so please contact support if you are uncertain of what any Anti-Rootkit scan shows.
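For the SID question raised earlier in the thread (what `S-1-5-21-1390067357-299502267-725345543-1006` identifies, and the "hex code identifier" Dan could not read), the following decoder shows the structure of that key name. This is an added example, not code from the thread or from Sophos; it only parses the SID's text and binary forms offline, so the live account lookup still needs psgetsid.exe on the machine, and the well-known RID table is a constructed subset for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# RIDs that Windows assigns to built-in accounts in the S-1-5-21-... domain (constructed lookup table)
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


@dataclass(frozen=True)
class Sid:
    """A Windows security identifier, as shown under HKEY_USERS (S-1-5-21-...-1006)."""
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        # Textual form: S-<revision>-<authority>-<sub1>-...-<subN>
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID string: {text!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    @classmethod
    def from_bytes(cls, raw: bytes) -> "Sid":
        # Binary form (the hex identifier regedit shows): revision (1 byte), sub-authority
        # count (1 byte), authority (6 bytes big-endian), then count x uint32 little-endian
        revision, count = raw[0], raw[1]
        if len(raw) != 8 + 4 * count:
            raise ValueError(f"expected {8 + 4 * count} bytes, got {len(raw)}")
        authority = int.from_bytes(raw[2:8], "big")
        return cls(revision, authority, struct.unpack(f"<{count}I", raw[8:]))

    def to_bytes(self) -> bytes:
        n = len(self.sub_authorities)
        return (bytes([self.revision, n]) + self.identifier_authority.to_bytes(6, "big")
                + struct.pack(f"<{n}I", *self.sub_authorities))

    def describe(self) -> str:
        # Account SIDs look like S-1-5-21-<three machine/domain values>-<RID>
        subs = self.sub_authorities
        if self.identifier_authority != 5 or len(subs) != 5 or subs[0] != 21:
            return f"not a machine/domain account SID (authority {self.identifier_authority})"
        rid = subs[-1]
        if rid in WELL_KNOWN_RIDS:
            return f"built-in account {WELL_KNOWN_RIDS[rid]} (RID {rid})"
        if rid >= 1000:
            return f"account created on this machine or domain (RID {rid})"
        return f"reserved RID {rid}"
```

The three middle values (1390067357-299502267-725345543) identify the machine or domain that issued the SID, and a RID of 1000 or above is an ordinary account created after installation, which is why Christian read the key as a normal user hive rather than a rootkit artifact.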