unable to define root kit

The following root kit was found, and I am unable to remove it or identify it.

It does not show up in a Google search.

\HKEY_USERS\S-1-5-21-1957994488-1659004503-839522115-1005

\HKEY_USERS\S-1-5-21-1957994488-1659004503-839522115-1005_Classes

Any ideas as to what it is?

OS - XP SP3

Sophos Anti-Rootkit 1.3.1

And before I'm asked, 1.5 does not work on my machine.

Thanks



  • Hi Gypsydan,

    Rootkits themselves are files rather than registry keys, so it's likely that the tool is just showing hidden registry keys on the machine. V1.3 is quite old and won't be as reliable as the newer versions.

    If you want to be 100% certain I'd suggest running a SBAV scan on the machine. BE VERY CAREFUL when running a SBAV scan; I suggest using the 'detect only' mode so as not to accidentally delete anything.

    http://www.sophos.com/en-us/support/knowledgebase/52053.aspx

    Andy

  • Do you have a link to a later copy of anti root kit?

    I have 1.5.1 and it does not work on our machine.

    I talked with tech support about 18 months ago and was not able to resolve the issue.

    If there is a later version, maybe it will work.

    Thanks,

  • Hello gypsydan,

    Looks like the tool has been merged into SVRT (although you can still find the separate version - now 1.5.20 - linked from here).

    The keys you posted belong to a user - Sysinternals' PsGetSid will show the display name of the account (if it still exists). It likely is not an indication of a rootkit.

    Christian

  • Thank you.

    May I inquire as to how you were able to find out the name of that key?

    Is there a DB which has the name, or is it a source internal to Sophos?

    Again, Thank You.

    Dan

  • Hello Dan,

    I'm not Sophos, just to avoid confusion.

    HKEY_USERS (HKU for short) is one of the registry root keys (please see this link for a short explanation). The presence of these keys suggests that another user was logged on at the time the scan ran. As the name is the user's SID (which is in principle unique unless this machine is a clone of another one), you won't find it elsewhere (including in a search on the Internet).

    HTH

    Christian

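The check Christian describes (resolve each HKU subkey's SID to an account name, PsGetSid-style) can be done from PowerShell without any extra tools. This is an added example, not code from the thread or from Sophos; it assumes Windows PowerShell with the default Registry provider and the .NET `SecurityIdentifier` class, both of which exist on Windows XP SP3 with PowerShell 2.0 onwards. The function and variable names are the example's own.

```powershell
# Added example: list every HKEY_USERS subkey and resolve SID-shaped names to accounts.
# Not from the original thread; assumes the built-in Registry: provider and .NET 2.0+.

function Resolve-HkuSid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        # Same lookup PsGetSid performs: SID -> DOMAIN\name via LSA
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Invalid SID (e.g. ".DEFAULT") or account no longer exists / belongs to another machine or domain
        $null
    }
}

function Get-HkuAccounts {
    Get-ChildItem -Path Registry::HKEY_USERS | ForEach-Object {
        $keyName = $_.PSChildName
        # "<SID>_Classes" is the per-user HKCR view loaded next to the profile hive; it is the same user
        $sid = $keyName -replace '_Classes$', ''
        $account = Resolve-HkuSid $sid
        $kind = if ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
            # S-1-5-21-<machine/domain id>-<RID>: RIDs >= 1000 are created accounts, 500/501 are Administrator/Guest
            if ([int]$matches[1] -ge 1000) { 'local/domain user' } else { 'built-in user' }
        } else {
            'well-known (.DEFAULT, SYSTEM, LOCAL SERVICE, NETWORK SERVICE, ...)'
        }
        New-Object PSObject -Property @{
            Key     = $keyName
            Sid     = $sid
            Kind    = $kind
            Account = if ($account) { $account } else { '(unresolved)' }
        }
    }
}

# Resolve a single SID, as posted in the thread, and then show the whole hive
Resolve-HkuSid 'S-1-5-21-1957994488-1659004503-839522115-1005'
Get-HkuAccounts | Format-Table Key, Kind, Account -AutoSize
```

On the poster's machine the first call should print the name of whichever account has RID 1005, i.e. one of the accounts created after setup (the three numbers between `S-1-5-21-` and `-1005` identify the machine, which is why a web search for them turns up nothing). A `(unresolved)` result for an `S-1-5-21-...` key means the profile hive is loaded but the account was deleted, or the SID was issued by another machine or domain; that is worth a second look, but it is still a registry key, not a rootkit driver. If you prefer the Sysinternals tool, `psgetsid S-1-5-21-1957994488-1659004503-839522115-1005` gives the same answer.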
  • Your name, QC, Executive VP is confusing and misleading if you are going to use it on this forum. 

    Thank you for your help anyway.

    Dan

    Executive VP is confusing - perhaps so, Dan. It's not part of the name but the forum rank (one of the "higher" ones I think). :)

    Any more questions about the suspected root kit or is it clear now?

    Christian

  • All clear.

    Thanks for your help.

    Dan

  • Thank you for your reply.

    As a newbie coming onto the site, I was referring to other sites, where executives of the company would be online and state the level of their engagement with the company. So, I thought he was an Executive VP with Sophos. An obvious thing to believe, if you're new to the site.

    I appreciate the way everyone is so helpful and thoughtful on this forum.

    Keep up the good work.

    Dan

  • Hi all,

    Perhaps you have all spotted this, but it doesn't get an explicit mention. QC is an "Executive VIP" as in Very Important Person, not an "Executive VP" as in Vice President. He doesn't work for Sophos. He got bumped from VIP to E/VIP when his posts count exceeded 2,000. I don't know what we'll do when he gets to 3,000 (not far off).

    Cheers,

    spike.
