I will forward the Rustock(Lzx32.sys) file extracted from ADS generated by this test to you for your inspection My assumption previously(whether or not in error which it might have been )is that there is no reference to PE386 service entries or Lzx32.sys in the tool reports = failure to detect Rustock B by the tested tool. ** Attached is report log produced by Unhackme during this test run.ħ)Last "check me now" scan after bootime sequence = All clear,no trojan present *warning dialogue box moved so behind report box is visible.Ī quick check of all invisible/deleted keys show all detections has *RKU* listed in them Thank you for returning your findings,I reran my test model for the following sample that was sent to you inorder to recheck i was not mistaken or in error etcĢ)Enabled resident scan & Boottime scan and then rebooted.ģ)Nothing detected at bootime or check me now scanĤ)Executed Winsys32.exe No alert from resident scan or check me now.ĥ)Executed Rootkit Unhooker(My resident ARK/ADS tool) to confirm Lzx32.sys had loaded into ADS,inline hook was dropped and hidden driver visible.Ħ)Reboot for boottime check= Unhackme warning box Now I'm going to play some melodies on my guitar and going to sleep some hours. It can work as the device driver and it can decline the loading of the specified boot drivers. I can use the boot CD to do it but I think I have a good solution using regrunrm.sys driver. The lzx32.sys driver hooked the registry/files and doesn't allow the Partizan to delete it. The same thing I can see using RegRun Trojan Analyzer (included to the Platinum): It's correctly identified the real driver PE386. I can see teh contents of the driver in the Windows using the sample command: I thiunk they are used to confuse a user. UnHackMe detects (using Partizan) a lot of rootkits keys.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |