spiritbeing (Cadet)
Joined: Oct 13, 2006 Posts: 2 Location: USA
Posted: Fri Oct 13, 2006 5:51 pm Post subject: Icesword, vsdatant

I ran Icesword and I found no red items for processes and win32 but I found a few in SSDT. All pointed to C:\systemRoot\System32\vsdatant.sys. The original and current addresses are different and maybe that's to protect itself from viruses trying to turn it off.
I'm also running ZoneAlarm and I understand that it uses this file, so maybe there is nothing wrong with this. Would this be a false positive?

PCBruiser (SRT Team Lead, Forums Admin)
Joined: May 11, 2005 Posts: 11723
Posted: Fri Oct 13, 2006 7:12 pm

Yes, a false positive, that is indeed ZA. Icesword reports on both good and bad rootkits, and ZA (like most firewalls) uses rootkit techniques to link into the OS at a very low level in the kernel.
BTW, I'm moving this thread to the Rootkit Revelations Forum where it is more appropriate, and marking it done since there is nothing to fix.
_________________
Don't read? Can't learn!

spiritbeing (Cadet)
Joined: Oct 13, 2006 Posts: 2 Location: USA
Posted: Fri Oct 13, 2006 8:10 pm

Thanks for the confirmation. From Icesword it looks like I can eliminate a rootkit as the possible cause. If the symptoms show up again I'll try other tools although Icesword is supposed to be one of the best if not the best.
I've tried NOD32, Spy Sweeper, Ad-Aware, Defender and ZoneAlarm, and nothing showed up, so I thought it might be a rootkit. I'll just keep my fingers crossed.
Thanks again.
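
As an added example, not part of the thread and not Icesword's own logic: a first-pass triage of SSDT rows like the ones discussed above, resolving each changed address to the driver that owns it. The module list, addresses, allowlist and the driver name msqx91.sys are constructed for illustration.

```python
import bisect
import ntpath

# Assumption: drivers the analyst has already verified (signature, vendor, path).
KNOWN_HOOKERS = {"vsdatant.sys": "ZoneAlarm firewall"}

# Constructed sample data, shaped like an SSDT scanner export: loaded kernel
# modules as (base, size, path) and SSDT rows as (service, original, current).
# msqx91.sys is a made-up driver name.
MODULES = [
    (0x804D7000, 0x214000, r"C:\WINDOWS\system32\ntoskrnl.exe"),
    (0xF6A10000, 0x05F000, r"C:\WINDOWS\System32\vsdatant.sys"),
    (0xF8B20000, 0x004000, r"C:\WINDOWS\system32\drivers\msqx91.sys"),
]
SSDT = [
    ("NtClose",              0x80567B5C, 0x80567B5C),
    ("NtCreateFile",         0x8056F2FC, 0xF6A2C1D0),
    ("NtTerminateProcess",   0x805822E0, 0xF6A2D9A0),
    ("NtQueryDirectoryFile", 0x80574C3E, 0xF8B21230),
    ("NtEnumerateKey",       0x8056EE68, 0x81F3A008),
]

def owner_of(addr, modules):
    """Return the path of the loaded module containing addr, or None."""
    mods = sorted(modules)
    i = bisect.bisect_right([m[0] for m in mods], addr) - 1
    if i >= 0 and addr < mods[i][0] + mods[i][1]:
        return mods[i][2]
    return None

def triage(ssdt, modules, known=KNOWN_HOOKERS):
    """Classify each SSDT row; only rows whose address changed can be hooks."""
    out = {}
    for service, original, current in ssdt:
        if current == original:
            out[service] = "unmodified"
            continue
        path = owner_of(current, modules)
        if path is None:
            # Target lies outside every listed module: hidden driver or pool code.
            out[service] = "hooked: no owning module (investigate first)"
        elif ntpath.basename(path).lower() in known:
            out[service] = "hooked: " + known[ntpath.basename(path).lower()]
        else:
            out[service] = "hooked: unrecognised driver " + path
    return out

if __name__ == "__main__":
    for service, verdict in triage(SSDT, MODULES).items():
        print(f"{service:22} {verdict}")
```

A file name match is only a first filter, since a malicious driver can reuse a trusted name; confirm the driver's path and digital signature before adding it to the allowlist.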