Re: Windows Me "User Connected"
From: nemo outis (outis_at_erewhon.com)
Date: Thu, 24 Feb 2005 23:56:34 GMT
In article <firstname.lastname@example.org>, winged
>David H. Lipman wrote:
>> I was just made aware of a new utility by Sysinternals
>> "RootkitRevealer is an advanced root kit detection utility. It runs on
>> Windows NT4 and higher and its output lists Registry and file system API
>> discrepancies that may indicate the presence of a user-mode or kernel-mode
>> rootkit. RootkitRevealer successfully detects all rootkits published at
>> www.rootkit.com, including AFX, Vanquish and
>Thanks, I hadn't used this one before. It is in my toolbox now. I
>tested it on a known compromised virtual and the rootkit stood right
>out. It doesn't ID ADS (Alternate Data Stream) rootkits that I could see
>but it is a very useful tool, once I figured out what I was looking at.
Sysinternals also has an ADS tool (Streams v1.5.1) as do many
However, the best tool for actually manipulating (writing, etc.)
ADSs that I have found (although I haven't looked all that hard)
is called "ntfs streams info" at:
There are cracks out there for it (but they don't seem to work on
the latest version from the site - although they DO work for
earlier versions with the same release number: 2.1).
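Since the thread notes that RootkitRevealer does not surface ADS rootkits and points at third-party stream tools, here is an added example (not from the original thread or from any of the tools it names) showing the same enumeration and manipulation of NTFS alternate data streams with the built-in PowerShell 3.0+ cmdlets, which postdate this 2005 post. It assumes an NTFS volume; the file path, stream name and function name are placeholders chosen for the example.

```powershell
# Added example (not from the original thread): enumerate and manipulate NTFS
# alternate data streams with the PowerShell 3.0+ -Stream parameter.
# Assumes an NTFS volume; the demo path and stream name are placeholders.

# 1. Create a demo file and hide a payload in an ADS named "hidden".
$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $demo -Value 'visible content'
Set-Content -Path $demo -Stream 'hidden' -Value 'payload that dir and Explorer will not show'

# 2. List every stream on the file. Every file has the unnamed ':$DATA' stream;
#    anything else is an alternate stream worth inspecting.
Get-Item -Path $demo -Stream * | Select-Object Stream, Length

# 3. Read the alternate stream back (the main content is untouched).
Get-Content -Path $demo -Stream 'hidden'

# 4. Sweep a directory tree for files carrying alternate streams. Zone.Identifier
#    is the common benign case (mark-of-the-web on downloaded files), so it is
#    filtered out unless explicitly requested. Function name is hypothetical.
function Find-AlternateStreams {
    param([string]$Root, [switch]$IncludeZoneIdentifier)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                Select-Object FileName, Stream, Length
        }
}

Find-AlternateStreams -Root $env:TEMP

# 5. Remove only the alternate stream; the file and its main content remain.
Remove-Item -Path $demo -Stream 'hidden'
```

The sweep in step 4 is the check a practitioner wants alongside a rootkit scanner: a file whose main stream looks clean can still carry an executable or script in a named stream, and only a stream-aware listing will show it. The Sysinternals Streams tool the post mentions does the same enumeration from the command line (`streams -s <dir>`).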