G. Morgan

David said:
Gmer has to run from within the possibly affected OS.

Has the report gotten any easier to decipher for the layman? I tried it 2
years ago and had to email the author for his interpretation because frankly,
I didn't understand it.

Dustin Cook

(e-mail address removed) wrote in
Do you read? http://en.wikipedia.org/wiki/Rootkit

Or would you rather a PayPal account be set up for you.

Of course you didn't run this Gmer program from your OS, use a USB
boot drive or BOOT CD, the HP program SP27213.exe can create a
bootable USB pen drive, freebies.

Gmer should be run from the affected host. I don't know where you're
getting your information from.

1PW

David said:
From: "1PW" <[email protected]>


| Hello Wolf & Dave:

| The most recent GMER (1.0.15.15011), when run on my (GRUB) dual-boot
| RHEL5/XP Pro SP3 x86 32bit system, fails to show any comments like
| "rootkit like behaviour".

| However, this might best be described as comparing apples to oranges
| and could be inconclusive without further and much closer like
| comparisons.

| HTH

| Pete
| --
| 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Gmer has to run from within the possibly affected OS.

Hello Dave:

Yes. During my above test, I booted into XP Pro where the latest GMER
ran unvirtualized. I did /not/ run GMER under Red Hat Linux with
Wine. I apologize if I hadn't made all as clear as I should.

Hence, my GMER (running totally under XP) was able to /see/ my
probable Red Hat Enterprise Linux modified boot block, but reported
nothing suspicious.

Warm regards to all,

Pete

David H. Lipman

From: "G. Morgan" <[email protected]>


| Has the report gotten any easier to decipher for the layman? I tried it 2
| years ago and had to email the author for his interpretation because frankly,
| I didn't understand it.


Because of the low level nature of its functionality, there are always areas that may need
more expert interpretation. Most well known malware and hooks will however be identified.

Aardvark

From: "G. Morgan" <[email protected]>



| Has the report gotten any easier to decipher for the layman? I tried it 2
| years ago and had to email the author for his interpretation because frankly,
| I didn't understand it.


Because of the low level nature of its functionality, there are always
areas that may need more expert interpretation. Most well known malware
and hooks will however be identified.

Please set your newsreader's (ha-ha) configuration to use a caret (>) to
mark the beginning of lines of quoted text. Because you are using the pipe
symbol (|) to do this, it makes it difficult to decipher who said what for
those of us who use proper newsreaders which colour code different depths
of quotes. In my newsreader what the most recent poster wrote is coded
black, what he has quoted of the previous post has lines beginning with a
caret and colour coded green, what he has quoted of the post before that
has lines beginning with two carets and coded orange and so on.

When I read a reply that you posted to someone, what you wrote is the same
is in black text. Because you used the pipe symbol to quote lines a proper
newsreader doesn't recognise that as quoted text and therefore it shows up
black, just like yours.

Half the time when I'm reading a posted reply from you, I'll read most of
what you are quoting before I realise there's a pipe symbol somewhere in a
line of text and that I'm reading the previous post again.

You'll notice that above, where I've quoted your post, my newsreader has
placed a caret symbol in front of every quoted line of text. The only way
for anyone to tell that some is what you wrote and that some possibly
isn't is the fact that some of the lines of text contain pipe symbols in
random places. At the beginning of lines of text I've quoted, if you wrote
it, they should begin with one caret, anything written by a previous
poster with two carets, three for quoted text from the poster before that
and so on.

Thanks in advance for your consideration.
 
David H. Lipman

From: "Aardvark" <[email protected]>


| Please set your newsreader's (ha-ha) configuration to use a caret (>) to
| mark the beginning of lines of quoted text. Because you are using the pipe
| symbol (|) to do this, it makes it difficult to decipher who said what for
| those of us who use proper newsreaders which colour code different depths
| of quotes. In my newsreader what the most recent poster wrote is coded
| black, what he has quoted of the previous post has lines beginning with a
| caret and colour coded green, what he has quoted of the post before that
| has lines beginning with two carets and coded orange and so on.

| When I read a reply that you posted to someone, what you wrote is the same
| is in black text. Because you used the pipe symbol to quote lines a proper
| newsreader doesn't recognise that as quoted text and therefore it shows up
| black, just like yours.

| Half the time when I'm reading a posted reply from you, I'll read most of
| what you are quoting before I realise there's a pipe symbol somewhere in a
| line of text and that I'm reading the previous post again.

| You'll notice that above, where I've quoted your post, my newsreader has
| placed a caret symbol in front of every quoted line of text. The only way
| for anyone to tell that some is what you wrote and that some possibly
| isn't is the fact that some of the lines of text contain pipe symbols in
| random places. At the beginning of lines of text I've quoted, if you wrote
| it, they should begin with one caret, anything written by a previous
| poster with two carets, three for quoted text from the poster before that
| and so on.

| Thanks in advance for your consideration.

I will give it due consideration.

ASCII

Aardvark said:
Please set your newsreader's (ha-ha) configuration to use a caret (>) to
mark the beginning of lines of quoted text. Because you are using the pipe
symbol (|) to do this, it makes it difficult to decipher who said what for
those of us who use proper newsreaders which colour code different depths
of quotes. In my newsreader what the most recent poster wrote is coded
black, what he has quoted of the previous post has lines beginning with a
caret and colour coded green, what he has quoted of the post before that
has lines beginning with two carets and coded orange and so on.

When I read a reply that you posted to someone, what you wrote is the same
is in black text. Because you used the pipe symbol to quote lines a proper
newsreader doesn't recognise that as quoted text and therefore it shows up
black, just like yours.

Half the time when I'm reading a posted reply from you, I'll read most of
what you are quoting before I realise there's a pipe symbol somewhere in a
line of text and that I'm reading the previous post again.

You'll notice that above, where I've quoted your post, my newsreader has
placed a caret symbol in front of every quoted line of text. The only way
for anyone to tell that some is what you wrote and that some possibly
isn't is the fact that some of the lines of text contain pipe symbols in
random places. At the beginning of lines of text I've quoted, if you wrote
it, they should begin with one caret, anything written by a previous
poster with two carets, three for quoted text from the poster before that
and so on.

Thanks in advance for your consideration.

I haven't used PAN in quite a while, but in Forte Agent there is a
setting [Options] [Display Preferences] [Messages] in which you can list
any and all quoted text markers you choose. I have carets, pipes, and
colons as the standard included ones, and sometimes when someone only
places a solitary smiley it shows as previously quoted text. Obvious and
easily corrected, however.

David H. Lipman

From: "Aardvark" <[email protected]>


| It would seem that you didn't.


I wrote I would consider it. I did NOT write nor in any way indicate that I would make
the change ASAP.

Your reply has thus lowered the consideration of the request in my queue.

Dustin Cook

From: "Aardvark" <[email protected]>



| It would seem that you didn't.


I wrote I would consider it. I did NOT write nor in any way indicate
that I would make the change ASAP.

Your reply has thus lowered the consideration of the request in my
queue.

It was already circling the drain wasn't it? :)

Pennywise

Dustin Cook said:
(e-mail address removed) wrote in
Gmer should be run from the affected host. I don't know where you're
getting your information from.

Run a few

IceSword122en
catchme.exe
mbr.exe
szfstxxx.exe
RootkitRevealer.zip
rku
Rootkit_RKU_Results.txt
ossec-agent-win32-2.0_RootKitFinder.exe
gmer.exe
DarkSpy105.exe
DarkSpy105Help.chm
RootkitRevealer.exe
RootkitRevealer.chm
Eula.txt
New Text Document_second_Try.txt
RootkitReveal_Reviels.txt
sanitySetup.exe

And done my reading

"The best, and most reliable, method for operating system-level
rootkit detection is to shut down the computer suspected of infection,
and then to check its storage by booting from an alternative trusted
medium (e.g. a rescue CD-ROM or USB flash drive)[citation needed]. A
non-running rootkit cannot actively hide its presence, and most
established antivirus programs will identify rootkits armed via
standard OS calls (which are often tampered with by the rootkit) and
lower level queries, which ought to remain reliable. If there is a
difference, the presence of a rootkit infection should be assumed.
Running rootkits attempt to protect themselves by monitoring running
processes and suspending their activity until the scanning has
finished; this is more difficult if the rootkit is not allowed to
run.[citation needed]"
http://en.wikipedia.org/wiki/Rootkit

Citations needed, if you have a problem with the answer, edit it.

FromTheRafters

"The best, and most reliable, method for operating system-level
rootkit detection is to shut down the computer suspected of infection,
and then to check its storage by booting from an alternative trusted
medium (e.g. a rescue CD-ROM or USB flash drive)[citation needed].

[...]

Wikipedia is good, but this describes everyday malware detection, not
rootkit activity.

Pennywise

FromTheRafters said:
"The best, and most reliable, method for operating system-level
rootkit detection is to shut down the computer suspected of infection,
and then to check its storage by booting from an alternative trusted
medium (e.g. a rescue CD-ROM or USB flash drive)[citation needed].

Wikipedia is good, but this describes everyday malware detection, not
rootkit activity.[/QUOTE]

Dark Spy:

"4.run get script with boot CD -> Offline Analyze-> run set script
with boot CD:use this solution, you should have a boot CD. First
generate the boot scripts (e.g. if you select XX for the new file
name, and the script will be XX_get.cmd and XX_set.cmd). Then
successfully restart your computer, and run get script ( XX_get.cmd )
with the boot CD, at this time you will have two more files (XX,
XX.log), the non-log file ( XX )is the hive you want to deal with.
Edit and save, then restart the computer again and run set script (
XX_set.cmd )."

5.Offline Analyze:Analyze the saved hive file. usage: Click"Offline
Analyze",then select the hive to analyze (view and edit).


These are out of order: 5) is a part of the program's Functionalities
(sic), 4) is how to do it.

Aardvark

From: "Dustin Cook" <[email protected]>




| It was already circling the drain wasn't it? :)


Right down the drain "Pan". :)

Welcome to my bozo bin. If your words are too difficult to separate from
words of others that you quote in their posts, I'm not going to make the
effort. Life's too ****ing short.

David H. Lipman

From: "Aardvark" <[email protected]>


| Welcome to my bozo bin. If your words are too difficult to separate from
| words of others that you quote in their posts, I'm not going to make the
| effort. Life's too f**king short.

Thank you !

Obviously the world revolves around you.

You have a problem with Pan, and you want me to change the way I post, when YOU can fix Pan or
use another NNTP client.

William Poaster

From: "Aardvark" <[email protected]>



| Welcome to my bozo bin. If your words are too difficult to separate from
| words of others that you quote in their posts, I'm not going to make the
| effort. Life's too f**king short.

Thank you !

Obviously the world revolves around you.

You have a problem with Pan, and you want me to change the way I post, when
YOU can fix Pan or use another NNTP client.

X-Newsreader: Microsoft Outlook Express 6.00.2900.5512

Figures, an idiot that can't use his newsreader properly.

In MS Outlook Express you need to select the <Tools> drop-down menu, and
from that select <Options>. Click on the tab that says <Send> and make
sure that you have "Plain Text" selected under "Mail Sending Format".
Click on <Plain Text Settings...> and make sure the box to the left of
"Indent the original text with" is checked, and ">" is selected in the
box to the right. Click on <Apply> and then on <OK> and you are all set.


Though he probably still won't bother.

<PLONK>

G. Morgan

William said:
Figures, an idiot that can't use his newsreader properly.

In MS Outlook Express you need

<slap>
Lipman doesn't need to do anything.


Oh for crying out loud. If the recipient wants the "color coding" feature of
his newsreader to work, then *he* has to configure it to work. Just because
the default settings don't fit his needs does not mean others have to change
the way they post.