FYI: Rootkit Detection Utility Components

Status
Not open for further replies.
DelJo63

ZD.exe, EGOQGPR.exe and LPELLB.exe are components of the Rootkit Detection utility.

They ALL will reside at %UserProfile%\Local Settings\Temp and must be installed via an Admin account.

Bizarre names to be sure, but they are legit.

Jeff

Deckard's Scanner, HJT, et al. need to be updated to reflect this information.

edit: Location corrected.
Source: Sysinternals.com Rootkit Revealer

 
Where did you get this information from?
I'm concerned because they don't turn up anything in Google or Yahoo.
 
I installed the Package Rootkit Detection and ran it.

Later, I discovered three services by the names listed. Going to the directory
and exploring the Properties of each, I determined that all three were from
that package.
 
Hmm. Very interesting. Just curious, why did you use that btw, since there's Panda and AVG antirootkit recommended in our removal thread?

EDIT: It seems Google now turns up this thread as the only hit for those files hehe
 
Re Google: yes, I find that our threads are visible quite quickly.

Sysinternals is well respected too. I try multiple versions of security tools,
especially when they are free.

The motivation for the post was the bizarre names; I nearly panicked when I saw them! After my research,
I thought that they might be tagged as suspects in HJT et al log files and get errantly deleted.

My only concern would be the effort being made to keep this tool current.
 