Computer Security - Download freeware RKR scanning software (detect Sony rootkit & others)
#1

Where can mere mortals download necessary WinXP RKR scanning software?

All over the airwaves is Mark Russinovich's Sysinternals admonition "most users stumble across cloaked files with an RKR scan". I've never run an RKR scan. I don't even know what an RKR scan is. But I, like all of us, am interested in the results of an RKR scan on my Windows PC. But, where do we obtain the RKR scanning freeware download?

Pamela
pamelafiischer@yahoo.com

#2

Posts: n/a

wrote:

> Where can mere mortals download necessary WinXP RKR scanning software?
>
> All over the airwaves is Mark Russinovich's Sysinternals admonition
> "most users stumble across cloaked files with an RKR scan". I've never
> run an RKR scan. I don't even know what an RKR scan is. But I, like all
> of us, am interested in the results of an RKR scan on my Windows PC.
>
> But, where do we obtain the RKR scanning freeware download?
>
> Pamela

From Mark Russinovich himself:
http://www.sysinternals.com/utilitie...trevealer.html

--
Napster, gets down and... http://www.getthewholething.co.uk/
Trax

#3

Posts: n/a

wrote:

> Where can mere mortals download necessary WinXP RKR scanning software?

I should have noted that even though I've never installed Sony CD software (to my knowledge), when I created & then renamed a text file to "$sys$myfile.txt", it immediately disappeared from view.

That in and of itself makes me suspect incipient malware other than Sony audio CDs, which makes me now want to run the freeware rootkit scanner everyone is alluding to even more urgently.

But where do we obtain this freeware RKR scanner for Windows XP?

Pamela
pamelafiischer@yahoo.com

#4

Posts: n/a

wrote:

> wrote:
>> Where can mere mortals download necessary WinXP RKR scanning software?
>
> I should have noted that even though I've never installed Sony CD
> software (to my knowledge), when I created & then renamed a text file
> to "$sys$myfile.txt", it immediately disappeared from view.
>
> That in and of itself makes me suspect incipient malware other than
> Sony audio CDs, which makes me now want to run the freeware rootkit
> scanner everyone is alluding to even more urgently.

If you're comfortable editing your system: http://www.sysinternals.com/Blog/

Scroll down to "Sony, Rootkits and Digital Rights Management Gone Too Far". Towards the end Mark explains how he deleted it, and so can you with the info.

All files are located in Windows\system32\$sys$filesystem. You can't see the directory, but you can enter it by accessing it directly in a CMD window, i.e.:

    Windows\system32> CD $sys$filesystem

--
Napster, gets down and... http://www.getthewholething.co.uk/
Trax

#5

Posts: n/a

Trax wrote:

> All files are located in Windows\system32\$sys$filesystem. You can't
> see the directory, but you can enter it by accessing it directly in a
> CMD window, i.e.:
>
> Windows\system32> CD $sys$filesystem

Thanks Trax. I just finished the RKTDU scan with the results shown below. Does this look suspicious to you, or are these normal rootkit discrepancies?

Note that I removed the numbers for fear they may have contained personal identification information (what are those 8-4-4-4-12 character numbers anyway?).

HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s0 11/19/2005 3:06 AM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s1 11/19/2005 3:06 AM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s2 11/19/2005 3:06 AM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\g0 11/19/2005 3:06 AM 32 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\h0 11/19/2005 3:06 AM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\number 3/21/2005 2:24 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\33084D91d01 11/19/2005 10:24 PM 16.84 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\9ED97802d01 11/19/2005 10:24 PM 37.73 KB Visible in directory index, but not Windows API or MFT.

pamelafiischer@yahoo.com

#6

Posts: n/a

Trax wrote:

> http://www.sysinternals.com/utilitie...trevealer.html

Aha! So simple. So elegant. A RKTDU right under my nose!
http://www.sysinternals.com/utilitie...trevealer.html

I downloaded and executed this freeware Windows XP Sysinternals RootKitRevealer.exe Rootkit Detection Utility (RKTDU), version 1.56, just now on an idle system and was much chagrined to find voluminous reports of "Key name contains embedded nulls (*)", "Hidden from Windows API", "Visible in directory index, but not Windows API or MFT", etc. discrepancies.

Is this normal, to find so many of these RKTDU registry discrepancies?

Pamela
pamelafiischer@yahoo.com

#7

Posts: n/a

wrote:

> Trax wrote:
>> http://www.sysinternals.com/utilitie...trevealer.html
>
> Aha! So simple. So elegant. A RKTDU right under my nose!
> http://www.sysinternals.com/utilitie...trevealer.html
>
> I downloaded and executed this freeware Windows XP Sysinternals
> RootKitRevealer.exe Rootkit Detection Utility (RKTDU), version 1.56,
> just now on an idle system and was much chagrined to find voluminous
> reports of "Key name contains embedded nulls (*)", "Hidden from Windows
> API", "Visible in directory index, but not Windows API or MFT", etc.
> discrepancies.
>
> Is this normal, to find so many of these RKTDU registry discrepancies?

I don't know, so I ran it myself; I dual boot and it checked both systems against a registry file I can only guess is from my operating OS. Got a ton of bad listings.

Bottom line is you did the acid test and it proved positive ($sys$myfile.txt), and you need to take action...

--
Napster, gets down and... http://www.getthewholething.co.uk/
Trax

#8

Posts: n/a

wrote:

> C:\Documents and Settings\Administrator\Local Settings\Application
> Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\33084D91d01
> 11/19/2005 10:24 PM 16.84 KB Visible in directory index, but not
> Windows API or MFT.
> C:\Documents and Settings\Administrator\Local Settings\Application
> Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\9ED97802d01
> 11/19/2005 10:24 PM 37.73 KB Visible in directory index, but not
> Windows API or MFT.

All of the registry nulls look OK to me. I would focus first on hidden files rather than on hidden registry values. The two hidden files above were the only ones that might merit further investigation. I'm not positive these two files are signs of anything important.

Note that there are supposedly root kits that can disable Rootkit Revealer and make it fail to detect hidden files. For a second opinion, you might also search for rkdetect in www.google.com and run that as well. I think it's a little harder to run than just double-clicking on it; I think you may have to run it at the command line. Using the same method to find and run Hijack This! and post the logs to their web site may also be helpful.

> Note that I removed the numbers for fear they may have contained
> personal identification information (what are those 8-4-4-4-12
> character numbers anyway?).

Depending on where they are in the registry, those numbers generally uniquely identify a program, user or other object. Here they are CLSID or Class ID numbers, which Microsoft defines as: http://www.microsoft.com/technet/pro...efclassid.mspx

A universally unique identifier (UUID) that identifies a COM component. Each COM component has its CLSID in the Windows Registry so that it can be loaded by other applications.

karl levinson, mvp

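Karl's advice amounts to a triage order over the RootkitRevealer log: look at hidden files before hidden registry values, and treat the embedded-null CLSID keys as the least interesting bucket. The script below is an added example (not from the thread, not Sysinternals code) that parses lines in the layout Pamela posted and sorts them into those buckets. The sample log is constructed from her output with the CLSID replaced by a placeholder; the parsing regex and the bucket names are assumptions of this example.

```python
import re

# Constructed sample of RootkitRevealer text output in the layout quoted in the
# thread: "<path> <date> <time> <size> <discrepancy>". The CLSID is a placeholder
# rather than a real value; the file paths are the two Pamela posted.
SAMPLE_OUTPUT = r"""
HKLM\SOFTWARE\Classes\CLSID\{PLACEHOLDER-CLSID}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s0 11/19/2005 3:06 AM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\g0 11/19/2005 3:06 AM 32 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\33084D91d01 11/19/2005 10:24 PM 16.84 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\9ED97802d01 11/19/2005 10:24 PM 37.73 KB Visible in directory index, but not Windows API or MFT.
"""

# One output line: a path (may contain spaces), a US-style date, a 12-hour time,
# a size with unit, and the free-text discrepancy description. This layout is an
# assumption taken from the lines quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB) "
    r"(?P<desc>.+)$"
)
UNIT_BYTES = {"bytes": 1, "KB": 1024, "MB": 1024 * 1024}


def parse_rkr(text):
    """Turn RootkitRevealer output into a list of dicts; lines that do not match
    the layout (headers, blank lines) are skipped rather than guessed at."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        path = m.group("path")
        entries.append({
            "path": path,
            # Registry hives start with HK...; anything else is a file-system path.
            "scope": "registry" if path.upper().startswith("HK") else "filesystem",
            # RootkitRevealer marks key names with embedded nulls with a trailing '*'.
            "embedded_nul": path.endswith("*"),
            "timestamp": f"{m.group('date')} {m.group('time')}",
            "size_bytes": round(float(m.group("size")) * UNIT_BYTES[m.group("unit")]),
            "desc": m.group("desc").rstrip("."),
        })
    return entries


def triage(entries):
    """Group findings in the order Karl suggests looking at them: hidden files
    first, hidden registry values second, embedded-null key names (which he
    judged benign in this log) last."""
    buckets = {"hidden_files": [], "hidden_registry": [], "embedded_nul_keys": []}
    for e in entries:
        if e["scope"] == "filesystem":
            buckets["hidden_files"].append(e["path"])
        elif e["embedded_nul"]:
            buckets["embedded_nul_keys"].append(e["path"])
        else:
            buckets["hidden_registry"].append(e["path"])
    return buckets


def summarize(entries):
    """Count discrepancies by description, to see at a glance which kinds
    dominate a long log."""
    counts = {}
    for e in entries:
        counts[e["desc"]] = counts.get(e["desc"], 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_rkr(SAMPLE_OUTPUT)
    for desc, n in summarize(found).items():
        print(f"{n:3d}  {desc}")
    for bucket, paths in triage(found).items():
        print(f"\n[{bucket}]")
        for p in paths:
            print("  ", p)
```

Run it against a saved RootkitRevealer text export instead of SAMPLE_OUTPUT to get the same three buckets for a real scan; the per-description counts show whether a long log is really many kinds of discrepancy or, as in Pamela's case, a dozen copies of one benign kind.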
#9

Posts: n/a

In C/C++ programming:

A string is represented by a series of bytes, ended by a byte that has a value of zero. Lots of APIs (what we use to program Windows features) let you specify a length, meaning you can 'embed' nulls; normally once you reach the first null it is taken as 'end of the string'. Because most programs will only display up to the first null, anything after it will not be shown. Hence the problem.

- MR

wrote:

> Trax wrote:
>> http://www.sysinternals.com/utilitie...trevealer.html
>
> Aha! So simple. So elegant. A RKTDU right under my nose!
> http://www.sysinternals.com/utilitie...trevealer.html
>
> I downloaded and executed this freeware Windows XP Sysinternals
> RootKitRevealer.exe Rootkit Detection Utility (RKTDU), version 1.56,
> just now on an idle system and was much chagrined to find voluminous
> reports of "Key name contains embedded nulls (*)", "Hidden from Windows
> API", "Visible in directory index, but not Windows API or MFT", etc.
> discrepancies.
>
> Is this normal, to find so many of these RKTDU registry discrepancies?
>
> Pamela

Mark Randall

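Mark's point is the difference between a NUL-terminated string and a length-counted buffer. The following added example (mine, not from the thread) makes that difference observable from Python by handing the same bytes to the C runtime through ctypes: c_char_p applies the C "stop at the first zero byte" rule, while string_at with an explicit length reads the whole buffer. The key name is constructed, and the '*' rendering mirrors the marker seen in Pamela's log; both are assumptions of this example.

```python
import ctypes

# Constructed key name: a visible prefix, an embedded NUL, then a tail that a
# NUL-terminated reader never reaches. Not a real registry key.
KEY_NAME = b"InprocServer32\x00hidden tail"
KEY_LEN = len(KEY_NAME)


def as_c_string(data: bytes) -> bytes:
    """What strlen()/'%s'-style code sees: bytes up to the first NUL.
    ctypes.c_char_p applies exactly the C rule Mark describes."""
    return ctypes.c_char_p(data).value


def as_counted_buffer(data: bytes, length: int) -> bytes:
    """What a length-counted API consumer sees: `length` bytes copied out of a
    raw C buffer, embedded NULs included, because the length is passed
    explicitly instead of being discovered by scanning for a terminator."""
    buf = ctypes.create_string_buffer(data, length)
    return ctypes.string_at(ctypes.addressof(buf), length)


def has_embedded_nul(data: bytes, length: int) -> bool:
    """Discrepancy check in the spirit of RootkitRevealer's '*' marker: the
    C-string view is shorter than the counted length, so ordinary tools will
    display only the prefix."""
    return len(as_c_string(data)) < length


def rkr_style_name(data: bytes, length: int) -> str:
    """Render a name the way the thread's log shows it: the visible prefix,
    with a trailing '*' when an embedded NUL cut it short."""
    prefix = as_c_string(data).decode("ascii", errors="replace")
    return prefix + ("*" if has_embedded_nul(data, length) else "")


if __name__ == "__main__":
    # Python's own bytes objects are length-counted, so repr() shows everything;
    # the C view is what most registry editors and listing tools actually use.
    print("counted view :", as_counted_buffer(KEY_NAME, KEY_LEN))
    print("C-string view:", as_c_string(KEY_NAME))
    print("as a tool would list it:", rkr_style_name(KEY_NAME, KEY_LEN))
```

The detection logic is the comparison in has_embedded_nul: a tool that knows the real length of the name and sees the C-string view come up short has found a name that NUL-terminated consumers cannot display in full, which is why such keys show up as discrepancies whether or not they are malicious.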
#10

Posts: n/a

karl levinson, mvp wrote:

> Note that there are supposedly root kits that can disable Rootkit Revealer
> and make it fail to detect hidden files. For a second opinion, you might
> also search for rkdetect in www.google.com and run that as well. I think
> it's a little harder to run than just double-clicking on it; I think you
> may have to run it at the command line. Using the same method to find and
> run Hijack This! and post the logs to their web site may also be helpful.

Rootkit Revealer implemented a defense mechanism against being disabled by spawning a randomly named copy of itself and running it as a service. This makes it very difficult for any other process to identify and disable Rootkit Revealer, but it also creates a tell-tale sign on any system that runs Rootkit Revealer: the randomly named program gets deleted, but the registry key for the service is left over pointing to a now deleted file. CrapCleaner will find and delete the "null" service, or you can manually edit the registry and delete the key.

You can also use the Microsoft method of identifying rootkits by following their instructions at http://research.microsoft.com/rootkit/

Reproduced here in part:

Simple steps you can take to detect some of today's ghostware:

Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.

Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.

Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). [You can get WinDiff here: http://www.grigsoft.com/download-windiff.htm ]

See Hacker Defender ghostware files revealed (highlighted) for an example. http://research.microsoft.com/rootki...dden_files.JPG

Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.

Andy Walker

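The Microsoft procedure Andy reproduces is a cross-view diff: list the volume from inside the suspect OS, list it again from a clean boot, and anything visible only from outside is a hiding candidate. WinDiff does the comparison in the original steps; the added example below (mine, not Microsoft's or the thread's) does the same comparison over two saved "dir /s /b" listings, case-insensitively as NTFS names are, and separates the two directions of difference. The listings are constructed (the $sys$ names follow the thread's own acid test, and PLACEHOLDER.sys is not a real file name), and the cloaking-pattern filter is an assumption of this example.

```python
# Constructed listings standing in for the output of "dir /s /b /ah" plus
# "dir /s /b /a-h" (bare full paths, hidden and non-hidden, recursive).
# INSIDE_VIEW is what the suspect OS reports about its own volume; OUTSIDE_VIEW
# is the same volume listed after booting a clean CD. The $sys$ names follow the
# thread's own example; none of this is real scan output.
INSIDE_VIEW = r"""
C:\WINDOWS\system32\drivers\etc\hosts
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\Temp\~DF1234.tmp
C:\Documents and Settings\Administrator\My Documents\notes.txt
"""

# The clean-boot listing happens to print drive and directory names in lower
# case; the comparison must not treat that as a difference.
OUTSIDE_VIEW = r"""
c:\windows\system32\drivers\etc\hosts
c:\windows\system32\kernel32.dll
C:\WINDOWS\system32\$sys$filesystem\PLACEHOLDER.sys
C:\Documents and Settings\Administrator\My Documents\notes.txt
C:\Documents and Settings\Administrator\My Documents\$sys$myfile.txt
"""


def load_listing(text):
    """Map a case-folded key to the path as listed; NTFS names are
    case-insensitive, and the two listings may not agree on case."""
    paths = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            paths[line.lower()] = line
    return paths


def cross_view_diff(inside_text, outside_text):
    """Compare the two views. Paths present only from outside are the
    file-hiding candidates (or files created between the two listings, which
    is where the false positives Andy mentions come from); paths present only
    inside were removed between listings and are noise rather than hiding."""
    inside = load_listing(inside_text)
    outside = load_listing(outside_text)
    return {
        "hidden_inside": sorted(outside[k] for k in outside.keys() - inside.keys()),
        "only_inside": sorted(inside[k] for k in inside.keys() - outside.keys()),
    }


def cloaking_pattern_hits(paths, marker="$sys$"):
    """Narrow the candidates to names carrying the prefix the thread's acid test
    relies on; the marker is a parameter because other hiders use other rules."""
    return [p for p in paths if marker.lower() in p.lower()]


if __name__ == "__main__":
    result = cross_view_diff(INSIDE_VIEW, OUTSIDE_VIEW)
    print("visible from outside only (hiding candidates):")
    for p in result["hidden_inside"]:
        print("  ", p)
    print("of those, matching the $sys$ cloaking rule:")
    for p in cloaking_pattern_hits(result["hidden_inside"]):
        print("  ", p)
    print("present inside only (noise, removed between listings):")
    for p in result["only_inside"]:
        print("  ", p)
```

To use it on real listings, save the inside and outside "dir" output to two files and pass their contents to cross_view_diff; as Andy notes, the method sees only the file system, so hiding in alternate data streams, bad sectors or firmware will not show up in either view.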