«

Andy Walker warned:
> Rootkit Revealer implemented a defense mechanism against being
> disabled by spawning a randomly named copy of itself and running it as
> a service. This makes it very difficult for any other process to
> identify and disable Rootkit Revealer, but it also creates a tell-tale
> sign on any system that runs Rootkit Revealer -- the randomly named
> program gets deleted, but the registry key for the service is left
> over pointing to a now deleted file. CrapCleaner will find and delete
> the "null" service, or you can manually edit the registry and delete
> the key.

Hi Andy Walker,

Is this the left-over registry key you warned about?
- Missing MUI Reference C:\proggies\util\RKD\sc.exe
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICac he

1. Heeding your warning, I downloaded & installed "CrapCleaner
v1.25.201" from:
http://www.ccleaner.com (last updated on 9th November 2005).

2. I looked for the left-over key you warned about after pressing
"Analyze" in the "Cleaner" section to analyze "Windows" &
"Applications" but did not see mention of RDKetect registry keys (I
pressed "Run Cleaner" anyway so as to clean out the crap files on my
system).

3. Running the "Scan for Issues" section did find hint of RKDetect
leftovers such as:
- Missing MUI Reference C:\proggies\util\RKD\sc.exe
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICac he

KEY QUESTION:
Q: Is this the left-over registry key you warned us about?

Also, a frustratingly nagging question:
Q: How do I find out what program these darn 8-4-4-4-8 hex numbers
belong to?
- Uninstaller Reference Issue {B6F867E8-F092-4C5E-ACA0-F30547DC3874}
HKLM\Software\Microsoft\Windows\CurrentVersion\App
Management\ARPCache\{B6F867E8-F092-4C5E-ACA0-F30547DC3874}

karl levinson, mvp wrote:
> For a second opinion, try RKDetect http://www.security.nnov.ru/soft/rkdetect

Hi Karl,

You provided useful information for all of us which I'm sure many
others like I will follow. So I don't feel so badly about asking a bit
deeper since the answer will help all the other mothers out there too
follow verbatim in our footsteps.

1. Logged in as "administrator", I downloaded the RK Detect
second-opinion utility from:
http://www.security.nnov.ru/files/rkdetect.zip

2. As "administrator", I unzipped RKDetect into c:\proggies\util\RKD to
see the 4 files:
- readme.txt 09/08/2004 10:43 AM 1,636 bytes
- rkdetect.vbs 09/08/2004 10:37 AM 2,336 bytes
- sc.exe 03/25/2003 04:00 PM 47,104 bytes
- wmisc.vbs 09/08/2004 09:24 AM 474 bytes

3. I read the readme to learn:
- RKDetect finds hidden services that are usually used to start
rootkits.
- RKDetect enumerates the services on a remote computer.
- The result is then compared and any difference is displayed.
- RKDetect uses "sc.exe" found in %WINDIR%\system32\sc.exe or locally

4. Only one example command is in the readme:
C:\hack\rkd>cscript rkdetect.vbs 200.4.4.4

5. A quick http://www.dnsstuff.com Reverse DNS on that suggested IP
address reports:
200.4.4.4 PTR record: disp183.iie.org.mx. [TTL 86400s] [A=200.4.4.4]

6. As Administrator, I run the example by pointing to the suggested
server:
Start -> Run -> cmd
C:\> cd c:\proggies\util\RKD
RKD:\> cscript rkdetect.vbs 200.4.4.4

Up pops a Sygate Personal Firewall warning:
Microsoft (r) Console Based Script Host (cscript.exe) is trying to send
a packet.
Do you want to allow this program to access the network?

When I say "yes" to the firewall request, RKDetect proceeds to report:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Query services by WMI...
Detected 0 services
Query services by SC...
Detected 0 services
Finding hidden services...
Done
Windows rootkits detector
(c)oded by 2003
(c) Sergey V. Gordeychik 2003

An error occurred. Check machine availability and your access level
(must be an
administrator).

Usage:
cscript rkdetect.vbs <machine_name/ip>

7. I am tantalizingly close to obtaining useful information but I
failed.

8. Do you know what I should do next to obtain an RKDetect report to
completion?

Frustrated,
Pamela

On 19 Nov 2005 22:03:08 -0800, wrote:
> Where can mere mortals download necessary WinXP RKR scanning software?

SysInternals RootKitRevealer
http://www.sysinternals.com/utilitie...trevealer.html

Microsoft Strider GhostBuster Rootkit Detection
http://research.microsoft.com/rootkit

NNOV RKDetect
http://www.security.nnov.ru/files/rkdetect.zip

All are too complicated to run by yourself but with help they can be run.

Andy Walker <> wrote:

|>You can also use the MicroSoft method of identifying rootkits by
|>following their instructions at http://research.microsoft.com/rootkit/
|>
|>Reproduced here in part:
|>
|>Simple steps you can take to detect some of today's ghostware:
|>
|>Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially
|>infected OS and save the results.
|>
|>Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the
|>same drive, and save the results.
|>
|>Run a clean version of WinDiff from the CD on the two sets of results
|>to detect file-hiding ghostware (i.e., invisible inside, but visible
|>from outside).
|>[You can get WinDiff here http://www.grigsoft.com/download-windiff.htm

That's a slick way to check a system, I did the deed and it found:
F:\UnZip\RKtest\Edir_a_h.txt as being more recent - I'm clean.

--
Napster, gets down and...
http://www.getthewholething.co.uk/

Trax wrote:
> |>Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the
> |>same drive, and save the results.
> I did the deed and it found:
> F:\UnZip\RKtest\Edir_a_h.txt as being more recent - I'm clean.

Hi Trax,

I too attempt this intriguing method of finding hidden rootkits; but I
am stuck at the point of obtaining a separate Windows XP clean bootable
CDROM (as my pc came with the operating system on it and no Windows
CD).

I asked in a separate thread where best to obtain a simple clean
Windows XP boot CDROM.

One suggestion for your tests above, if I may, are to use:
dir /s/ah/l/on/b c:\ > all_hidden_files_before.tdir /s/a-h/l/on/b c:\ >
not_hidden_files_before.txt

Instead of:
dir /s /b /ah > all_hidden_files_before.txt
dir /s /b /a-h > not_hidden_files_before.txt

The additional lower-casing (l) and name-ordering (on) options should,
I would guess, make the difference utility faster and more accurate (or
is my logic off?).

Still, my main question was answered which I repeat for the others who
follow us:

Q1: Where do mere mortals obtain root kit scanning procedures?
A: Those of us who are not experts can still obtain rootkit detection
procedures at
a. Rootkit Revealer
http://www.sysinternals.com/utilitie...trevealer.html
b. GhostBuster Rootkit Detector http://research.microsoft.com/rootkit
c. RKdetect Rootkit Detecter
http://www.security.nnov.ru/files/rkdetect.zip

My remaining questions are off topic so I will post them separately:
Q2 Where do mortals obtain the smallest reliable Windows XP bootable
CDROM?
Q3: Where do I find a lookup table for each of these 8-4-4-4-12 CLSID
class ids?

Note it's not at
http://www.microsoft.com/technet/pro...efclassid.mspx
or, if it is, I missed the lookup table explaining what each classid on
my system is.

Thank you all for your expert advice which will help other mere
mortals,
Pamela

Ouch. I forgot the most important on-topic question of all.
Q1: What do we need to do to REALLY become administrator to run
RKDetect?

Logged in as "administrator", here is the error I got when I ran
RKDetect.
"An error occurred. Check machine availability and your access level
(must be an administrator)."

Huh? I am administrator. There are no other users.

Is there a good way to check why RKDetect thinks I'm not an
administrator?
Is the rootkit spyware causing a hidden user to be administrator
instead?
Does this fail for anyone else who is also running as administator?
Why me?

Ok, so that's 5 questions!

They are really all one frustrating related question in the quest to
run the SysInternals RKDetect rootkit detecter freeware download.

Q: Why is RKDetect telling me I need to run it as administrator when I
am?

Pamela

wrote in
news: oups.com:

> Trax wrote:
>> |>Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on
>> |>the same drive, and save the results.
>> I did the deed and it found:
>> F:\UnZip\RKtest\Edir_a_h.txt as being more recent - I'm clean.
>
> Hi Trax,
>
> I too attempt this intriguing method of finding hidden rootkits; but I
> am stuck at the point of obtaining a separate Windows XP clean
> bootable CDROM (as my pc came with the operating system on it and no
> Windows CD).
>
> I asked in a separate thread where best to obtain a simple clean
> Windows XP boot CDROM.



Using Bart's PE is one choice. Apply nLite or xplite first to reduce
Windows to smallest size. I've got some very small versions of Windows
XP. Some start with the embedded version of windows rather than the
consumer or corporate versions.

If you're into small-footprint versions of Windows another good place to
look that wouldn't leap to mind spontaneously is some of the car forums,
such as:

http://www.mp3car.com/vbulletin/forumdisplay.php?f=70


....

> My remaining questions are off topic so I will post them separately:
> Q2 Where do mortals obtain the smallest reliable Windows XP bootable
> CDROM?


OK, I hate to make my sources widely known, but just for you....

http://www.megaupload.com/?d=DTVWU3GV

About a 150 MB download, fluffs up to about 170 MB. It's a stripped
(with nlite) corporate version of WinXP & SP2 (with bootleg serial
already installed and all sorts of other infringements but it does do
the trick. Welcome to the dark side! (It can be updated in future using
other nefarious tricks

Regards,

nemo_outis wrote:
> Using Bart's PE is one choice.
> Apply nLite or xplite first to reduce Windows to a smaller size.
> I've got some very small versions of Windows XP.
> Some people start with the embedded version of windows
> rather than the consumer or corporate versions.

I'm not at all sure what an "embedded" version of Windows is.

And, when you say to apply nLite or XPlite to reduce Windows, I really
don't know what that means. For example, do I "apply nLite" to the i386
directory (which I don't seem to have) or do I apply nLite on my
working installed Windows XP for which all I have is a recovery CDROM,
and not an original Windows XP bootable CDROM? I do appreciate the
advice but please realize I am a mere mortal and not a Windows XP
expert such as you guys are.

Meanwhile, I've been downloading (it's at 76% so far after failing
twice) for hours the 150 MB helpful link you kindly pointed me to on
Megaupload.com. I have no intent on "stealing" Windows XP - all I want
is a bootable Windows XP CD so I can located cloaked files as per
instructions in method 3 below.

ROOTKIT DETECTION METHOD 1 (RKR) failed me due to cryptic output:
- http://www.sysinternals.com/utilitie...trevealer.html

ROOTKIT DETECTION METHOD 2 (RKD) failed due to unknown privilage
issues:
- http://www.security.nnov.ru/files/rkdetect.zip

ROOTKIT DETECTION METHOD 3 (STRIDER) requires a boot WinXP CD/DVD:
- http://research.microsoft.com/rootkit

All I really want to do is determine if a rootkit is cloaking files &
keys.
I can't be the only person wanting to know what is cloaked on my
system.
Do others see the same set of problems I am running into (or is it just
me)?

Pamela

wrote in news:1132546005.159617.267900
@g43g2000cwa.googlegroups.com:

> nemo_outis wrote:
>> Using Bart's PE is one choice.
>> Apply nLite or xplite first to reduce Windows to a smaller size.
>> I've got some very small versions of Windows XP.
>> Some people start with the embedded version of windows
>> rather than the consumer or corporate versions.
>
> I'm not at all sure what an "embedded" version of Windows is.

Embedded Windows Xp is a variant of Windows designed to be small and
efficient to be "shoehorned" in devices of limited capacities. It has
very little by way of user interface and really can be stripped down.
The appeal is that the kit is designed to allow one to add in or leave
out functionality on a much finer level of granuarity than for mainstream
versions of XP - it thus has considerable appeal to those hobbyists
trying to make bootable versions of Windows for USB sticks, versions that
will run in solid-state memory for a car, etc.


> And, when you say to apply nLite or XPlite to reduce Windows, I really
> don't know what that means. For example, do I "apply nLite" to the i386
> directory (which I don't seem to have) or do I apply nLite on my
> working installed Windows XP for which all I have is a recovery CDROM,
> and not an original Windows XP bootable CDROM? I do appreciate the
> advice but please realize I am a mere mortal and not a Windows XP
> expert such as you guys are.


Sorry, these things are really tools for tinkerers and geeks. If you
just want to get something done and don't want to become expert enough to
"roll your own" then you have to look for some "packaged" version already
out there (usually cobbled together by one of the aforementioned geeks
and hobbyists).


> Meanwhile, I've been downloading (it's at 76% so far after failing
> twice) for hours the 150 MB helpful link you kindly pointed me to on
> Megaupload.com. I have no intent on "stealing" Windows XP - all I want
> is a bootable Windows XP CD so I can located cloaked files as per
> instructions in method 3 below.
>
> ROOTKIT DETECTION METHOD 1 (RKR) failed me due to cryptic output:
> - http://www.sysinternals.com/utilitie...trevealer.html
>
> ROOTKIT DETECTION METHOD 2 (RKD) failed due to unknown privilage
> issues:
> - http://www.security.nnov.ru/files/rkdetect.zip
>
> ROOTKIT DETECTION METHOD 3 (STRIDER) requires a boot WinXP CD/DVD:
> - http://research.microsoft.com/rootkit
>
> All I really want to do is determine if a rootkit is cloaking files &
> keys.
> I can't be the only person wanting to know what is cloaked on my
> system.
> Do others see the same set of problems I am running into (or is it just
> me)?

Sorry, what I gave you is the bootable CD of an *installable* stripped
Windows XP. You would still have to "blend" it with suitable utilities,
etc. and make it into a self-bootable *executable* CD. That is
surprisingly hard to do with Windows XP unless you pull some crafty
tricks since the OS typically wants to *write back* to its boot medium
(which is impossible with a CD, of course). Bart (of BartPE fame) has
solved the problem but in terms of a "kit for geeks" not a "ready to
use" CD. Others (Hiren, or Winternals, for instance) have assembled
bootable CDs with many utilities, but I disremember whether they had much
by way of root-kit uprooters in their collection of utilities.

Regards,

nemo_outis kindly explained:
> Embedded Windows Xp is a variant of Windows designed to be small and
> efficient to be "shoehorned" in devices of limited capacities.
> nLite or XPlite are tools for tinkerers and geeks.
> You have to look for some "packaged" version already out there.
> What I gave you is the bootable CD of an *installable* stripped Windows XP.
> You would still have to "blend" it to make it into a self-bootable *executable* CD.
> That is surprisingly hard to do with Windows XP
> Bart (of BartPE fame) has solved the problem but in terms of a "kit for geeks"
> Bart PE is not a "ready to use" WinXP bootable CD.

Thank you nemo_outis for taking the time to explain this for a newbie
such as I who is searching for the infamous Sony rootkit and other
potential rootkits.

You guys seem to know so very much inherently that I'm sure it's hard
for you to deal with those of us, like I, who are needy, yet still
trying to find out if we have the dastardly rootkits on our systems.

If I can't boot off that downloaded 150 Mbyte WinXP rar file, should I
attempt the "Ultimate Boot CD for Windows" http://www.ubcd4win.com
approach that Nathan Dart suggested for making a bootable Windows XP
cdrom sufficient for running a DOS dir command.

Given that the only reason we need to boot to a separate operating
system is to run DOS "dir dir /s/ah/l/on/b" commands, an alternative to
the Microsoft suggested method of booting to a Windows XP cdrom might
be to boot to a Linux CDROM & then running the closest Linux "ls -alsF"
equivalent to the DOS "dir /s/ah/l/on/b" command.

I think, this is essentially what Karl Levinson was suggesting when he
provided the http://www.Bitdefender.com Linux boot CD URL.

Do the experts on this list know of anyone successful in searching for
rootkit cloaked files using any of these boot-to-something methods?

Always learning; always confused; always humbled,
Pamela