<> wrote in message
news: ups.com...
> It seems these rootkits and cloaked keys are all over the place!
> If only I knew about this before!
It's good that you know now. Detecting malware is easier if you know what
baseline output is normal when you run these tools on your system when it's
clean. It may be a good idea to save this output so you can refer to it if
you ever have to run them again.

I doubt those registry values with nulls are anything malicious. Most rootkit
detection methods involve inspecting key system resources in both user
mode and system mode and comparing the two for any differences. The issue
with the nulls is that when a null character is put into a registry value,
one of those two inspection methods considers the null the end of the value,
so the value returns different data in the two methods of inspection. I
would only consider this suspicious if it occurs in one of the various
registry locations that are used to launch executables or services at
startup. The registry values you found are sort of related to launching
executables, but don't look to me to be attempts at hiding anything. I'm
not 100% sure here, so a second opinion from the Hijack This forum is not a
bad idea.

One of the two areas where you found nulls is in ControlSet002:
http://support.microsoft.com/?kbid=100010
ControlSet001 may be the last control set you booted with, while
ControlSet002 could be what is known as the last known good control set, or
the control set that last successfully booted Windows NT.

I really don't know why nulls would be found in ControlSet002 and not in
CurrentControlSet; that is curious. Maybe you snipped out what was found in
CurrentControlSet as appearing redundant?
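An added illustration of the cross-view comparison described in the reply above (example code, not from the original post or any tool it mentions): both "views" are derived from the same constructed REG_SZ buffer, one read as a NUL-terminated string the way a Win32 caller would see it, the other using the stored data length, and any mismatch is triaged by whether the key is an autostart location. The registry paths, value data and the autostart pattern list are all constructed assumptions.

```python
import re

# Assumed list of autostart locations used for triage; extend as needed.
AUTOSTART_PATTERNS = [
    r"\\Microsoft\\Windows\\CurrentVersion\\Run",   # also matches RunOnce
    r"\\Services\\",
    r"\\Winlogon",
]


def reg_sz(s: str) -> bytes:
    """Build a REG_SZ-style buffer: UTF-16LE text plus the terminating NUL."""
    return (s + "\x00").encode("utf-16-le")


def win32_view(raw: bytes) -> str:
    """NUL-terminated read: everything after the first U+0000 is dropped."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def native_view(raw: bytes) -> str:
    """Length-aware read: only the trailing terminator is stripped, so an
    embedded NUL and whatever follows it are kept."""
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def is_autostart_location(key_path: str) -> bool:
    return any(re.search(p, key_path, re.IGNORECASE) for p in AUTOSTART_PATTERNS)


def cross_view_diff(entries):
    """Report values whose two views disagree; rate them by key location."""
    findings = []
    for key_path, name, raw in entries:
        short, full = win32_view(raw), native_view(raw)
        if short != full:
            findings.append({
                "key": key_path, "value": name,
                "win32": short, "native": full.replace("\x00", "\\0"),
                "review": "suspicious" if is_autostart_location(key_path) else "likely benign",
            })
    return findings


# Constructed sample data: one clean value, one with an embedded NUL outside any
# autostart key, one with an embedded NUL under a Run key.
SAMPLE_ENTRIES = [
    ("HKLM\\SYSTEM\\ControlSet002\\Control\\Session Manager", "Clean", reg_sz("normal")),
    ("HKLM\\SYSTEM\\ControlSet002\\Control\\Session Manager", "Odd", reg_sz("visible\x00tail")),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Agent",
     reg_sz("C:\\Tools\\agent.exe\x00extra")),
]

if __name__ == "__main__":
    for f in cross_view_diff(SAMPLE_ENTRIES):
        print(f)
```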