Velocity Reviews - Computer Hardware Reviews

Download freeware RKR scanning software (detect Sony rootkit & others)

 
 
pamelafiischer@yahoo.com
11-23-2005
karl levinson, mvp wrote:
> The people in the various Hijack This! support forums may have more
> knowledge of whether this file is good or bad.
> http://www.spywareinfo.com/~merijn/forums.html


Thank you again Karl for your excellent advice.

There were so many forums I wasn't sure which to use; but I finally
posted the question about "Possible rootkit found: FGLRYUtil" to
http://forums.spywareinfo.com/index.php?showtopic=62088

I hope others know more about this than I do.

It seems these rootkits and cloaked keys are all over the place!
If only I knew about this before!

Pamela Fischer

 
karl levinson, mvp
11-23-2005

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ps.com...
> karl levinson, mvp wrote:
>> I didn't see the information I would expect to see in that output.
>> Netstat -ano only works on Windows XP. I suspect you're not running XP?
>> In that case, Fport or Vision does the same thing.

>
> Just to confirm - I am running Windows XP.


My mistake. netstat -ano only gives you the PID number of the listening
process bound to that TCP/IP port, and not the name. I never noticed this,
it is annoying. So I would recommend relying instead on fport / vision
which hand you the executable name.


 
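Karl's point above, that `netstat -ano` reports only the PID of the process bound to a port, can be closed by joining that output with `tasklist /FO CSV` (tasklist ships with XP Professional). This is an added example, not code from any poster: both outputs below are constructed samples in the shape of the real commands, and a PID that tasklist cannot name is reported explicitly, since a listening port with no visible owner is the kind of baseline difference this thread is about.

```python
import csv
import io

# Constructed sample in the shape of `netstat -ano` output on Windows XP.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1788
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       2404
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in the shape of `tasklist /FO CSV` output (PID 2404 is absent on purpose).
TASKLIST_OUTPUT = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,832 K"
"alg.exe","1788","Console","0","3,504 K"
"""

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}

def parse_netstat(text):
    """Yield (proto, local address, state, pid) per TCP/UDP line; UDP lines have no State column."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # skip banner and header lines
        state = fields[3] if fields[0] == "TCP" else ""
        yield fields[0], fields[1], state, int(fields[-1])

def listening_ports(netstat_text, tasklist_text):
    """Join both outputs; a PID tasklist cannot name is marked '<not in tasklist>'."""
    names = parse_tasklist(tasklist_text)
    rows = []
    for proto, local, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # only report listeners, as fport/vision would
        rows.append((proto, local, pid, names.get(pid, "<not in tasklist>")))
    return rows
```

Run the two real commands, feed their text to `listening_ports`, and compare the result against the clean-system baseline Karl recommends saving.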
karl levinson, mvp
11-23-2005

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...

> It seems these rootkits and cloaked keys are all over the place!
> If only I knew about this before!


It's good that you know now. Detecting malware is easier if you know what
baseline output is normal when you run these tools on your system when it's
clean. It may be a good idea to save this output so you can refer to it if
you ever have to run them again.

I doubt those registry values with nulls are anything malicious. Most root
kit detection methods involve inspecting key system resources in both user
mode and system mode and comparing the two for any differences. The issue
with the nulls is that when a null character is put into a registry value,
one of those two inspection methods considers the null the end of the value,
so the value returns different data in the two methods of inspection. I
would only consider this suspicious if it occurs in one of the various
registry locations that are used to launch executables or services at
startup. The registry values you found are sort of related to launching
executables, but don't look to me to be attempts at hiding anything. I'm
not 100% sure here, so a second opinion from the Hijack This forum is not a
bad idea.

One of the two areas where you found nulls is in ControlSet002:

http://support.microsoft.com/?kbid=100010

ControlSet001 may be the last control set you booted with, while
ControlSet002 could be what is known as the last known good control set, or
the control set that last successfully booted Windows NT.

I really don't know why nulls would be found in ControlSet002 and not in
CurrentControlSet, that is curious. Maybe you snipped out what was found in
CurrentControlSet as appearing redundant?




 
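A simplified model of the two-view comparison Karl describes, added here and not taken from RootkitRevealer or from any poster: the API-style view stops at the first NUL, the hive-style view keeps everything after it, and a disagreement is rated by whether the key is one of the autostart locations he names as the place where it would matter. The key paths, value names, CLSID and the autostart list are constructed assumptions for the demonstration.

```python
import re

# Illustrative autostart locations (assumed list, not exhaustive).
AUTOSTART_PATTERNS = (
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services)?$",
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$",
    r"\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+$",
)

def api_view(raw):
    """Win32-style view: the first NUL terminates the string."""
    return raw.split("\x00", 1)[0]

def raw_view(raw):
    """Hive-style view: every character, minus the single terminator a REG_SZ normally carries."""
    return raw[:-1] if raw.endswith("\x00") else raw

def is_autostart(key_path):
    return any(re.search(p, key_path, re.IGNORECASE) for p in AUTOSTART_PATTERNS)

def cross_view_diff(registry):
    """Return one finding per value whose two views disagree, rated by key location."""
    findings = []
    for key_path, values in registry.items():
        for name, raw in values.items():
            seen_by_api, seen_in_hive = api_view(raw), raw_view(raw)
            if seen_by_api == seen_in_hive:
                continue  # a normal terminator is not a discrepancy
            findings.append({
                "key": key_path, "value": name,
                "api_view": seen_by_api, "raw_view": seen_in_hive,
                "severity": "suspicious" if is_autostart(key_path) else "informational",
            })
    return findings

# Constructed sample registry (paths and data are made up for this example).
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32": {
        "": "C:\\WINDOWS\\system32\\example.dll\x00stale",  # NUL mid-value, not an autostart key
        "ThreadingModel": "Apartment",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": "C:\\WINDOWS\\system32\\updater.exe\x00 extra-args",  # NUL inside a Run value
    },
    r"HKLM\SYSTEM\ControlSet002\Services\Example": {
        "ImagePath": "C:\\WINDOWS\\system32\\drivers\\example.sys\x00",  # plain terminator only
    },
}
```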
Ralph Wade Phillips
11-24-2005
Howdy!

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Trax wrote:
> > http://www.sysinternals.com/utilitie...trevealer.html

>
> Aha! So simple. So elegant. A RKTDU right under my nose!
> http://www.sysinternals.com/utilitie...trevealer.html
>
> I downloaded and executed this freeware Windows XP Sysinternals
> RootKitRevealer.exe Rootkit Detection Utility (RKTDU), version 1.56,
> just now on an idle system and was much chagrined to find voluminous
> reports of "Key name contains embedded nulls (*)", "Hidden from Windows
> API", "Visible in directory index, but not WIndows API or MFT", etc.
> discrepancies.
>
> Is this normal to find so many of these rktdu registry discrepancies?


Possibly. If, for instance, you run Norton/Symantec's SecureDelete,
it does the same type thing to hide the files. So it's perfectly possible
for a good program or utility to do "root kit" stuff.

RwP


 