Download freeware RKR scanning software (detect Sony rootkit & others)

Discussion in 'Computer Security' started by pamelafiischer@yahoo.com, Nov 20, 2005.

  1. Guest

    Where can mere mortals download necessary WinXP RKR scanning software?

    All over the airwaves is Mark Russinovich's Sysinternals admonition
    "most users stumble across cloaked files with an RKR scan". I've never
    run an RKR scan. I don't even know what an RKR scan is. But I, like all
    of us, am interested in the results of an RKR scan on my Windows PC.

    But, where do we obtain the RKR scanning freeware download?

    Pamela
     
    , Nov 20, 2005
    #1

  2. Trax Guest

    wrote:

    |>Where can mere mortals download necessary WinXP RKR scanning software?
    |>
    |>All over the airwaves is Mark Russinovich's Sysinternals admonition
    |>"most users stumble across cloaked files with an RKR scan". I've never
    |>run an RKR scan. I don't even know what an RKR scan is. But I, like all
    |>of us, am interested in the results of an RKR scan on my Windows PC.
    |>
    |>But, where do we obtain the RKR scanning freeware download?
    |>
    |>Pamela

    From Mark Russinovich himself :)
    http://www.sysinternals.com/utilities/rootkitrevealer.html

    --
    Napster, gets down and...
    http://www.getthewholething.co.uk/
     
    Trax, Nov 20, 2005
    #2

  3. Guest

    wrote:
    > Where can mere mortals download necessary WinXP RKR scanning software?


    I should have noted that even though I've never installed Sony CD
    software (to my knowledge), when I created & then renamed a text file
    to "$sys$myfile.txt", it immediately disappeared from view.

    That in and of itself makes me suspect incipient malware other than
    Sony audio CDs, which makes me now want to run the freeware rootkit
    scanner everyone is alluding to even more urgently.

    But where do we obtain this freeware RKR scanner for Windows XP?

    Pamela
     
    , Nov 20, 2005
    #3
  4. Trax Guest

    wrote:

    |> wrote:
    |>> Where can mere mortals download necessary WinXP RKR scanning software?
    |>
    |>I should have noted that even though I've never installed Sony CD
    |>software (to my knowledge), when I created & then renamed a text file
    |>to "$sys$myfile.txt", it immediately disappeared from view.
    |>
    |>That in and of itself makes me suspect incipient malware other than
    |>Sony audio CDs, which makes me now want to run the freeware rootkit
    |>scanner everyone is alluding to even more urgently.

    If you're comfortable editing your system:
    http://www.sysinternals.com/Blog/ scroll down to "Sony, Rootkits and
    Digital Rights Management Gone Too Far"; towards the end Mark explains
    how he deleted it. And so can you with the info.

    All files are located in the
    Windows\system32\$sys$filesystem
    you can't see the directory but you can enter it by accessing it
    directly in a CMD window ie:
    Windows\system32> CD $sys$filesystem


    --
    Napster, gets down and...
    http://www.getthewholething.co.uk/
     
    Trax, Nov 20, 2005
    #4
  5. Guest

    Trax wrote:
    > All files are located in the
    > Windows\system32\$sys$filesystem
    > you can't see the directory but you can enter it by accessing it
    > directly in a CMD window ie:
    > Windows\system32> CD $sys$filesystem


    Thanks Trax.
    I just finished the RKTDU scan with the results shown below.
    Does this look suspicious to you, or are these normal rootkit
    discrepancies?

    Note that I removed the numbers for fear they may have contained
    personal identification information (what are those 8-4-4-4-12
    character numbers anyway?).

    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM
    0 bytes Key name contains embedded nulls (*)
    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s0 11/19/2005 3:06 AM 4
    bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s1 11/19/2005 3:06 AM 4
    bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s2 11/19/2005 3:06 AM 4
    bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\g0 11/19/2005 3:06 AM 32
    bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\h0 11/19/2005 3:06 AM 4
    bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\number 3/21/2005 2:24 AM 0
    bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Application
    Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\33084D91d01
    11/19/2005 10:24 PM 16.84 KB Visible in directory index, but not
    Windows API or MFT.
    C:\Documents and Settings\Administrator\Local Settings\Application
    Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\9ED97802d01
    11/19/2005 10:24 PM 37.73 KB Visible in directory index, but not
    Windows API or MFT.
     
    , Nov 20, 2005
    #5
  6. Guest

    Trax wrote:
    > http://www.sysinternals.com/utilities/rootkitrevealer.html


    Aha! So simple. So elegant. A RKTDU right under my nose!
    http://www.sysinternals.com/utilities/rootkitrevealer.html

    I downloaded and executed this freeware Windows XP Sysinternals
    RootKitRevealer.exe Rootkit Detection Utility (RKTDU), version 1.56,
    just now on an idle system and was much chagrined to find voluminous
    reports of "Key name contains embedded nulls (*)", "Hidden from Windows
    API", "Visible in directory index, but not Windows API or MFT", etc.
    discrepancies.

    Is this normal to find so many of these rktdu registry discrepancies?

    Pamela
     
    , Nov 20, 2005
    #6
  7. Trax Guest

    wrote:

    |>Trax wrote:
    |>> http://www.sysinternals.com/utilities/rootkitrevealer.html
    |>
    |>Aha! So simple. So elegant. A RKTDU right under my nose!
    |>http://www.sysinternals.com/utilities/rootkitrevealer.html
    |>
    |>I downloaded and executed this freeware Windows XP Sysinternals
    |>RootKitRevealer.exe Rootkit Detection Utility (RKTDU), version 1.56,
    |>just now on an idle system and was much chagrined to find voluminous
    |>reports of "Key name contains embedded nulls (*)", "Hidden from Windows
    |>API", "Visible in directory index, but not Windows API or MFT", etc.
    |>discrepancies.
    |>
    |>Is this normal to find so many of these rktdu registry discrepancies?

    I don't know, so I ran it myself; I dual boot and it checked both
    systems against a registry file I can only guess is from my operating
    OS. Got a ton of bad listings :)

    Bottom line is you did the acid test and it proved positive
    ($sys$myfile.txt), and you need to take action...

    --
    Napster, gets down and...
    http://www.getthewholething.co.uk/
     
    Trax, Nov 20, 2005
    #7
  8. <> wrote in message
    news:...

    > C:\Documents and Settings\Administrator\Local Settings\Application
    > Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\33084D91d01
    > 11/19/2005 10:24 PM 16.84 KB Visible in directory index, but not
    > Windows API or MFT.
    > C:\Documents and Settings\Administrator\Local Settings\Application
    > Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\9ED97802d01
    > 11/19/2005 10:24 PM 37.73 KB Visible in directory index, but not
    > Windows API or MFT.


    All of the registry nulls look OK to me. I would focus first on hidden
    files than on hidden registry values. The two hidden files above were the
    only ones that might merit further investigation. I'm not positive these
    two files are signs of anything important.

    Note that there are supposedly root kits that can disable Rootkit Revealer
    and make it fail to detect hidden files. For a second opinion, you might
    also search for rkdetect in www.google.com and run that as well. I think
    it's a little harder to run than just double-clicking on it, I think you
    may have to run it at the command line. Using the same method to find and
    run Hijack This! and post the logs to their web site may also be helpful.


    > Note that I removed the numbers for fear they may have contained
    > personal identification information (what are those 8-4-4-4-12
    > character numbers anyway?).



    Depending on where they are in the registry, those numbers generally
    uniquely identify a program, user or other object. Here they are CLSID or
    Class ID numbers, which Microsoft defines as:

    http://www.microsoft.com/technet/prodtechnol/host/proddocs/appint/asdefclassid.mspx

    A universally unique identifier (UUID) that identifies a COM component. Each
    COM component has its CLSID in the Windows Registry so that it can be loaded
    by other applications.
     
    karl levinson, mvp, Nov 20, 2005
    #8
  9. Mark Randall Guest

    In C/++ programming:

    A string is represented by a series of bytes, ended by a byte that has a
    value of zero.

    Lots of API's (what we use to use to program windows features) let you
    specify a length - meaning you can 'embed' nulls - normally once you reach
    the first null it is taken as 'end of the string'.

    Because most programs will only display upto the first null, anything after
    it will not be shown. Hence the problem.

    - MR



    <> wrote in message
    news:...
    > Trax wrote:
    >> http://www.sysinternals.com/utilities/rootkitrevealer.html

    >
    > Aha! So simple. So elegant. A RKTDU right under my nose!
    > http://www.sysinternals.com/utilities/rootkitrevealer.html
    >
    > I downloaded and executed this freeware Windows XP Sysinternals
    > RootKitRevealer.exe Rootkit Detection Utility (RKTDU), version 1.56,
    > just now on an idle system and was much chagrined to find voluminous
    > reports of "Key name contains embedded nulls (*)", "Hidden from Windows
    > API", "Visible in directory index, but not Windows API or MFT", etc.
    > discrepancies.
    >
    > Is this normal to find so many of these rktdu registry discrepancies?
    >
    > Pamela
    >
     
    Mark Randall, Nov 20, 2005
    #9
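    The string behaviour Mark describes, worked through as an added example (not RootkitRevealer's code): the same key-name buffer seen once as a length-counted name, as the native registry interface returns it, and once as a C-style string that stops at the first NUL. The sample names are constructed; the "*" marker follows the scan output pasted earlier in the thread.

```python
"""Why a NUL inside a registry key name hides the rest of the name.

Added example written for this thread; it is not RootkitRevealer code.
Assumption modelled here: the native registry interface returns key
names as UTF-16LE buffers with an explicit length, while a C-style
consumer treats the first NUL as the end of the string.
"""

# Constructed sample key names, as the raw length-counted bytes a native
# enumeration would return. The second one carries a NUL in the middle.
NORMAL_NAME = "InprocServer32".encode("utf-16-le")
NULL_NAME = "InprocServer32\x00tail".encode("utf-16-le")  # constructed


def length_counted_name(buf: bytes) -> str:
    """The native view: every code unit up to the stated length,
    NUL characters included."""
    return buf.decode("utf-16-le")


def c_string_name(buf: bytes) -> str:
    """The Win32/C-string view: everything up to the first NUL is the
    name; whatever follows is never copied or displayed."""
    full = length_counted_name(buf)
    cut = full.find("\x00")
    return full if cut < 0 else full[:cut]


def has_embedded_null(buf: bytes) -> bool:
    """True when the two views disagree, i.e. a NUL precedes the end."""
    return "\x00" in length_counted_name(buf)


def report_line(parent: str, buf: bytes) -> str:
    """One finding in the style of the scan output pasted in this thread.
    The invisible tail is rendered as '*' instead of being printed: a raw
    NUL in the output line would be cut off by the same C-string rule."""
    visible = c_string_name(buf)
    if not has_embedded_null(buf):
        return f"{parent}\\{visible}"
    return f"{parent}\\{visible}*  Key name contains embedded nulls (*)"


def scan_key_names(parent: str, names: list) -> list:
    """Cross-view check over a set of enumerated key-name buffers: a
    report line for every name whose C-string view is shorter than its
    length-counted view."""
    return [report_line(parent, b) for b in names if has_embedded_null(b)]


if __name__ == "__main__":
    parent = "HKLM\\SOFTWARE\\Classes\\CLSID\\{number}"
    for line in scan_key_names(parent, [NORMAL_NAME, NULL_NAME]):
        print(line)
```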
  10. Andy Walker Guest

    karl levinson, mvp wrote:

    >Note that there are supposedly root kits that can disable Rootkit Revealer
    >and make it fail to detect hidden files. For a second opinion, you might
    >also search for rkdetect in www.google.com and run that as well. I think
    >it's a little harder to run than just double-clicking on it, I think you
    >may have to run it at the command line. Using the same method to find and
    >run Hijack This! and post the logs to their web site may also be helpful.


    Rootkit Revealer implemented a defense mechanism against being
    disabled by spawning a randomly named copy of itself and running it as
    a service. This makes it very difficult for any other process to
    identify and disable Rootkit Revealer, but it also creates a tell-tale
    sign on any system that runs Rootkit Revealer -- the randomly named
    program gets deleted, but the registry key for the service is left
    over pointing to a now deleted file. CrapCleaner will find and delete
    the "null" service, or you can manually edit the registry and delete
    the key.

    You can also use the Microsoft method of identifying rootkits by
    following their instructions at http://research.microsoft.com/rootkit/

    Reproduced here in part:

    Simple steps you can take to detect some of today's ghostware:

    Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially
    infected OS and save the results.

    Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the
    same drive, and save the results.

    Run a clean version of WinDiff from the CD on the two sets of results
    to detect file-hiding ghostware (i.e., invisible inside, but visible
    from outside).
    [You can get WinDiff here: http://www.grigsoft.com/download-windiff.htm]

    See Hacker Defender ghostware files revealed (highlighted) for an
    example. http://research.microsoft.com/rootkit/HD_hidden_files.JPG

    Note: there will be some false positives. Also, this does not detect
    stealth software that hides in BIOS, Video card EEPROM, disk bad
    sectors, Alternate Data Streams, etc.
     
    Andy Walker, Nov 20, 2005
    #10
  11. Guest

    Andy Walker warned:
    > Rootkit Revealer implemented a defense mechanism against being
    > disabled by spawning a randomly named copy of itself and running it as
    > a service. This makes it very difficult for any other process to
    > identify and disable Rootkit Revealer, but it also creates a tell-tale
    > sign on any system that runs Rootkit Revealer -- the randomly named
    > program gets deleted, but the registry key for the service is left
    > over pointing to a now deleted file. CrapCleaner will find and delete
    > the "null" service, or you can manually edit the registry and delete
    > the key.


    Hi Andy Walker,

    Is this the left-over registry key you warned about?
    - Missing MUI Reference C:\proggies\util\RKD\sc.exe
    HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

    1. Heeding your warning, I downloaded & installed "CrapCleaner
    v1.25.201" from:
    http://www.ccleaner.com (last updated on 9th November 2005).

    2. I looked for the left-over key you warned about after pressing
    "Analyze" in the "Cleaner" section to analyze "Windows" &
    "Applications" but did not see mention of RKDetect registry keys (I
    pressed "Run Cleaner" anyway so as to clean out the crap files on my
    system).

    3. Running the "Scan for Issues" section did find hint of RKDetect
    leftovers such as:
    - Missing MUI Reference C:\proggies\util\RKD\sc.exe
    HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

    KEY QUESTION:
    Q: Is this the left-over registry key you warned us about?

    Also, a frustratingly nagging question:
    Q: How do I find out what program these darn 8-4-4-4-8 hex numbers
    belong to?
    - Uninstaller Reference Issue {B6F867E8-F092-4C5E-ACA0-F30547DC3874}
    HKLM\Software\Microsoft\Windows\CurrentVersion\App
    Management\ARPCache\{B6F867E8-F092-4C5E-ACA0-F30547DC3874}
     
    , Nov 20, 2005
    #11
  12. Guest

    karl levinson, mvp wrote:
    > For a second opinion, try RKDetect http://www.security.nnov.ru/soft/rkdetect


    Hi Karl,

    You provided useful information for all of us which I'm sure many
    others like I will follow. So I don't feel so badly about asking a bit
    deeper since the answer will help all the other mothers out there to
    follow verbatim in our footsteps.

    1. Logged in as "administrator", I downloaded the RK Detect
    second-opinion utility from:
    http://www.security.nnov.ru/files/rkdetect.zip

    2. As "administrator", I unzipped RKDetect into c:\proggies\util\RKD to
    see the 4 files:
    - readme.txt 09/08/2004 10:43 AM 1,636 bytes
    - rkdetect.vbs 09/08/2004 10:37 AM 2,336 bytes
    - sc.exe 03/25/2003 04:00 PM 47,104 bytes
    - wmisc.vbs 09/08/2004 09:24 AM 474 bytes

    3. I read the readme to learn:
    - RKDetect finds hidden services that are usually used to start
    rootkits.
    - RKDetect enumerates the services on a remote computer.
    - The result is then compared and any difference is displayed.
    - RKDetect uses "sc.exe" found in %WINDIR%\system32\sc.exe or locally

    4. Only one example command is in the readme:
    C:\hack\rkd>cscript rkdetect.vbs 200.4.4.4

    5. A quick http://www.dnsstuff.com Reverse DNS on that suggested IP
    address reports:
    200.4.4.4 PTR record: disp183.iie.org.mx. [TTL 86400s] [A=200.4.4.4]

    6. As Administrator, I run the example by pointing to the suggested
    server:
    Start -> Run -> cmd
    C:\> cd c:\proggies\util\RKD
    RKD:\> cscript rkdetect.vbs 200.4.4.4

    Up pops a Sygate Personal Firewall warning:
    Microsoft (r) Console Based Script Host (cscript.exe) is trying to send
    a packet.
    Do you want to allow this program to access the network?

    When I say "yes" to the firewall request, RKDetect proceeds to report:

    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
    Query services by WMI...
    Detected 0 services
    Query services by SC...
    Detected 0 services
    Finding hidden services...
    Done
    Windows rootkits detector
    (c)oded by 2003
    (c) Sergey V. Gordeychik 2003

    An error occurred. Check machine availability and your access level
    (must be an
    administrator).

    Usage:
    cscript rkdetect.vbs <machine_name/ip>

    7. I am tantalizingly close to obtaining useful information but I
    failed.

    8. Do you know what I should do next to obtain an RKDetect report to
    completion?

    Frustrated,
    Pamela
     
    , Nov 20, 2005
    #12
  13. Jim Jong Guest

    Jim Jong, Nov 20, 2005
    #13
  14. Trax Guest

    Andy Walker <> wrote:

    |>You can also use the Microsoft method of identifying rootkits by
    |>following their instructions at http://research.microsoft.com/rootkit/
    |>
    |>Reproduced here in part:
    |>
    |>Simple steps you can take to detect some of today's ghostware:
    |>
    |>Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially
    |>infected OS and save the results.
    |>
    |>Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the
    |>same drive, and save the results.
    |>
    |>Run a clean version of WinDiff from the CD on the two sets of results
    |>to detect file-hiding ghostware (i.e., invisible inside, but visible
    |>from outside).
    |>[You can get WinDiff here http://www.grigsoft.com/download-windiff.htm

    That's a slick way to check a system, I did the deed and it found:
    F:\UnZip\RKtest\Edir_a_h.txt as being more recent - I'm clean.

    --
    Napster, gets down and...
    http://www.getthewholething.co.uk/
     
    Trax, Nov 20, 2005
    #14
  15. Guest

    Trax wrote:
    > |>Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the
    > |>same drive, and save the results.
    > I did the deed and it found:
    > F:\UnZip\RKtest\Edir_a_h.txt as being more recent - I'm clean.


    Hi Trax,

    I too attempted this intriguing method of finding hidden rootkits, but I
    am stuck at the point of obtaining a separate Windows XP clean bootable
    CDROM (as my PC came with the operating system on it and no Windows
    CD).

    I asked in a separate thread where best to obtain a simple clean
    Windows XP boot CDROM.

    One suggestion for your tests above, if I may, is to use:
    dir /s/ah/l/on/b c:\ > all_hidden_files_before.txt
    dir /s/a-h/l/on/b c:\ > not_hidden_files_before.txt

    Instead of:
    dir /s /b /ah > all_hidden_files_before.txt
    dir /s /b /a-h > not_hidden_files_before.txt

    The additional lower-casing (l) and name-ordering (on) options should,
    I would guess, make the difference utility faster and more accurate (or
    is my logic off?).

    Still, my main question was answered which I repeat for the others who
    follow us:

    Q1: Where do mere mortals obtain root kit scanning procedures?
    A: Those of us who are not experts can still obtain rootkit detection
    procedures at
    a. Rootkit Revealer
    http://www.sysinternals.com/utilities/rootkitrevealer.html
    b. GhostBuster Rootkit Detector http://research.microsoft.com/rootkit
    c. RKdetect Rootkit Detector
    http://www.security.nnov.ru/files/rkdetect.zip

    My remaining questions are off topic so I will post them separately:
    Q2: Where do mortals obtain the smallest reliable Windows XP bootable
    CDROM?
    Q3: Where do I find a lookup table for each of these 8-4-4-4-12 CLSID
    class ids?

    Note it's not at
    http://www.microsoft.com/technet/prodtechnol/host/proddocs/appint/asdefclassid.mspx
    or, if it is, I missed the lookup table explaining what each classid on
    my system is.

    Thank you all for your expert advice which will help other mere
    mortals,
    Pamela
     
    , Nov 20, 2005
    #15
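    The inside-versus-outside comparison from Andy Walker's GhostBuster steps, with the lower-casing and ordering Pamela suggests applied in software, as an added example written for this thread (not Microsoft's code). It takes the text `dir /s /b` writes in each boot, strips the drive letter (the suspect drive can appear under another letter from a boot CD), and buckets what the clean boot sees but the running OS does not; the listings and the noise list are constructed for the example. rkdetect applies the same idea to services (WMI view versus sc.exe view).

```python
"""Cross-view diff of `dir /s /b` listings, after the GhostBuster steps
quoted in this thread: one capture taken inside the suspect OS, one from
a clean boot of the same drive, then compared.

Added example written for this thread; not Microsoft's or any project's
code. Assumptions: each listing is the text `dir /s /b /ah` or /a-h
writes (one full path per line); the drive may carry a different letter
when seen from the boot CD, so letters are stripped before comparing;
the noise list below is a constructed starting point, not a rule.
"""
import re

# Paths that routinely differ between two boots without any hiding going
# on (swap file, temp directories, restore-point store). Constructed
# list for this example; extend it from your own baseline captures.
EXPECTED_NOISE_PREFIXES = (
    "\\pagefile.sys",
    "\\hiberfil.sys",
    "\\system volume information\\",
    "\\windows\\temp\\",
    "\\documents and settings\\administrator\\local settings\\temp\\",
)

_DRIVE = re.compile(r"^[a-z]:")


def normalize(listing: str) -> set:
    """Apply the /l (lower-case) effect in software and drop the drive
    letter, so captures made with different switches or from a drive
    mounted under another letter still line up. Order (/on) does not
    matter for a set comparison."""
    paths = set()
    for line in listing.splitlines():
        line = line.strip().lower()
        if line:
            paths.add(_DRIVE.sub("", line))
    return paths


def cross_view_diff(inside: str, outside: str) -> dict:
    """Paths visible from the clean boot but missing inside the running OS
    are the file-hiding signature; the rest is bucketed so a reader can
    see what was dismissed and why."""
    ins, outs = normalize(inside), normalize(outside)
    hidden_inside = sorted(outs - ins)
    return {
        "suspicious": [p for p in hidden_inside
                       if not p.startswith(EXPECTED_NOISE_PREFIXES)],
        "noise": [p for p in hidden_inside
                  if p.startswith(EXPECTED_NOISE_PREFIXES)],
        # Present inside only: typically written between the two captures
        # (the listing files themselves, temp files), not a hiding sign.
        "only_inside": sorted(ins - outs),
    }


# Constructed captures. Inside the suspect OS the $sys$ paths are absent,
# matching the thread's "$sys$myfile.txt disappeared from view" test.
INSIDE_LISTING = """\
C:\\pagefile.sys
C:\\WINDOWS\\system32\\drivers\\etc\\hosts
C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\~tmp1.tmp
C:\\Documents and Settings\\Administrator\\My Documents\\notes.txt
"""

# Same drive seen from the boot CD, where it shows up as D:.
OUTSIDE_LISTING = """\
D:\\pagefile.sys
D:\\WINDOWS\\system32\\drivers\\etc\\hosts
D:\\WINDOWS\\system32\\$sys$filesystem\\$sys$example.dat
D:\\Documents and Settings\\Administrator\\My Documents\\notes.txt
D:\\Documents and Settings\\Administrator\\My Documents\\$sys$myfile.txt
D:\\System Volume Information\\tracking.log
"""


def run_demo() -> dict:
    return cross_view_diff(INSIDE_LISTING, OUTSIDE_LISTING)


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

    Anything landing in "suspicious" still needs a second look (the WinDiff note about false positives applies), but a `$sys$` path that only the clean boot can see is exactly the symptom the thread is chasing.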
  16. Guest

    Ouch. I forgot the most important on-topic question of all.
    Q1: What do we need to do to REALLY become administrator to run
    RKDetect?

    Logged in as "administrator", here is the error I got when I ran
    RKDetect.
    "An error occurred. Check machine availability and your access level
    (must be an administrator)."

    Huh? I am administrator. There are no other users.

    Is there a good way to check why RKDetect thinks I'm not an
    administrator?
    Is the rootkit spyware causing a hidden user to be administrator
    instead?
    Does this fail for anyone else who is also running as administrator?
    Why me?

    Ok, so that's 5 questions!

    They are really all one frustrating related question in the quest to
    run the SysInternals RKDetect rootkit detector freeware download.

    Q: Why is RKDetect telling me I need to run it as administrator when I
    am?

    Pamela
     
    , Nov 20, 2005
    #16
  17. nemo_outis Guest

    wrote in
    news::

    > Trax wrote:
    >> |>Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on
    >> |>the same drive, and save the results.
    >> I did the deed and it found:
    >> F:\UnZip\RKtest\Edir_a_h.txt as being more recent - I'm clean.

    >
    > Hi Trax,
    >
    > I too attempt this intriguing method of finding hidden rootkits; but I
    > am stuck at the point of obtaining a separate Windows XP clean
    > bootable CDROM (as my pc came with the operating system on it and no
    > Windows CD).
    >
    > I asked in a separate thread where best to obtain a simple clean
    > Windows XP boot CDROM.




    Using Bart's PE is one choice. Apply nLite or xplite first to reduce
    Windows to smallest size. I've got some very small versions of Windows
    XP. Some start with the embedded version of windows rather than the
    consumer or corporate versions.

    If you're into small-footprint versions of Windows another good place to
    look that wouldn't leap to mind spontaneously is some of the car forums,
    such as:

    http://www.mp3car.com/vbulletin/forumdisplay.php?f=70


    ....

    > My remaining questions are off topic so I will post them separately:
    > Q2 Where do mortals obtain the smallest reliable Windows XP bootable
    > CDROM?



    OK, I hate to make my sources widely known, but just for you.... :)

    http://www.megaupload.com/?d=DTVWU3GV

    About a 150 MB download, fluffs up to about 170 MB. It's a stripped
    (with nlite) corporate version of WinXP & SP2 (with bootleg serial
    already installed and all sorts of other infringements :) but it does do
    the trick. Welcome to the dark side! (It can be updated in future using
    other nefarious tricks :)

    Regards,
     
    nemo_outis, Nov 21, 2005
    #17
  18. Guest

    nemo_outis wrote:
    > Using Bart's PE is one choice.
    > Apply nLite or xplite first to reduce Windows to a smaller size.
    > I've got some very small versions of Windows XP.
    > Some people start with the embedded version of windows
    > rather than the consumer or corporate versions.


    I'm not at all sure what an "embedded" version of Windows is.

    And, when you say to apply nLite or XPlite to reduce Windows, I really
    don't know what that means. For example, do I "apply nLite" to the i386
    directory (which I don't seem to have) or do I apply nLite on my
    working installed Windows XP for which all I have is a recovery CDROM,
    and not an original Windows XP bootable CDROM? I do appreciate the
    advice but please realize I am a mere mortal and not a Windows XP
    expert such as you guys are.

    Meanwhile, I've been downloading (it's at 76% so far after failing
    twice) for hours the 150 MB helpful link you kindly pointed me to on
    Megaupload.com. I have no intent on "stealing" Windows XP - all I want
    is a bootable Windows XP CD so I can locate cloaked files as per
    instructions in method 3 below.

    ROOTKIT DETECTION METHOD 1 (RKR) failed me due to cryptic output:
    - http://www.sysinternals.com/utilities/rootkitrevealer.html

    ROOTKIT DETECTION METHOD 2 (RKD) failed due to unknown privilege
    issues:
    - http://www.security.nnov.ru/files/rkdetect.zip

    ROOTKIT DETECTION METHOD 3 (STRIDER) requires a boot WinXP CD/DVD:
    - http://research.microsoft.com/rootkit

    All I really want to do is determine if a rootkit is cloaking files &
    keys.
    I can't be the only person wanting to know what is cloaked on my
    system.
    Do others see the same set of problems I am running into (or is it just
    me)?

    Pamela
     
    , Nov 21, 2005
    #18
  19. nemo_outis Guest

    wrote in news:1132546005.159617.267900
    @g43g2000cwa.googlegroups.com:

    > nemo_outis wrote:
    >> Using Bart's PE is one choice.
    >> Apply nLite or xplite first to reduce Windows to a smaller size.
    >> I've got some very small versions of Windows XP.
    >> Some people start with the embedded version of windows
    >> rather than the consumer or corporate versions.

    >
    > I'm not at all sure what an "embedded" version of Windows is.


    Embedded Windows Xp is a variant of Windows designed to be small and
    efficient to be "shoehorned" in devices of limited capacities. It has
    very little by way of user interface and really can be stripped down.
    The appeal is that the kit is designed to allow one to add in or leave
    out functionality on a much finer level of granularity than for mainstream
    versions of XP - it thus has considerable appeal to those hobbyists
    trying to make bootable versions of Windows for USB sticks, versions that
    will run in solid-state memory for a car, etc.


    > And, when you say to apply nLite or XPlite to reduce Windows, I really
    > don't know what that means. For example, do I "apply nLite" to the i386
    > directory (which I don't seem to have) or do I apply nLite on my
    > working installed Windows XP for which all I have is a recovery CDROM,
    > and not an original Windows XP bootable CDROM? I do appreciate the
    > advice but please realize I am a mere mortal and not a Windows XP
    > expert such as you guys are.



    Sorry, these things are really tools for tinkerers and geeks. If you
    just want to get something done and don't want to become expert enough to
    "roll your own" then you have to look for some "packaged" version already
    out there (usually cobbled together by one of the aforementioned geeks
    and hobbyists).


    > Meanwhile, I've been downloading (it's at 76% so far after failing
    > twice) for hours the 150 MB helpful link you kindly pointed me to on
    > Megaupload.com. I have no intent on "stealing" Windows XP - all I want
    > is a bootable Windows XP CD so I can locate cloaked files as per
    > instructions in method 3 below.
    >
    > ROOTKIT DETECTION METHOD 1 (RKR) failed me due to cryptic output:
    > - http://www.sysinternals.com/utilities/rootkitrevealer.html
    >
    > ROOTKIT DETECTION METHOD 2 (RKD) failed due to unknown privilege
    > issues:
    > - http://www.security.nnov.ru/files/rkdetect.zip
    >
    > ROOTKIT DETECTION METHOD 3 (STRIDER) requires a boot WinXP CD/DVD:
    > - http://research.microsoft.com/rootkit
    >
    > All I really want to do is determine if a rootkit is cloaking files &
    > keys.
    > I can't be the only person wanting to know what is cloaked on my
    > system.
    > Do others see the same set of problems I am running into (or is it just
    > me)?


    Sorry, what I gave you is the bootable CD of an *installable* stripped
    Windows XP. You would still have to "blend" it with suitable utilities,
    etc. and make it into a self-bootable *executable* CD. That is
    surprisingly hard to do with Windows XP unless you pull some crafty
    tricks since the OS typically wants to *write back* to its boot medium
    (which is impossible with a CD, of course). Bart (of BartPE fame) has
    solved the problem but in terms of a "kit for geeks" not a "ready to
    use" CD. Others (Hiren, or Winternals, for instance) have assembled
    bootable CDs with many utilities, but I disremember whether they had much
    by way of root-kit uprooters in their collection of utilities.

    Regards,
     
    nemo_outis, Nov 21, 2005
    #19
  20. Guest

    nemo_outis kindly explained:
    > Embedded Windows Xp is a variant of Windows designed to be small and
    > efficient to be "shoehorned" in devices of limited capacities.
    > nLite or XPlite are tools for tinkerers and geeks.
    > You have to look for some "packaged" version already out there.
    > What I gave you is the bootable CD of an *installable* stripped Windows XP.
    > You would still have to "blend" it to make it into a self-bootable *executable* CD.
    > That is surprisingly hard to do with Windows XP
    > Bart (of BartPE fame) has solved the problem but in terms of a "kit for geeks"
    > Bart PE is not a "ready to use" WinXP bootable CD.


    Thank you nemo_outis for taking the time to explain this for a newbie
    such as I who is searching for the infamous Sony rootkit and other
    potential rootkits.

    You guys seem to know so very much inherently that I'm sure it's hard
    for you to deal with those of us, like I, who are needy, yet still
    trying to find out if we have the dastardly rootkits on our systems.

    If I can't boot off that downloaded 150 Mbyte WinXP rar file, should I
    attempt the "Ultimate Boot CD for Windows" http://www.ubcd4win.com
    approach that Nathan Dart suggested for making a bootable Windows XP
    cdrom sufficient for running a DOS dir command.

    Given that the only reason we need to boot to a separate operating
    system is to run DOS "dir /s/ah/l/on/b" commands, an alternative to
    the Microsoft suggested method of booting to a Windows XP cdrom might
    be to boot to a Linux CDROM & then running the closest Linux "ls -alsF"
    equivalent to the DOS "dir /s/ah/l/on/b" command.

    I think, this is essentially what Karl Levinson was suggesting when he
    provided the http://www.Bitdefender.com Linux boot CD URL.

    Do the experts on this list know of anyone successful in searching for
    rootkit cloaked files using any of these boot-to-something methods?

    Always learning; always confused; always humbled,
    Pamela
     
    , Nov 21, 2005
    #20
