Rootkit Detector V0.62 for windows 2K/XP/2k3

Okay, I can get this thing to run - but I can't get it to stay open long enough to read the results when it's done.

I've tried using
cmd rkdetector.exe from "Run" (not a valid Win32 app, supposedly) and I've tried just running it from the program folder (that's when it runs and then disappears).

It's got this "tcp.dll" in the unpacked folder which really seems like it ought to be somewhere other than there. Everytime I try to get that dll to register, I get the error message shown in the screenshot.

What am I doing wrong here? Pete

 

If someone could clue me in to the correct command to use on this program to get it to run and remain open afterwards, it would be much appreciated. Pete

 

You just need to open DOS shell (from within windows) and then run the program. In such case the window won't close.

 

LOL, don't people know how to use dos these days?

 

<g> Apparently not. I thought I had already tried that, but I'll go back and try it again.

 

I'll be darned if it didn't run straight from the cmd prompt this time! (I thought it was supposed to, but it sure didn't happen the first time around!).
Anyway, does this all look good?


. .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright (c) 2004 - 3wdesign Security
Url: http://www.3wdesign.es


-Gathering Service list Information... ( Found: 266 services )
-Gathering process List Information... ( Found: 42 process )
-Searching for Hidden process Handles. ( Found: 0 Hidden Process )
-Checking Visible Process.............
c:\program files\cleancache 2.0\cleancache.exe
c:\program files\spyblocker software\spyblocker.exe
c:\windows\explorer.exe
c:\program files\spywareguard\sgbhp.exe
c:\program files\mru-blaster\scheduler.exe
c:\windows\system32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\program files\acesoft\tracks eraser pro\te.exe
c:\windows\system32\svchost.exe
c:\program files\processguard\procguard.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\apc\apc powerchute personal edition\apcsystray.exe
c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
c:\windows\system32\spoolsv.exe
c:\program files\compaq\easy access button support\starteak.exe
c:\program files\eset\nod32kui.exe
c:\program files\cookiemuncher\cookiem.exe
c:\windows\system32\alg.exe
c:\program files\apc\apc powerchute personal edition\mainserv.exe
c:\program files\processguard\dcsuserprot.exe
c:\program files\eset\nod32krn.exe
c:\program files\spybot - search & destroy\teatimer.exe
c:\windows\system32\locator.exe
c:\program files\mailwasher\mailwasher.exe
c:\windows\system32\svchost.exe
c:\program files\java\j2re1.5.0\bin\jusched.exe
c:\windows\system32\ups.exe
c:\program files\spywareguard\sgmain.exe
c:\compaq\eakdrv\eausbkbd.exe
c:\progra~1\compaq\easyac~1\bttnserv.exe
c:\program files\bhodemon 2.0\bhodemon.exe
c:\windows\system32\cmd.exe
c:\program files\mozilla firefox\firefox.exe
c:\program files\compaq\easy access button support\cpqeadm.exe
c:\compaq\cpqinet\cpqinet.exe
c:\program files\the cleaner\tca.exe
c:\windows\system32\rkdetector.exe
-Searching again for Hidden Services..
-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 4 wrong Services )
-------------------------------------------------------------------------------
*SV: EACMOS (EACMOS) PATH: c:\windows\system32\drivers\eacmos.sys
-------------------------------------------------------------------------------
*SV: EAWDMFD (EAWDMFD) PATH: c:\windows\system32\drivers\eawdmfd.sys
-------------------------------------------------------------------------------
*SV: procguard (procguard) PATH: c:\windows\system32\drivers\procguard.sys
-------------------------------------------------------------------------------
*SV: VFILT (Outpost Firewall Kernel Driver) PATH: c:\progra~1\agnitum\outpos~1\
kernel\2000\filtnt.sys
-------------------------------------------------------------------------------
-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
-Trying to detect hxdef with TCP data..
C:\Documents and Settings\spy1>

 

Looks clean. With process guard, NOD,the cleaner, Outpost, processguard, spyblocker, cookie muncher, mozilla, tracks cleaning pro , cleancache ,mrublaster, mailwasher ,spywareguard, spybot teatimer,mailwasher and some more besides that doesnt show on this log, add a dash of knowledge that even the least ignorant of major senior members have (all this talk about security should rub off eventually), I would think it be shocking if there is something bad in there .

Care to post a HJT post as well, might as well tell the world more about your system.

 

You know, I'm really surprised that more people aren't showing an interest in this program.

Anyone else out there using it? Comments? Similar programs? Better programs for checking for the presence of all currently-known root-kits on one's computer?

Since hardly anything that's out there right now can help you if you've already been root-kitted (prior to installation of any given program that's supposed to keep you from being root-kitted), it just seems to me that there would be more enthusiasm for this one.

Or, am I behind the curve yet again? Pete

 

Sure - why not? It certainly can't hurt.

Logfile of HijackThis v1.97.7
Scan saved at 1:40:07 PM, on 5/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\The Cleaner\tca.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\SpyBlocker Software\spyblocker.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BHODemon 2.0\BHODemon.exe
C:\Program Files\CleanCache 2.0\CleanCache.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\CookieMuncher\cookiem.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\ID-Blaster Plus\idblasterplus.exe
C:\Program Files\Microsoft Security\Diet K\DietK.exe
C:\Program Files\Microsoft Security\K-Lite\khancer.exe
C:\Program Files\Microsoft Security\K-Lite\kazaa.exe
C:\Program Files\Microsoft Security\K-Lite\KaZuperNodes\KaZuperNodes.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Defensive Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wilderssecurity.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Protected by Javacool and SpyBlocker PREVENTIVE software.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:4001;gopher=127.0.0.1:4001;http=127.0.0.1:4001;https=127.0.0.1:4001;socks=127.0.0.1:4001
O2 - BHO: (no name) - {08442457-929D-4522-AE24-9D3E4664A0C1} - C:\Program Files\IE URL Spoofing Patch\IEWorkaround3.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [outpost_uninst] C:\DOCUME~1\spy1\LOCALS~1\Temp\_uninstop.exe /u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [Index.dat Suite] C:\run.bat
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
O4 - Startup: CleanCacheStartup.lnk = C:\Program Files\CleanCache 2.0\CleanCache.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: Process Guard.lnk = C:\Program Files\ProcessGuard\procguard.exe
O4 - Startup: Shortcut to cookiem.exe.lnk = C:\Program Files\CookieMuncher\cookiem.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Copy Path - c:\program files\accessories\CopyPath.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: http://www.shellcreditcard.accountonline.com
O15 - Trusted Zone: http://www.cnn.com
O15 - Trusted Zone: http://www.comporium.com
O15 - Trusted Zone: http://*.ct7support.com
O15 - Trusted Zone: http://www.dll-files.com
O15 - Trusted Zone: http://www.dslreports.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.3936226852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab

Perhaps the BelArc profile would be of some help? Pete

 

@Spy

DCS Gavin and I doubt that Rootkit Detector will find a customized HD rootkit. (But I have not made any experiments yet.)

A quick and reliable way to find (almost) any rootkit is to search for "cloaked" registry entries. This can be done with the help of RegdatXP. I believe that a2 v2 will also be able to do this.

There are other tools which can be used to detect the HD rootkit. Such tools include krnlps (KernelPS), TaskInfo 2003 and, possibly, Vice. I have not tried Vice yet since it requires the installation of the Microsoft .NET framework.

Generally, it is not allowed in this forum to post links to Rootkit Detector, KernelPS or Vice since these tools are hosted on sites which also offer exploits and/or malware.

 

(Mods: Feel free to delete that link if need be).

Took a look at RegdatXP - it looks way over my head (one of the problems with being stupid is that I'm - well - stupid! <g> ).

But thank you for cluing me in on some of the others. Vice sounds interesting (I already have the .NET Framework installed since I needed it to try out CleanCache).

Does that one require a degree in rocket science/brain surgery to use also?

I guess the whole thrust of what I'm trying to accomplish here is to find a relatively simple-to-use (although highly efficient) program that will enable people to ensure that they're not already root-kitted before they spend the bucks to buy a program that's supposed to prevent being root-kitted, and thus have a false sense of security in that particular area. Pete

 

RegdatXP does not require difficult things to do. Detection works automatically.


You just need to start the program, click on the rider "compare", choose the option "selected keys" and then check the boxes "hiddens". Thereafter, you click "run" and you are done.

 

Hi,
I think this is a another aspect of detecting rootkits.
http://www.security-forums.com/forum/viewtopic.php?t=8298&sid=fb214bc36c6c46cc19c23f7772da0fd1

Best Regards

 

Hi

is there any forums for Vice? I see a few fals possitives listed on the rootkit site but in my case it is finding SHLWAPI.DLL a a usermode hook rootkit.

Thanks

controler