#26
I'm not 100% sure but I think we are looking for an executable with a date discrepancy coupled with a mismatch between Windows API and raw hive data.
#27
Since my last (and only) post to this thread concerning my similar results with Rootkit Revealer, I have downloaded and run RKDetector. My results are almost identical to those posted earlier; i.e., "suspicious modules" imm32.dll, lpk.dll, and usp10.dll along with a likely-hooked module msvcrt.dll. Namely, the relevant results from my RKDetector are:
```
-Searching for wrong Service Paths.... ( Found: 1 wrong Services )
------------------------------------------------------------------------------
*SV: wanatw (WAN Miniport (ATW)) PATH: C:\WINDOWS\system32\drivers\wanatw4.sys
------------------------------------------------------------------------------
-Searching for Rootkit Modules........
------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\imm32.dll
------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\lpk.dll
------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\usp10.dll
------------------------------------------------------------------------------
*WARNING! MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE HOOKED
------------------------------------------------------------------------------
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)
```

We may be onto something here, people. Checking the discrepancies, the path C:\WINDOWS\system32\drivers\wanatw4.sys DOES NOT EXIST in my system! 'wanatw4.sys' is in I386 (date stamp is 1-10-2003 and size is 33,588 bytes), but it is not in WINDOWS\SYSTEM32. Description is "Wan Miniport (ATW)"; Version is 8.3.0.0; Copyright is © 2001-2002 America Online, Inc. AOL also had my suspect 'webcal' entry. Files 'imm32.dll', 'lpk.dll', and 'usp10.dll' are all in I386, WINDOWS\SYSTEM32, and in the DLLCACHE as expected. They are valid Microsoft files, and their file sizes correspond with what they should be (apparently), so what makes them 'suspicious' is unknown.

As for c:\windows\system32\msvcrt.dll, the module's properties say "Windows NT CRT DLL", version 7.0.2600.2180, with a size of 343,040 bytes, created and modified on 8-4-2004. Microsoft Article ID 194205 describes a special file of that name that is used by AOL. I am now wondering if AOL might be at the 'root' of all this (pun intended). Hope I'm not throwing too much data at you.
#28
On one of my machines I found this (see link). What should I think about this, am I rootkitted or not?

Last edited by snapdragin : February 23rd, 2006 at 12:13 AM. Reason: attached linked image
#29
The image works again, nobody with any feedback?
#30
Maybe, just maybe, there may be some answers for Hard Rocker. I had noticed the same Hive/API discrepancy that he did, as quoted:
Quote:
As for the other discrepancies, quoting with deletions of dashed lines: Quote:
To see if any suspicious activity might be taking place at startup, I ran REGMON during the boot process. Modules imm32, lpk, usp10, and msvcrt (and MANY others) were referenced 44 times for image options. This seemed to occur not only for the various startup routines, but also for others, and apparently is a normal activity. Module usp10.dll had 4 extra refs due to its being an Office module. Neither imm32.dll nor lpk.dll had any Registry refs, but usp10.dll is shared by Microsoft Works and by Picture It, and msvcrt.dll is shared by many programs. The three modules imm32, lpk, and usp10 seem legitimate on my own machine despite RKDetector's suspicions, and I don't think that msvcrt.dll really is hooked; just many dependencies. Lack of suspicious activity leads me to consider RKDetector's findings to be false positives, though it is clearly a good program (beats false negatives). One discrepancy not shared with lynchknot, a wrong path for wanatw (WAN Miniport), is likely due to an unclean uninstall by AOL (famed for leaving behind a fouled nest). As for Rasheed 187, you might check the above info as a starter.
#31
Quote:
Sure, looks like someone implanted a rootkit via a zeroday exploit through IE.

Sure looks like you were running Sysinternals Process Explorer at the time. Let me guess: you replaced your task manager with it? Either that or something messed up with it. For guys having weird discrepancies with Rootkit Revealer, I recommend you do the following:
1) Disconnect from the net
2) Turn off all your programs, as well as nonessential services
3) Run Rootkit Revealer
A lot of mismatches appear because 'stuff' is happening at the same time Rootkit Revealer is comparing. This is especially so for security software.
#32
Hi,
I downloaded and ran the latest RootkitRevealer. I had two discrepancies:

```
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\	23/08/2004 11:48	0 bytes	Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\	23/08/2004 11:50	0 bytes	Key name contains embedded nulls (*)
```

```
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\쀐]
"DisplayName"="װ!װ!"
"DeviceDesc"="װ!װ!"
"ProviderName"="ﻔ粐d"
"MFG"="Ԭ"
"ReinstallString"="C:\\WINDOWS\\System32\\ReinstallBackups\\쀐\\DriverFiles\\.INF"
"DeviceInstanceIds"=e:\pmr400222eu0 osaka20 sp2 en,gr,fr,it\display driver\sbdrv\smbus\smbusati.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\୵粁·]
"DisplayName"="䟔"
"DeviceDesc"="䟔"
"ProviderName"="娴粐媤"
"MFG"="ᅈ "
"ReinstallString"="6.14.10.6430"
"DeviceInstanceIds"=e:\pmr400222eu0 osaka20 sp2 en,gr,fr,it\display driver\driver\2kxp_inf\cx_15265.inf
```

Are these valid entries? Malware? I read somewhere that some valid keys had embedded nulls. Note that in both these keys none of the identifiers, i.e. displayname, manufacturer (mfg), description etc., have only these odd symbols. Thanks, Doh!
#33
Thanks for the feedback, James Taylor.
That might be it, and no, I haven't replaced Task Manager, but I do use Process Explorer a lot.
#34
I've got a Dell too... and get the same detection... it's something to do with AOL:

rundll32.exe C:\PROGRA~1\AOL9~1.0\WEBCAL~1.DLL,WebCalHandler %1

but I'm gonna save that part of the registry... then copy the right data into the field... let's hope it works
#35
Quote:
http://www.sysinternals.com/Forum/se...I=PT&FM=0&OB=1

Also another link you should look @ > http://www.sysinternals.com/Forum/fo...p;KW=Reinstall

Hope this helps
T
#36
Quote:
Leccy: I'm curious about the common thread of Dell computers giving a WEBCAL discrepancy. Do you remember how many bytes mismatched? Did you have any luck rectifying this item?
Crackman
#37
I found the exact same thing after running Rootkit Revealer, then going on to give my registry a few pokes with a big stick. I've never had a Dell, but I have had AOL installed, so I'm guessing it's just something left over from the installation. I've run Blacklight a couple of times, and it reveals nothing. Probably a harmless glitch, but widespread based on what I'm seeing after googling on "webcal\URL protocol."
#38
Hmm...I have a Dell and had AOL installed last month. (I get AOL free now through my ISP Road Runner). I uninstalled AOL after I couldn't get the radio to work. I ran Rootkit Revealer and it found nothing.
#39
I had lost hardwired communications with my router.
I originally did a system restore to a previous date, and it restored communications. Then the communication failures came back, and the system restore didn't help. I ran the rootkit revealer and it found this string and it found a similar string under HKLM\Software\Microsoft\Windows\CurrentVersion\Reinstall. I ran regedit and deleted it, and my router communications came back. I get the feeling that this is a symptom of a larger problem.
#40
You may want to look for your DLL here: http://www.castlecops.com/bho-w.html

The WEB cal thing could be a corporate time server or something.
controler
#41
This might help with some of the ?fp and RR scan results.
Plenty of posts in the forums there: http://www.sysinternals.com/Forum/fo...?TID=2408&PN=1
#42
This is weird. I ran Rootkit Revealer again just now and it found the webcal discrepancy that is being discussed here. When I ran it on Nov 6, it found nothing. I suppose webcal was being updated during the scan this time and that is why it was found. I did not disconnect from the internet either time I ran the scan nor did I run it in safe mode.
What interests me though is that webcal is part of AOL and it would appear even though I ran RegCleaner after uninstalling AOL, I still have AOL stuff in the registry.
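A triage helper for the two-scan approach suggested in #31 and the run-to-run variation seen in #42, added here as an example; it is not RootkitRevealer's code and was not posted by anyone in this thread. It assumes RootkitRevealer's tab-separated text output (path, timestamp, size, description) and uses constructed sample reports modelled on the lines quoted above; the `example.sys` finding is made up to show the high-severity case.

```python
import re
from dataclasses import dataclass

# Constructed sample of two RootkitRevealer text reports (tab-separated columns:
# path, timestamp, size, description), modelled on the lines quoted in the thread.
SCAN_1 = (
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Reinstall\\\t23/08/2004 11:48\t0 bytes\tKey name contains embedded nulls (*)\n"
    "HKLM\\SOFTWARE\\Classes\\webcal\\URL Protocol\t22/02/2006 09:01\t0 bytes\tData mismatch between Windows API and raw hive data.\n"
    "C:\\WINDOWS\\system32\\drivers\\example.sys\t10/01/2003 08:00\t32.80 KB\tHidden from Windows API.\n"
)
SCAN_2 = (  # second run, taken offline with other programs closed (constructed)
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Reinstall\\\t23/08/2004 11:48\t0 bytes\tKey name contains embedded nulls (*)\n"
    "C:\\WINDOWS\\system32\\drivers\\example.sys\t10/01/2003 08:00\t32.80 KB\tHidden from Windows API.\n"
)

@dataclass(frozen=True)
class Finding:
    path: str
    timestamp: str
    size: str
    description: str

def parse_rkr(text):
    """Parse RootkitRevealer text output; blank or malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) == 4:
            findings.append(Finding(*parts))
    return findings

EXECUTABLE = re.compile(r"\.(exe|dll|sys|ocx|scr)$", re.IGNORECASE)

def severity(f):
    """An executable hidden from the Windows API is the classic rootkit signature;
    registry mismatches and embedded-null key names are often benign and only need review."""
    d = f.description.lower()
    if "hidden from windows api" in d and EXECUTABLE.search(f.path):
        return "high"
    if "hidden from windows api" in d or "mismatch" in d:
        return "medium"
    if "embedded nulls" in d:
        return "review"
    return "info"

def persistent(scan_a, scan_b):
    """Keep findings present in both scans (path + description); one-off hits are likely in-flight activity."""
    seen = {(f.path.lower(), f.description) for f in scan_b}
    return [f for f in scan_a if (f.path.lower(), f.description) in seen]
```

In the sample the webcal mismatch drops out as transient, while the embedded-null key is kept for review and the hidden driver is flagged high.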
#43
Get regseeker and delete all AOL entries