Rootkit Revealer Detection !!

Discussion in 'other security issues & news' started by Hard Rocker, Jun 2, 2005.

Thread Status:
Not open for further replies.
  1. Hard Rocker

    Hi, :eek:

    I just downloaded & ran Rootkit Revealer & it immediately detected HKLM\SOFTWARE\Classes\webcal\URL Protocol.

    When the scan was complete it showed 7 discrepancies .... 6 of them in C:\System Volume Information.

    What I find strange is that the timestamp ( for the HKLM\SOFTWARE\Classes .... etc ) is indicated at August 31, 2004 & since this is a new PC .... I never accessed the internet before September 22, 2004. The C:\System Volume Information timestamps indicate 02/06/2005 which would be today's date. o_O

    It also states on the HKLM\SOFTWARE line that there is a data mismatch between Windows API and raw hive data.

    I am a new PC User so I hope I'm providing useful info on this & I do realize it is quite late .... early morning .... as well. However, I'm quite concerned about this & wanted to make this post anyway.

    Thoughts or Advice Anyone ??

    HR :cool:
  2. Hard Rocker

    I just installed the 30 day trial of UnHack Me & it does not detect anything, o_O

    It does not have a scanner as with Rootkit Revealer .... but when I select " Check Me Now ! " it informs me that NO trojans are found. I also have the background monitor enabled.

    Which program should I believe ? :doubt:

    Could Rootkit Revealer's detection be a False Positive or is it in fact flagging malware UnHack Me might have missed ? How would I know either way at this point in time ? :(

    HR :cool:
  3. richrf

    Hi HD,

    Some other experts will be along shortly and will probably want to look at a screenshot. But first:

    1) My guess is that there is no rootkit.
    2) Did you run an AV scan? If so, which product?
    3) Was anything else running (started up) while you were doing the Rootkit Revealer scan?
    4) I would trust the UnHackMe results for now. It is always difficult to interpret the RR results.

    Rich
  4. Hard Rocker

    Hi again Rich, :D

    I'll run my BitDefender on demand scanner when I log off here .... especially since I know what you think of Norton. (lol)

    I went into regedit & have the location in question open on my PC & minimized. However I've no idea what to do .... if anything from here.

    Thanks for responding & I have to get going right now .... but I can assure you I'll be back here as soon as I can.

    I sort of thought it could have been a F/P as well .... or at least I'm hoping that is the case. o_O

    Take it easy guy !!
    Hard Rocker :cool:
  5. richrf

    Hi HD,

    I wouldn't worry for now. The results of RR are very difficult to interpret, so just try to get a screen shot so others can look over what is happening.

    Cya around,
    Rich
  6. Pikachu762

  7. Hard Rocker

    :) Thanks for the info & the link ..... I will check it out now.

    HR :cool:
  8. Hard Rocker

    Hi, :D

    Just finished scanning with BlackLight Beta .... Total of 59 processes .... & NO Hidden Items Found !!

    So it's 2 out of 3 .... on the positive side. :D

    HR :cool:
  9. lynchknot

    Hard Rocker, I hope you don't but your thread will be an education for me and others (mismatch). I ran all the same tests and came up negative - except I have a hive dump problem with RootkitRevealer.

    Thanks for posting.


    I can appreciate your post richrf.

    Nice post. Over at another board they will marvel at how you got infected with all your security apps (without even knowing for sure) - after posting your personal list of apps and linking to it (making it public at a board you are not a member of). When you get angry over it, they will say your attitude sucks and then won't help you.
    Last edited: Jun 2, 2005
  10. richrf

    Hi guys,

    It's for situations like this that I think it is nice to have products like ProcessGuard in place that prevent the installation of rootkits. All indications are that you do not have it, and ProcessGuard is kind of like your final insurance policy.

    Personally, I think that Rootkit Revealer is showing some issues exist somewhere on your system, but probably nothing that has to do with rootkits or any other malware.

    Rich
  11. kareldjag

    Hi,

    Rootkit Revealer is an interesting utility, but a waste of time if we can't read and understand the results.

    Not all rootkits are detected by AVs: it depends on which one we have.

    The common Windows rootkits are detected by UnHackMe (HxDef, Vanquish, AFXRootkit2005...).

    For an easy detection, it's better to take a look at hidden processes and services:

    With KprocCheck: http://www.security.org.sg/code/kproccheck.html

    Or with Frisk: http://sourceforge.net/projects/frisk

    Just unzip the file and double click on the frisk.bat file.
    Give an "allow once" permission for the files on the firewall.

    When the check up is finished, choose the hard drive "c", and answer "yes" to the question "are you sure...".

    Then take a look at the html report which is located in "C" (it's named with the date and the OEM-number).
    And just double-click on the "Detect Rootkits" reports (see the image).

    Regards


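Since the thread never spells out what KProcCheck and Frisk actually do when they look for hidden processes, here is an added example of the cross-view idea behind that step. It is not code from either tool or from anyone in this thread. On Windows it compares the normal Toolhelp32 process listing with a brute-force probe of every candidate PID via OpenProcess; a PID that can be opened (or is refused with ACCESS_DENIED, which still proves it exists) yet is missing from the listing is a candidate hidden process. The comparison logic itself is plain Python, and the PID sets marked as constructed are made up so the logic can be exercised on any platform; the PROCESS_QUERY_LIMITED_INFORMATION access right assumed here exists from Vista onward (on XP-era systems PROCESS_QUERY_INFORMATION, 0x0400, would be used instead).

```python
"""Hidden-process check by cross-view: compare a normal process listing
with a brute-force probe of every possible PID.  Added example, not the
code of KProcCheck, Frisk or any other tool named in the thread."""
import sys
from typing import Dict, Iterable, List, Set


def hidden_pids(listed: Iterable[int], reachable: Iterable[int]) -> List[int]:
    """PIDs that answer to OpenProcess but are absent from the listing.
    PID 0 (System Idle) never opens, so it is excluded from the probe side."""
    return sorted(set(reachable) - set(listed) - {0})


# Constructed sample of what the two views might return (not real output).
SAMPLE_LISTED = {0, 4, 368, 1024, 2048}
SAMPLE_REACHABLE = {4, 368, 1024, 2048, 3100}


def demo() -> List[int]:
    """Run the comparison over the constructed sample."""
    return hidden_pids(SAMPLE_LISTED, SAMPLE_REACHABLE)


if sys.platform == "win32":
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    TH32CS_SNAPPROCESS = 0x00000002
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # Vista+; use 0x0400 on XP
    ERROR_ACCESS_DENIED = 5
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD),
                    ("th32DefaultHeapID", ctypes.c_size_t),
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD),
                    ("pcPriClassBase", wintypes.LONG), ("dwFlags", wintypes.DWORD),
                    ("szExeFile", ctypes.c_char * 260)]

    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.CreateToolhelp32Snapshot.argtypes = [wintypes.DWORD, wintypes.DWORD]
    for fn in (k32.Process32First, k32.Process32Next):
        fn.restype = wintypes.BOOL
        fn.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)]
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    def toolhelp_pids() -> Dict[int, str]:
        """View 1: the Toolhelp32 snapshot, the list most tools display."""
        snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
        if snap == INVALID_HANDLE_VALUE:
            raise ctypes.WinError(ctypes.get_last_error())
        found: Dict[int, str] = {}
        try:
            entry = PROCESSENTRY32()
            entry.dwSize = ctypes.sizeof(PROCESSENTRY32)
            ok = k32.Process32First(snap, ctypes.byref(entry))
            while ok:
                found[entry.th32ProcessID] = entry.szExeFile.decode("mbcs", "replace")
                ok = k32.Process32Next(snap, ctypes.byref(entry))
        finally:
            k32.CloseHandle(snap)
        return found

    def bruteforce_pids(max_pid: int = 65536) -> Set[int]:
        """View 2: try to open every candidate PID.  ACCESS_DENIED still
        proves the process exists; any other failure means no such PID."""
        alive: Set[int] = set()
        for pid in range(4, max_pid, 4):           # Windows PIDs are multiples of 4
            h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
            if h:
                k32.CloseHandle(h)
                alive.add(pid)
            elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
                alive.add(pid)
        return alive

    def check_live() -> List[int]:
        """Probe twice and keep only PIDs hidden both times, so a process that
        merely started or exited between the two views is not reported."""
        first = hidden_pids(toolhelp_pids(), bruteforce_pids())
        second = hidden_pids(toolhelp_pids(), bruteforce_pids())
        return sorted(set(first) & set(second))


if __name__ == "__main__":
    if sys.platform == "win32":
        print("hidden PIDs:", check_live())
    else:
        print("not Windows; constructed sample gives hidden PIDs:", demo())
```

The double probe in check_live is the practical caveat: a single pass will report any short-lived process that appeared between the two enumerations, which is the same kind of transient discrepancy richrf asks about above when he wonders whether anything else was starting up during the scan.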
  12. lynchknot

    sorry Hardrocker I just realized it may appear I'm taking over your thread. I don't mean to but it would be pointless to start another one. Please continue.


    Thanks kareldjag! I like the name "Frisk", very appropriate.
    nice!

    oh oh! "SUSPICIOUS MODULE" - perhaps why OE and scannow will not start in my computer

    Last edited: Jun 2, 2005
  13. Hard Rocker

    All I can say at this point is ..... aside from Rich & another member no one has really helped me with my original question.

    I am however downloading Frisk as I'm typing this post & maybe that will shed more light on my problem.

    I realize threads DO sometimes get off topic ..... or whatever, but isn't there a moderator for this forum that's supposed to move certain topics to a new thread or something when this happens. I'm kind of new to Wilders so I don't know all of the guidelines ..... so to speak. As well, I believe that this is the first time I've started a thread in this location so I don't really know what happens here either.

    Take it easy guys !!

    HR
  14. lynchknot

    As far as I know it's on topic (rootkit detection). While you wait for an expert to come and read your post, since none of us know too much about reading the results, kareldjag was kind enough to show us some alternatives - all applicable to the topic at hand. I am currently experiencing the exact same issue as I ran rootkitrevealer just yesterday and am not having good results. That is why I find your topic exactly the topic I am experiencing. If you like, we can have two identical topics if you feel I'm intruding.

    If someone runs a search for rootkits and detection. I believe he's supposed to enter the most current thread instead of starting his own. I'm guilty of starting two others but different topics. This one offered new alternatives so I'm here. I can't see me going back to my thread requesting alternatives and kareldjag posting again what he posted here.

    I am posting results for your benefit as well. Hoping we arrive at a good conclusion. If I come to some realization and can help you. You can bet I would be glad to give you a hand.

    I don't know too much about this security stuff, but one thing I know quite a bit of is in my sig. In fact that's one area I'm an expert in (sort of)
    Last edited: Jun 3, 2005
  15. Hard Rocker

    Ok lynchknot, ;)

    Now that I ran Frisk I see where you are coming from. I did not understand all the technical data in your post & thought you had a different problem.

    It seems that we are both dealing with the same sort of issue I would think. Also I did not know that you also had an ongoing separate thread.

    It took me a little while .... but I finally figured out how to get Frisk running & when I checked the html report it shows me the same results as you obtained with the suspicious modules & the 0 running rootkits. o_O

    Since I do not know how to post screenshots .... that is the best I can do for now & thanks would be in order to kareldjag for his input & instructions about Frisk.

    Also, if you are referring to scannow (check of windows files) .... mine runs fine & I seem to have the same Frisk results as you. I should mention I'm a fairly new PC User so all of this is really quite " heavy duty " for me at this point in time. :doubt:

    HR :cool:
  16. lynchknot

    Well that's, sort of, a relief to me (having the same output) because I was worried about the suspicious modules. One other problem I'm having, besides sfc /scannow not opening, is Outlook Express refuses to open as well (Outlook opens though but I don't use it)

    HR, you can use the "print screen" button and paste into "paint" or any graphics editor you may have - then crop it - save as *"jpg" and host it here: http://www.imageshack.us/

    *mine won't let me save a cropped image as jpg only bmp so I have to copy then push "new" and paste again and save as jpg.

    Or you can get an app called "snagit" which is what I use and it's great. If you want more help in this area I'd be glad to help via PM's.
    Last edited: Jun 3, 2005
  17. Hard Rocker

    Hi, :)

    My Outlook Express opens fine .... in fact I had that Microsoft welcome message sitting there .... since way back when. o_O

    Today was the first time I ever opened the program since I bought this PC from DELL back in October.

    I bookmarked " snagit " for now & thanks for your help offer. I guess the trial period is for 30 days .... or whatever, so I won't download it until I really need to use it. I'm not too enthusiastic about paying $39.99 for a program that won't get used very often.

    So what's next ? I guess we will have to keep waiting & hope someone will be able to shed some light on the rootkit detection situation !! :doubt:

    Also, in my html report : under, searching for wrong Service Paths it shows .... Found : 3 wrong Services. I don't know what that's about. o_O

    HR :cool:
  18. richrf

    Hi Guys,

    I ran rkdetector on my machine (which I know is clean), and it showed no hidden processes or rootkits, but it did have ProcessGuard as "wrong service path". I don't know what this means, but it is nothing to worry about.

    Here is a short thread on rkdetector and also how to use RegdatXp to locate rootkits:

    http://www.wilderssecurity.com/archive/index.php/t-33519

    I think UnHackMe uses a similar algorithm to identify "cloaked registry entries".

    In any case, I don't think you have any rootkit or anything to be concerned about. But you can see, it gives lots of relief to know that ProcessGuard is running and helping to defeat rootkit installation - just for the peace of mind. :)

    Cya,
    Rich
  19. Hard Rocker

    :D Thanks Rich,

    Interesting link ..... very educational !!

    Wonder what's going on with lynchknot ..... haven't heard from him in a couple of days.

    I've been looking at Process Guard again but I want to make sure if I do download it that I have plenty of time to devote to setting PG up & NOT have any other PC issues to worry about.

    HR :cool:
  20. lynchknot

    Hello Hard Rocker. I had to take a break from the internet. I let life's trials and tribulations erode any patience I had for people on the net, including myself - coupled with my computer problem - just made it worse as the computer takes #1 priority when it's not functioning correctly (being the computer addict I am). I decided I should be the priority and take time for myself. Thanks for asking.

    It's good to hear your computer is fine. I hope you like PG. It's a must for me. I feel naked without it.

    **edit - scannow is fixed
    Last edited: Jun 5, 2005
  21. Hard Rocker

    Hi Lynchknot, :D

    I can certainly understand your frustrations & concerns !!

    As a new user ( October 2004 ) and being a guy whose main interests previously were both playing & being into music as my # 1 priority I have found it very hard at times coping with all of the security issues related to PC's. Especially when I hear from different sources about how Mac users do NOT have to deal with all the malware problems that we do. :mad:

    Hang in there guy ..... we don't have much choice.

    All I can say is Wilders has been a huge help to me & as long as I have a PC I will most likely be a member here !!

    Take it easy,
    HR :cool:
  22. lynchknot

    That's really not the whole truth. I'll come clean here as well. There's more going on in real life - my mom's mental deterioration (loss of words and mental acuity) coupled with health issues (advanced diabetes, osteoporosis - she fell, walking in the house and broke her wrist in two places) - There's a noticeable change.

    Since my dad died (complications of non-Hodgkin's lymphoma or should I say, the poor choice of the medical establishment to kill the body's immune system to kill cancer cells*), I have moved in with her and take care of some of her needs (I'm single at the moment, so it's not an issue - besides I would anyway) otherwise she would be all alone. I'm afraid her time is drawing near.

    Everything is overwhelming



    *in the 50 or so years of Cancer fund-raising, they still use the same techniques which do not work very well.(cut, chemicals, or radiation) You think by now they would come up with something better and less destructive? No, there's money to be made, while the doctors helped to kill my dad.

    PC users get to enjoy much more "ware" than Mac users. Much of it is great.
    Last edited: Jun 7, 2005
  23. Hard Rocker

    ;) In all sincerity I wish you .... the very best .... and strength .... in a very difficult time.

    HR
  24. lynchknot

    Thanks HR. :doubt:
  25. crackman

    I am new to this forum and found the following. Hope I'm not breaking protocol by posting my experiences in this thread.

    This post is most interesting. The same problem occurs in my computer. Rootkit Revealer v1.54 showed the following:

    HKLM\SOFTWARE\Classes\webcal\URL Protocol
    3/16/2005 2:22 PM
    13 bytes
    Data mismatch between Windows API and raw hive data.


    The date stamp (Mar 16) is at the time when Dell was assembling my computer, so it may be that this issue predates any personal activity on the machine. The Registry key in question is:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\webcal]
    "URL Protocol"="URL Pr"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\webcal\shell]


    Before I uninstalled Dell's AOL files, there were two additional entries:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\webcal\shell\open]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\webcal\shell\open\command]
    @="rundll32.exe C:\\PROGRA~1\\AMERIC~1.0\\WEBCAL~1.DLL,WebCalHandler %1"

    However, the same Rootkit Revealer error was reported both before and after the AOL uninstallation.

    I'm running Windows XP/SP2, IE 6.0/SP2, McAfee AV, and the usual anti-spyware programs. Forum rules say don't post HJT, so I won't, but it appears to be clean. No suspicious computer activity.

    Like Hard Rocker, I'd like to know what's going on here. Is this trickery on Dell's part, a rootkit, a Rootkit Revealer problem, or what?
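To make the "Data mismatch between Windows API and raw hive data" line concrete, here is an added example of the cross-view technique that produces it. It is not RootkitRevealer's code and not from anyone in this thread: a tool of that kind reads the hive file directly, reads the same keys through the registry API, and reports every path the two views disagree on, either because the API never returns it ("Hidden from Windows API.") or because the bytes differ. Both views are simulated here so it runs anywhere. The specific guess that a 13-byte REG_SZ whose API view reads "URL Pr" is the UTF-16 string "URL Pr" (12 bytes) followed by one stray byte, and that a string-oriented API consumer drops the odd byte and re-terminates the string, is an assumption chosen to reproduce the symptom posted above; the thread does not establish the cause, so treat explain_mismatch as triage, not proof. The hive contents are constructed.

```python
"""Cross-view registry check in the style of RootkitRevealer.  Added example,
not RootkitRevealer's code.  Both the raw hive and the API view are simulated;
the API-side string handling is an assumption (see api_string_view)."""
from typing import Dict, List, Optional, Set, Tuple

REG_SZ = 1
REG_DWORD = 4

# value path -> (registry type, data bytes exactly as stored)
HiveView = Dict[str, Tuple[int, bytes]]


def api_string_view(raw: bytes) -> bytes:
    """ASSUMED behaviour of a string-oriented API consumer for REG_SZ data:
    UTF-16LE, cut at the first NUL wchar, a dangling odd byte ignored, and a
    proper two-byte terminator put back."""
    body = raw[: len(raw) - (len(raw) % 2)]
    text = body.decode("utf-16-le", errors="replace")
    nul = text.find("\x00")
    if nul >= 0:
        text = text[:nul]
    return text.encode("utf-16-le") + b"\x00\x00"


def simulate_api(raw_hive: HiveView, hidden: Set[str] = frozenset()) -> HiveView:
    """The API side of the comparison.  `hidden` stands in for a rootkit that
    filters those paths out of enumeration; string data goes through
    api_string_view, everything else is returned as stored."""
    view: HiveView = {}
    for path, (rtype, data) in raw_hive.items():
        if path in hidden:
            continue
        view[path] = (rtype, api_string_view(data) if rtype == REG_SZ else data)
    return view


def diff_views(raw_hive: HiveView, api_view: HiveView) -> List[str]:
    """Walk the raw hive and report every value the API view disagrees on,
    using RootkitRevealer's wording for the two cases."""
    findings: List[str] = []
    for path, (rtype, raw) in sorted(raw_hive.items()):
        if path not in api_view:
            findings.append(f"{path}\t{len(raw)} bytes\tHidden from Windows API.")
            continue
        atype, adata = api_view[path]
        if atype != rtype or adata != raw:
            findings.append(f"{path}\t{len(raw)} bytes\t"
                            "Data mismatch between Windows API and raw hive data.")
    return findings


def explain_mismatch(rtype: int, raw: bytes) -> Optional[str]:
    """Triage: a malformed string value explains a mismatch without any
    rootkit.  None means the data is well-formed and deserves a closer look."""
    if rtype != REG_SZ:
        return None
    if len(raw) % 2:
        return f"odd-length REG_SZ ({len(raw)} bytes): not a whole UTF-16 string"
    if not raw.endswith(b"\x00\x00"):
        return "REG_SZ without a NUL terminator"
    if "\x00" in raw[:-2].decode("utf-16-le", errors="replace"):
        return "REG_SZ with an embedded NUL: the API stops reading early"
    return None


# Constructed sample hive (not data from anyone's real machine).
WEBCAL_RAW = "URL Pr".encode("utf-16-le") + b"\x00"          # 13 bytes, matching the thread's symptom
GOOD_RAW = "URL Protocol".encode("utf-16-le") + b"\x00\x00"  # well-formed string
HIDDEN_PATH = r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleHidden\Start"
SAMPLE_HIVE: HiveView = {
    r"HKLM\SOFTWARE\Classes\webcal\URL Protocol": (REG_SZ, WEBCAL_RAW),
    r"HKLM\SOFTWARE\Classes\example\URL Protocol": (REG_SZ, GOOD_RAW),
    HIDDEN_PATH: (REG_DWORD, (2).to_bytes(4, "little")),
}


def scan_sample() -> List[str]:
    """Run the comparison over the constructed hive with one path hidden."""
    return diff_views(SAMPLE_HIVE, simulate_api(SAMPLE_HIVE, {HIDDEN_PATH}))


if __name__ == "__main__":
    for line in scan_sample():
        print(line)
        rtype, raw = SAMPLE_HIVE[line.split("\t")[0]]
        print("   benign explanation:", explain_mismatch(rtype, raw))
```

The two findings illustrate the practical split: the webcal value mismatches only because its data is not a whole UTF-16 string, so explain_mismatch gives a benign reason, while the hidden service value is missing from the API view altogether and has no such excuse, which is the pattern that actually warrants a closer look.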