Rootkit Detector V0.62 for Windows 2K/XP/2k3

Discussion in 'other anti-trojan software' started by spy1, May 24, 2004.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Okay, I can get this thing to run - but I can't get it to stay open long enough to read the results when it's done.

    I've tried using
    cmd rkdetector.exe from "Run" (not a valid Win32 app, supposedly) and I've tried just running it from the program folder (that's when it runs and then disappears).

    It's got this "tcp.dll" in the unpacked folder which really seems like it ought to be somewhere other than there. Every time I try to get that dll to register, I get the error message shown in the screenshot.

    What am I doing wrong here? Pete
     

  2. spy1

    If someone could clue me in to the correct command to use on this program to get it to run and remain open afterwards, it would be much appreciated. Pete
     
  3. -_-

    -_- Guest

    You just need to open a DOS shell (from within Windows) and then run the program. In that case the window won't close.
     
  4. RUffian

    RUffian Guest

    LOL, don't people know how to use DOS these days?
     
  5. spy1

    <g> Apparently not. I thought I had already tried that, but I'll go back and try it again.
     
  6. spy1

    I'll be darned if it didn't run straight from the cmd prompt this time! (I thought it was supposed to, but it sure didn't happen the first time around!).
    Anyway, does this all look good?


    . .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
    Rootkit Detector Profesional 2004
    Programmed by Andres Tarasco Acuna
    Copyright (c) 2004 - 3wdesign Security
    Url: http://www.3wdesign.es


    -Gathering Service list Information... ( Found: 266 services )
    -Gathering process List Information... ( Found: 42 process )
    -Searching for Hidden process Handles. ( Found: 0 Hidden Process )
    -Checking Visible Process.............
    c:\program files\cleancache 2.0\cleancache.exe
    c:\program files\spyblocker software\spyblocker.exe
    c:\windows\explorer.exe
    c:\program files\spywareguard\sgbhp.exe
    c:\program files\mru-blaster\scheduler.exe
    c:\windows\system32\smss.exe
    c:\windows\system32\csrss.exe
    c:\windows\system32\winlogon.exe
    c:\windows\system32\services.exe
    c:\windows\system32\lsass.exe
    c:\program files\acesoft\tracks eraser pro\te.exe
    c:\windows\system32\svchost.exe
    c:\program files\processguard\procguard.exe
    c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe
    c:\program files\apc\apc powerchute personal edition\apcsystray.exe
    c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
    c:\windows\system32\spoolsv.exe
    c:\program files\compaq\easy access button support\starteak.exe
    c:\program files\eset\nod32kui.exe
    c:\program files\cookiemuncher\cookiem.exe
    c:\windows\system32\alg.exe
    c:\program files\apc\apc powerchute personal edition\mainserv.exe
    c:\program files\processguard\dcsuserprot.exe
    c:\program files\eset\nod32krn.exe
    c:\program files\spybot - search & destroy\teatimer.exe
    c:\windows\system32\locator.exe
    c:\program files\mailwasher\mailwasher.exe
    c:\windows\system32\svchost.exe
    c:\program files\java\j2re1.5.0\bin\jusched.exe
    c:\windows\system32\ups.exe
    c:\program files\spywareguard\sgmain.exe
    c:\compaq\eakdrv\eausbkbd.exe
    c:\progra~1\compaq\easyac~1\bttnserv.exe
    c:\program files\bhodemon 2.0\bhodemon.exe
    c:\windows\system32\cmd.exe
    c:\program files\mozilla firefox\firefox.exe
    c:\program files\compaq\easy access button support\cpqeadm.exe
    c:\compaq\cpqinet\cpqinet.exe
    c:\program files\the cleaner\tca.exe
    c:\windows\system32\rkdetector.exe
    -Searching again for Hidden Services..
    -Gathering Service list Information... ( Found: 0 Hidden Services)
    -Searching for wrong Service Paths.... ( Found: 4 wrong Services )
    -------------------------------------------------------------------------------
    *SV: EACMOS (EACMOS) PATH: c:\windows\system32\drivers\eacmos.sys
    -------------------------------------------------------------------------------
    *SV: EAWDMFD (EAWDMFD) PATH: c:\windows\system32\drivers\eawdmfd.sys
    -------------------------------------------------------------------------------
    *SV: procguard (procguard) PATH: c:\windows\system32\drivers\procguard.sys
    -------------------------------------------------------------------------------
    *SV: VFILT (Outpost Firewall Kernel Driver) PATH: c:\progra~1\agnitum\outpos~1\
    kernel\2000\filtnt.sys
    -------------------------------------------------------------------------------
    -Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
    -Trying to detect hxdef with TCP data..
    C:\Documents and Settings\spy1>
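
    The "wrong Service Paths" lines are the part of this output most worth a second look, and rkdetector does not print why it flagged them: the output itself identifies filtnt.sys as the Outpost Firewall Kernel Driver and procguard.sys matches the ProcessGuard install listed above, the two EA* drivers are not identified by the tool, and the Outpost path is an 8.3 short-name path. Below is an added example (not rkdetector's code, and not a reconstruction of its heuristic) of how a practitioner would run the same check independently: take each service's raw ImagePath as the registry stores it, normalise the forms Windows accepts (SystemRoot-relative, \??\ prefix, %SystemRoot%, quoted and unquoted paths with arguments), and test whether the file exists. The service table and file list are constructed to resemble this machine; the C:\WINDOWS system root and the 'StaleApp' and 'UnquotedSvc' entries are assumptions.

```python
"""Normalise Windows service ImagePath values and check whether the referenced
file exists.  Added example, not rkdetector's own logic; the registry snapshot
and file list below are constructed so the check runs offline."""
import ntpath
import re

SYSTEM_ROOT = r"C:\WINDOWS"                       # assumption: default XP system root
_SHORT_NAME = re.compile(r"~\d+(?:\\|\.|$)")      # 8.3 components such as PROGRA~1


def _absolutize(path, system_root):
    """A bare 'system32\\drivers\\x.sys' is relative to the system root."""
    if re.match(r"^[A-Za-z]:\\", path) or path.startswith("\\"):
        return path
    return system_root + "\\" + path


def normalize_image_path(raw, exists, system_root=SYSTEM_ROOT):
    """Turn a raw ImagePath into one Win32 file path, dropping any arguments.

    `exists(path) -> bool` resolves the ambiguity of unquoted paths with spaces:
    the longest space-delimited prefix that names an existing file wins.
    """
    s = re.sub(r"%systemroot%", lambda _: system_root, raw.strip(), flags=re.I)
    if s.startswith("\\??\\"):                                # NT object path prefix
        s = s[4:]
    elif s.lower().startswith("\\systemroot\\"):
        s = system_root + "\\" + s[len("\\systemroot\\"):]
    if s.startswith('"'):                                     # quoted: arguments follow the quote
        close = s.find('"', 1)
        s = s[1:close] if close > 0 else s[1:]
    else:                                                     # unquoted: peel tokens off the right
        tokens = s.split(" ")
        for n in range(len(tokens), 0, -1):
            candidate = _absolutize(" ".join(tokens[:n]), system_root)
            if exists(candidate):
                s = candidate
                break
        else:
            s = tokens[0]
    return ntpath.normpath(_absolutize(s, system_root))


def check_service_paths(services, present_files, system_root=SYSTEM_ROOT):
    """services: {name: raw ImagePath}; present_files: paths standing in for the
    filesystem.  Returns {name: (status, resolved_path)}."""
    lookup = {ntpath.normpath(p).lower() for p in present_files}
    exists = lambda p: ntpath.normpath(p).lower() in lookup
    report = {}
    for name, raw in services.items():
        path = normalize_image_path(raw, exists, system_root)
        if exists(path):
            status = "ok"
        elif _SHORT_NAME.search(path):
            # PROGRA~1-style names cannot be expanded without the real volume;
            # report them separately rather than calling the file missing.
            status = "unresolved-shortname"
        else:
            status = "missing"                                # stale entry or genuinely bad path
        report[name] = (status, path)
    return report


# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath
# in the forms Windows actually stores.  StaleApp and UnquotedSvc are invented.
SERVICES = {
    "EACMOS":      r"system32\DRIVERS\eacmos.sys",
    "procguard":   r"\??\C:\WINDOWS\system32\drivers\procguard.sys",
    "VFILT":       r"\??\C:\PROGRA~1\Agnitum\OUTPOS~1\Kernel\2000\filtnt.sys",
    "Spooler":     r"%SystemRoot%\system32\spoolsv.exe",
    "Schedule":    r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "StaleApp":    r'"C:\Program Files\Stale App\stalesvc.exe" /service',
    "UnquotedSvc": r"C:\Program Files\Some Vendor\agent.exe -run",
}

# Constructed stand-in for the filesystem.
PRESENT_FILES = {
    r"C:\WINDOWS\system32\DRIVERS\eacmos.sys",
    r"C:\WINDOWS\system32\drivers\procguard.sys",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\Program Files\Some Vendor\agent.exe",
}

if __name__ == "__main__":
    for name, (status, path) in check_service_paths(SERVICES, PRESENT_FILES).items():
        print(f"{status:22} {name:12} {path}")
```

    A "missing" result is a common benign finding after an uninstall (a leftover service pointing at a deleted file), so a wrong path on its own is not evidence of a rootkit; it is the unresolved and unexpected entries that deserve a manual look.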
     
  7. Ruffian

    Ruffian Guest

    Looks clean. With Process Guard, NOD, The Cleaner, Outpost, ProcessGuard, SpyBlocker, Cookie Muncher, Mozilla, Tracks Cleaning Pro, CleanCache, MRU-Blaster, MailWasher, SpywareGuard, Spybot TeaTimer, MailWasher and some more besides that don't show on this log, add a dash of knowledge that even the least ignorant of major senior members have (all this talk about security should rub off eventually), I would think it would be shocking if there were something bad in there.

    Care to post an HJT log as well? Might as well tell the world more about your system.
     
  8. spy1

    You know, I'm really surprised that more people aren't showing an interest in this program.

    Anyone else out there using it? Comments? Similar programs? Better programs for checking for the presence of all currently-known root-kits on one's computer?

    Since hardly anything that's out there right now can help you if you've already been root-kitted (prior to installation of any given program that's supposed to keep you from being root-kitted), it just seems to me that there would be more enthusiasm for this one.

    Or, am I behind the curve yet again? Pete
     
  9. spy1

    Sure - why not? It certainly can't hurt.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:40:07 PM, on 5/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\ProcessGuard\dcsuserprot.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ups.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQInet.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\Program Files\The Cleaner\tca.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\SpyBlocker Software\spyblocker.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\BHODemon 2.0\BHODemon.exe
    C:\Program Files\CleanCache 2.0\CleanCache.exe
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\ProcessGuard\procguard.exe
    C:\Program Files\CookieMuncher\cookiem.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\ID-Blaster Plus\idblasterplus.exe
    C:\Program Files\Microsoft Security\Diet K\DietK.exe
    C:\Program Files\Microsoft Security\K-Lite\khancer.exe
    C:\Program Files\Microsoft Security\K-Lite\kazaa.exe
    C:\Program Files\Microsoft Security\K-Lite\KaZuperNodes\KaZuperNodes.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Defensive Tools\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wilderssecurity.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Protected by Javacool and SpyBlocker PREVENTIVE software.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:4001;gopher=127.0.0.1:4001;http=127.0.0.1:4001;https=127.0.0.1:4001;socks=127.0.0.1:4001
    O2 - BHO: (no name) - {08442457-929D-4522-AE24-9D3E4664A0C1} - C:\Program Files\IE URL Spoofing Patch\IEWorkaround3.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [outpost_uninst] C:\DOCUME~1\spy1\LOCALS~1\Temp\_uninstop.exe /u
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\RunOnce: [Index.dat Suite] C:\run.bat
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
    O4 - Startup: CleanCacheStartup.lnk = C:\Program Files\CleanCache 2.0\CleanCache.exe
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: Process Guard.lnk = C:\Program Files\ProcessGuard\procguard.exe
    O4 - Startup: Shortcut to cookiem.exe.lnk = C:\Program Files\CookieMuncher\cookiem.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Copy Path - c:\program files\accessories\CopyPath.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O15 - Trusted Zone: http://www.shellcreditcard.accountonline.com
    O15 - Trusted Zone: http://www.cnn.com
    O15 - Trusted Zone: http://www.comporium.com
    O15 - Trusted Zone: http://*.ct7support.com
    O15 - Trusted Zone: http://www.dll-files.com
    O15 - Trusted Zone: http://www.dslreports.com
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.3936226852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab

    Perhaps the BelArc profile would be of some help? :D Pete
     
  10. -_-

    -_- Guest

    @Spy

    DCS Gavin and I doubt that Rootkit Detector will find a customized HD rootkit. (But I have not made any experiments yet.)

    A quick and reliable way to find (almost) any rootkit is to search for "cloaked" registry entries. This can be done with the help of RegdatXP. I believe that a2 v2 will also be able to do this.

    There are other tools which can be used to detect the HD rootkit. Such tools include krnlps (KernelPS), TaskInfo 2003 and, possibly, Vice. I have not tried Vice yet since it requires the installation of the Microsoft .NET framework.

    Generally, it is not allowed in this forum to post links to Rootkit Detector, KernelPS or Vice since these tools are hosted on sites which also offer exploits and/or malware.
     
  11. spy1

    (Mods: Feel free to delete that link if need be).

    Took a look at RegdatXP - it looks way over my head (one of the problems with being stupid is that I'm - well - stupid! <g> ).

    But thank you for cluing me in on some of the others. Vice sounds interesting (I already have the .NET Framework installed since I needed it to try out CleanCache).

    Does that one require a degree in rocket science/brain surgery to use also?

    I guess the whole thrust of what I'm trying to accomplish here is to find a relatively simple-to-use (although highly efficient) program that will enable people to ensure that they're not already root-kitted before they spend the bucks to buy a program that's supposed to prevent being root-kitted, and thus have a false sense of security in that particular area. Pete
     
  12. -_-

    -_- Guest

    RegdatXP does not require difficult things to do. Detection works automatically.

    You just need to start the program, click on the "compare" tab, choose the option "selected keys" and then check the "hiddens" boxes. Thereafter, you click "run" and you are done.
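
    What -_- describes in posts 10 and 12 (RegdatXP comparing key listings and flagging "hiddens") and what rkdetector's hidden-process and hidden-service lines in post 6 do is the same technique: cross-view detection. A high-level view obtained through the API a rootkit can hook is compared with a low-level view obtained another way (a raw parse of the hive file, probing every PID, a driver walking kernel lists), and whatever appears in the low-level view but not the high-level one is reported. The following is an added example, not RegdatXP's or rkdetector's code, and every snapshot in it is constructed: the PIDs, service names and Run values are made up to resemble this machine, and 'ExampleHiddenDrv' and 'ExampleHiddenLoader' are stand-ins. It also shows the check a practitioner wants built in: a process that exits between the two enumerations looks hidden unless the API view is sampled twice, on either side of the probe.

```python
"""Cross-view detection on constructed snapshots: diff what the Win32 API
reported against what an unfiltered walk of the same objects found.
Added example, not RegdatXP's or rkdetector's code; every set below is made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Views:
    api: frozenset   # high-level view: the enumeration a rootkit can filter
    raw: frozenset   # low-level view: raw hive parse, PID probe, kernel list walk


def hidden_entries(v):
    """Objects the low-level walk found that the API never reported."""
    return sorted(v.raw - v.api)


def naive_hidden_processes(api_pids, probed_pids):
    """One API snapshot against the probe: mislabels processes that exited
    between the two enumerations as hidden."""
    return sorted(probed_pids - api_pids)


def hidden_processes(api_before, api_after, probed_pids):
    """Probe result minus BOTH API snapshots, taken just before and just after
    the probe.  A process alive during the probe appears in at least one of
    them unless it lived only inside that window."""
    return sorted(probed_pids - (api_before | api_after))


# Constructed PIDs: Toolhelp-style snapshots before and after an OpenProcess
# sweep over every PID.  2140 exits and 2388 starts during the sweep; 1852 is
# the entry the API never shows.
API_PIDS_BEFORE = frozenset({4, 368, 416, 440, 484, 496, 1084, 1320, 2140})
API_PIDS_AFTER  = frozenset({4, 368, 416, 440, 484, 496, 1084, 1320, 2388})
PROBED_PIDS     = frozenset({4, 368, 416, 440, 484, 496, 1084, 1320, 2140, 1852})

# Constructed service names: EnumServicesStatus output versus the subkeys of
# HKLM\SYSTEM\CurrentControlSet\Services read from the SYSTEM hive file.
API_SERVICES = frozenset({"EACMOS", "EAWDMFD", "procguard", "VFILT", "Spooler", "ALG"})
RAW_SERVICES = API_SERVICES | {"ExampleHiddenDrv"}

# Constructed Run values under HKLM\...\CurrentVersion\Run: RegEnumValue versus
# the raw hive (the RegdatXP-style 'hiddens' compare described in post 12).
API_RUN_VALUES = frozenset({"nod32kui", "SpyBlocker", "tcactive", "mmtask"})
RAW_RUN_VALUES = API_RUN_VALUES | {"ExampleHiddenLoader"}


def build_report():
    return {
        "hidden_processes_naive": naive_hidden_processes(API_PIDS_AFTER, PROBED_PIDS),
        "hidden_processes": hidden_processes(API_PIDS_BEFORE, API_PIDS_AFTER, PROBED_PIDS),
        "hidden_services": hidden_entries(Views(API_SERVICES, RAW_SERVICES)),
        "cloaked_run_values": hidden_entries(Views(API_RUN_VALUES, RAW_RUN_VALUES)),
    }


if __name__ == "__main__":
    for check, findings in build_report().items():
        print(f"{check:24} {findings}")
```

    A diff of zero is not proof of a clean machine: a rootkit that filters both views, or that alters the kernel's own lists so the low-level walk is lying too, produces no discrepancy, which is one reason a customized rootkit can slip past a tool built on this technique.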
     
  13. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
    Hi, :)
    I think this is another aspect of detecting rootkits.
    http://www.security-forums.com/forum/viewtopic.php?t=8298&sid=fb214bc36c6c46cc19c23f7772da0fd1

    Best Regards
     
  14. controler

    controler Guest

    Hi

    Are there any forums for Vice? I see a few false positives listed on the rootkit site, but in my case it is finding SHLWAPI.DLL as a usermode hook rootkit.

    Thanks

    controler
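
    controler's Vice result is a typical triage case: the scanner says something in SHLWAPI.DLL is hooked in user mode, and the question is whether that is a rootkit or one of the many legitimate products that hook APIs. The usual way to decide is to compare each export's first bytes in memory with the same bytes from the on-disk image (relocated to the loaded base first, or absolute addresses will differ everywhere), decode where any trampoline points, and map that target to the module that owns it; a target inside a product you installed is expected, a target in a module you cannot account for is the finding. The code below is an added example, not Vice's code; module addresses, export addresses and byte strings are all constructed (including 'examplehook.dll'), not a dump of SHLWAPI.DLL.

```python
"""Classify user-mode API hooks by comparing a function's first bytes in the
loaded module with the same bytes from the (relocated) on-disk image.
Added example, not Vice's code; all addresses and bytes below are constructed."""
import struct

# Constructed module map: where the scanned DLL and a hypothetical hooking DLL
# are assumed to be mapped.  On a real system this comes from EnumProcessModules.
MODULES = {
    "shlwapi.dll":     (0x77F60000, 0x77FD0000),
    "examplehook.dll": (0x10000000, 0x10010000),
}
SCANNED = "shlwapi.dll"

# Usual x86 prologue on XP-era system DLLs: mov edi,edi / push ebp / mov ebp,esp.
PROLOGUE = b"\x8B\xFF\x55\x8B\xEC"


def _jmp_rel32(func_va, target):
    """Encode 'JMP rel32' placed at func_va and landing on target."""
    return b"\xE9" + struct.pack("<i", target - (func_va + 5))


def _push_ret(target):
    """Encode 'PUSH imm32 ; RET', another common trampoline."""
    return b"\x68" + struct.pack("<I", target) + b"\xC3"


# Constructed exports: name -> (virtual address, bytes on disk, bytes in memory).
EXPORTS = {
    "StrCmpNIW":    (0x77F61000, PROLOGUE + b"\x56\x57\x53", PROLOGUE + b"\x56\x57\x53"),
    "PathCombineW": (0x77F61A20, PROLOGUE + b"\x83\xEC\x10",
                     _jmp_rel32(0x77F61A20, 0x10001000) + b"\x83\xEC\x10"),
    "StrStrIW":     (0x77F70300, PROLOGUE + b"\x56\x57\x53",
                     b"\xEB\xF9" + PROLOGUE[2:] + b"\x56\x57\x53"),   # hot-patch short jump
    "SHDeleteKeyW": (0x77F80440, PROLOGUE + b"\x83\xEC\x0C",
                     _push_ret(0x10002000) + b"\xEC\x0C"),
    "UrlUnescapeW": (0x77F90A10, PROLOGUE + b"\x83\xEC\x08",
                     b"\xCC" + PROLOGUE[1:] + b"\x83\xEC\x08"),       # int3 written over the entry
}


def decode_hook(func_va, disk, mem, module_range):
    """Return (verdict, target) for one export.  Both byte strings must come
    from images at the same base; an unrelocated disk copy looks patched everywhere."""
    if mem == disk:
        return ("clean", None)
    op = mem[0]
    if op == 0xE9 and len(mem) >= 5:                        # JMP rel32
        target = (func_va + 5 + struct.unpack_from("<i", mem, 1)[0]) & 0xFFFFFFFF
    elif op == 0xEB and len(mem) >= 2:                      # JMP rel8 (hot-patch stub)
        target = (func_va + 2 + struct.unpack_from("<b", mem, 1)[0]) & 0xFFFFFFFF
    elif op == 0x68 and len(mem) >= 6 and mem[5] == 0xC3:   # PUSH imm32 ; RET
        target = struct.unpack_from("<I", mem, 1)[0]
    elif mem[:2] == b"\xFF\x25" and len(mem) >= 6:          # JMP [imm32]: a pointer, not code
        return ("indirect-jump", struct.unpack_from("<I", mem, 2)[0])
    else:
        return ("patched-unknown", None)
    lo, hi = module_range
    # A jump that stays inside the module's own image is how Microsoft's
    # hot-patching works; a jump out of it is a detour into another module.
    return ("intra-module-jump" if lo <= target < hi else "detour", target)


def owner_of(addr, modules):
    """Name of the loaded image whose range contains addr, or None."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def scan_exports(exports, modules, scanned=SCANNED):
    """{export: (verdict, target, owning module)} for every export of `scanned`."""
    out = {}
    for name, (va, disk, mem) in exports.items():
        verdict, target = decode_hook(va, disk, mem, modules[scanned])
        out[name] = (verdict, target, owner_of(target, modules) if target is not None else None)
    return out


if __name__ == "__main__":
    for name, (verdict, target, owner) in scan_exports(EXPORTS, MODULES).items():
        where = f"-> {target:#010x} in {owner}" if target is not None else ""
        print(f"{verdict:18} {name:14} {where}")
```

    The "detour" verdicts are what a scanner like Vice reports as hooks; the owner column is what turns the report into a decision. If the owning module belongs to a product installed on the machine, the hook is a false positive in the rootkit sense, and that is what controler needs to establish for the SHLWAPI.DLL result rather than taking the verdict at face value.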
     