
November 3, 2005

Rootkit Revealer

I didn't know about rootkits before the recent storm of controversy surrounding Sony's admission that they're using a rootkit to hide their DRM code. So, I downloaded the Rootkit Revealer (scroll to the bottom to download the software) and ran it on my computers. My laptop was clean, but it found several problems on my desktop.

Note 1: In order to minimize false positives, run RootkitRevealer on an idle system. If you have questions or problems, please visit the Sysinternals RootkitRevealer Forum. More tips on limiting the number of "false positives" (FPs) encountered when running RootkitRevealer are here.

Note 2: The rootkit revealer cannot be run remotely from a Remote Desktop (RDP) session. It must be run locally. If you attempt to run Rootkit Revealer through an RDP tunnel, you get the error message "RootkitRevealer must be run from the console."


So, I ran it locally and it found some things.

In the registry, I got the message "Key name contains embedded nulls (*)" for three different keys:




I just decided to try to delete the registry keys that it found with embedded nulls, but I kept getting the message:

"Cannot Delete : Error while deleting key".

So, I'm going to try to delete my keys using the suggestions on this web site.

So, first, I will download and install Registrar Lite.

Now, I'm following the directions to delete the registry keys as follows:

Launch reglite & navigate to the key
Right click on the key & select Properties - 'Take Ownership'
Then click permissions & give full control to everyone
Then click on Advanced
Under the permissions tab, select 'Everyone' & then click Edit
Select - Apply onto - this key & subkeys
Make sure that Delete is set to allowed.
Click OK & then delete the onerous keys

Hmmm. Doesn't work for me. It appears to allow me to take ownership of the subkey, but still won't let me delete it.

I found these directions, but they didn't work for me either.

If you still have the problem, right click Security/Permissions. Click Add - Advanced - Find Now - Everyone, then OK, and give full control. Then click Advanced, go to the Owner tab, click "admin or user in white box", click the "Replace owner on..." box, and click OK. You will get an error message "access denied"; click OK. At the permissions box, click Apply and OK. It should work.

So, I'm going to have to try something different. I'm going to download and install two programs:
Registry Mechanic - The "World's number 1 registry cleaner".
ERUNT - A useful freeware utility for users of Windows 2000/XP. Erunt is made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

So, I installed ERUNT and Registry Mechanic. I ran ERUNT and it created a backup of my registry. Then, I ran Registry Mechanic, and it found about 1,100 problems, and I clicked Fix, and it fixed about half of them. The other half, it wanted me to register for an annual license of $30. So, I re-ran the RootkitRevealer, but it still found these 3 registry problems. So, I'm going to try running NTREGOPT, the other half of ERUNT, to see if this helps my registry any.

I ran the NTREGOPT, and it said that it had done great things, and all was right with the world, but when I ran the RootkitRevealer, I saw that I was still plagued by these 3 frustrating keys.

Some people recommend trying to delete the registry keys in Safe Mode, so I rebooted and hit F8 to reboot in Safe Mode, but now my Safe Mode reboot hangs on the agp440.sys file. So, this web site has some suggestions for solving this problem. I'm going to try to run "chkdsk /r" on my c: drive.

I got it to run a "chkdsk /r" after I rebooted, but it didn't find or fix any problems. So, then, I tried to delete the registry keys again, still no dice. I decided to try installing Microsoft's Malicious Software Removal Tool. This didn't find or fix anything.

I then tried following some tips on this site, and exported one of the registry entries, used Notepad to put a hyphen in front of the key field, and imported it back into the registry.

Windows Registry Editor Version 5.00




In theory, this should work. In practice, it did nothing.

Some guy compared a bunch of registry cleaners in this article. So, I'll try running EasyCleaner, based on his suggestion. Easy Cleaner fixed about 300 "invalid entries", but it didn't fix my 3 keys. So, next I installed and ran RegSupreme Pro version 1.2. When I ran the registry scan, it gave me two options, normal and aggressive. I went with Normal, and it found over 1,000 problems. I removed all of them, and it created an automatic backup for me, which I named regsupreme_1. I re-ran it in the aggressive mode, and it found 15 more, but I didn't delete these. Unfortunately, my 3 keys are still there.

I did a backup and restore of the registry using ERUNT, but the 3 keys are still there. I looked at trying to delete the keys from the flat files before performing the restore, but the files do not appear to be files that one would want to edit with notepad.

Aside from my three registry key issues, I have discrepancies similar to the following:
C:\System Volume Information\catalog.wci\00010002.ci 11/4/2005 12:16 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010002.dir 11/4/2005 12:16 PM 405 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010004.ci 11/4/2005 12:43 PM 32.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010004.dir 11/4/2005 12:43 PM 489 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.000 11/4/2005 12:43 PM 240 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.001 11/4/2005 12:43 PM 64.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.002 11/4/2005 12:43 PM 64.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.000 11/4/2005 12:16 PM 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.001 11/4/2005 12:16 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.002 11/4/2005 12:16 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\security\tmp.edb 11/4/2005 12:49 PM 1.01 MB Hidden from Windows API.

So, this web site has convinced me that these discrepancies are not related to an evil rootkit, but are related to System Restore doing its work in the background. Possibly turning off System Restore and re-running would eliminate these issues.
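As an added example (not part of the original post), here is a small Python triage script that parses RootkitRevealer result lines like the ones listed above and sorts them by how much attention they deserve: entries under System Volume Information are tagged as likely System Restore or indexer churn, "not in MFT" entries as transient noise from a busy system, and embedded-null key names as the one case that needs a native-API tool. The sample report is constructed, and the exact format of the registry line is an assumption.

```python
import re
from typing import Optional

# Constructed sample of RootkitRevealer output, modelled on the lines quoted in the post
# (the registry line is an approximation; the post does not show its exact format).
SAMPLE_OUTPUT = """\
HKLM\\SOFTWARE\\ExampleVendor\\Hidden 11/4/2005 12:10 PM 0 bytes Key name contains embedded nulls (*)
C:\\System Volume Information\\catalog.wci\\00010002.ci 11/4/2005 12:16 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\\System Volume Information\\catalog.wci\\00010004.ci 11/4/2005 12:43 PM 32.00 KB Hidden from Windows API.
C:\\WINDOWS\\security\\tmp.edb 11/4/2005 12:49 PM 1.01 MB Hidden from Windows API.
C:\\WINDOWS\\system32\\drivers\\example.sys 11/4/2005 12:50 PM 24.00 KB Hidden from Windows API.
"""

# path, then "M/D/YYYY H:MM AM|PM", then "<number> <unit>", then the discrepancy text
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) (?P<desc>.+)$"
)
BENIGN_PREFIX = "C:\\System Volume Information\\"  # System Restore / indexer working area

def parse_line(line: str) -> Optional[dict]:
    """Split one RootkitRevealer result line into path, date, size and description."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry: dict) -> str:
    """Rank one discrepancy from a defender's point of view."""
    desc, path = entry["desc"], entry["path"]
    if "embedded nulls" in desc:
        # Win32 registry APIs stop at the NUL, so regedit and .reg imports address a
        # different (non-existent) name; only a tool using the native API can remove it.
        return "registry-null: investigate, delete with a native-API tool"
    if path.startswith(BENIGN_PREFIX):
        return "likely-benign: System Restore / indexer activity during the scan"
    if desc.startswith("Hidden from Windows API"):
        return "review: hidden from the API; confirm it is not a transient system file"
    if "not in MFT" in desc:
        return "transient: re-run on an idle system before drawing conclusions"
    return "unknown: review manually"

def triage(output: str) -> list:
    """Parse a whole report into (path, verdict) pairs, skipping unparsable lines."""
    results = []
    for line in output.splitlines():
        entry = parse_line(line)
        if entry:
            results.append((entry["path"], classify(entry)))
    return results

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_OUTPUT):
        print(f"{verdict:72} {path}")
```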

Also, there seems to be a bug in RootkitRevealer, because every time I try to save the search results (File - Save), the application explodes and they ask me if I want to notify Microsoft, and I always do, but then I feel guilty 'cause I don't wanna get anyone in trouble or nothin.

Posted by Peenie Wallie on November 3, 2005 at 9:19 PM