Re: Download freeware RKR scanning software (detect Sony rootkit & others)

pamelafiischer_at_yahoo.com
Date: 11/20/05


Date: 20 Nov 2005 10:58:38 -0800

Andy Walker warned:
> Rootkit Revealer implemented a defense mechanism against being
> disabled by spawning a randomly named copy of itself and running it as
> a service. This makes it very difficult for any other process to
> identify and disable Rootkit Revealer, but it also creates a tell-tale
> sign on any system that runs Rootkit Revealer -- the randomly named
> program gets deleted, but the registry key for the service is left
> over pointing to a now deleted file. CrapCleaner will find and delete
> the "null" service, or you can manually edit the registry and delete
> the key.

Hi Andy Walker,

Is this the left-over registry key you warned about?
- Missing MUI Reference C:\proggies\util\RKD\sc.exe
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

1. Heeding your warning, I downloaded & installed "CrapCleaner
v1.25.201" from:
http://www.ccleaner.com (last updated on 9th November 2005).

2. I looked for the left-over key you warned about after pressing
"Analyze" in the "Cleaner" section to analyze "Windows" &
"Applications" but did not see mention of RKDetect registry keys (I
pressed "Run Cleaner" anyway so as to clean out the crap files on my
system).

3. Running the "Scan for Issues" section did find a hint of RKDetect
leftovers such as:
- Missing MUI Reference C:\proggies\util\RKD\sc.exe
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

KEY QUESTION:
Q: Is this the left-over registry key you warned us about?

Also, a frustratingly nagging question:
Q: How do I find out what program these darn 8-4-4-4-8 hex numbers
belong to?
- Uninstaller Reference Issue {B6F867E8-F092-4C5E-ACA0-F30547DC3874}
HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{B6F867E8-F092-4C5E-ACA0-F30547DC3874}
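
The left-over entry described in the quoted warning is a service key whose program file no longer exists. As an added example (not part of the original post or of any tool named in it), this read-only PowerShell sketch lists such services. It assumes the standard service key location `HKLM\SYSTEM\CurrentControlSet\Services`, and the function names `Get-ImagePathExecutable` and `Find-OrphanedService` are hypothetical.

```powershell
# Added example: report services whose ImagePath points to a missing file.
# Read-only: it lists candidates for review and changes nothing.

function Get-ImagePathExecutable {
    param([string]$ImagePath)
    # Expand %SystemRoot% etc. and normalise the NT-style prefixes services use.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    # Quoted path: take what is inside the quotes.
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: cut after the first .exe/.sys/.dll to drop arguments.
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { return $Matches[1] }
    return $p
}

function Find-OrphanedService {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $imagePath = $props.ImagePath
        # Keys without a registered binary are skipped.
        if ([string]::IsNullOrWhiteSpace($imagePath)) { continue }
        $exe = Get-ImagePathExecutable $imagePath
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            [pscustomobject]@{
                Service   = $key.PSChildName   # name of the service key
                ImagePath = $imagePath         # value as stored in the registry
                Resolved  = $exe               # path that was checked on disk
            }
        }
    }
}

# Services hosted in svchost.exe keep their DLL under Parameters\ServiceDll,
# which this sketch does not check.
Find-OrphanedService | Format-Table -AutoSize -Wrap
```

Run it from a 64-bit PowerShell session on 64-bit Windows, since file system redirection in a 32-bit session can make existing `system32` files appear missing. Treat the output as candidates to review before deleting any key.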


