Re: Download freeware RKR scanning software (detect Sony rootkit & others)
Date: 11/20/05

Date: 20 Nov 2005 11:01:22 -0800

karl levinson, mvp wrote:
> For a second opinion, try RKDetect

Hi Karl,

You provided useful information for all of us which I'm sure many
others like me will follow. So I don't feel so bad about asking a bit
deeper, since the answer will help all the other mothers out there to
follow verbatim in our footsteps.

1. Logged in as "administrator", I downloaded the RKDetect
second-opinion utility from:

2. As "administrator", I unzipped RKDetect into c:\proggies\util\RKD to
see the 4 files:
- readme.txt 09/08/2004 10:43 AM 1,636 bytes
- rkdetect.vbs 09/08/2004 10:37 AM 2,336 bytes
- sc.exe 03/25/2003 04:00 PM 47,104 bytes
- wmisc.vbs 09/08/2004 09:24 AM 474 bytes

3. I read the readme to learn:
- RKDetect finds hidden services that are usually used to start
- RKDetect enumerates the services on a remote computer.
- The result is then compared and any difference is displayed.
- RKDetect uses "sc.exe" found in %WINDIR%\system32\sc.exe or locally

4. Only one example command is in the readme:
C:\hack\rkd>cscript rkdetect.vbs

5. A quick Reverse DNS on that suggested IP
address reports: PTR record: [TTL 86400s] [A=]

6. As Administrator, I run the example by pointing to the suggested
Start -> Run -> cmd
C:\> cd c:\proggies\util\RKD
RKD:\> cscript rkdetect.vbs

Up pops a Sygate Personal Firewall warning:
Microsoft (r) Console Based Script Host (cscript.exe) is trying to send
a packet.
Do you want to allow this program to access the network?

When I say "yes" to the firewall request, RKDetect proceeds to report:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Query services by WMI...
Detected 0 services
Query services by SC...
Detected 0 services
Finding hidden services...
Windows rootkits detector
(c)oded by 2003
(c) Sergey V. Gordeychik 2003

An error occurred. Check machine availability and your access level
(must be an

cscript rkdetect.vbs <machine_name/ip>

7. I am tantalizingly close to obtaining useful information but I

8. Do you know what I should do next to obtain an RKDetect report to
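The cross-view check that the readme describes (enumerate services via WMI, enumerate them again via sc.exe, report any difference) can be reproduced in a few lines of PowerShell. The script below is an added example for this thread; it is not part of the original post and is not RKDetect's own code. The -ComputerName parameter, the "." default for the local host, and the output format are assumptions of this example.

```powershell
# Added example (not rkdetect.vbs): cross-view service enumeration.
# View 1 comes from WMI/CIM (Win32_Service), view 2 from sc.exe; a service
# that appears in one view but not the other is what a rootkit-hidden
# service looks like from user mode.
param(
    # Assumed parameter: "." means the local machine, anything else is a
    # remote host name or IP reached over RPC/SCM, as with rkdetect.vbs.
    [string]$ComputerName = "."
)

# View 1: services as reported by WMI/CIM.
$wmiNames = @(Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
    Select-Object -ExpandProperty Name)

# View 2: services as reported by sc.exe. Note the explicit ".exe": in
# PowerShell "sc" alone is an alias for Set-Content. sc.exe takes an
# optional "\\server" target before the verb.
$scArgs = @()
if ($ComputerName -ne ".") { $scArgs += "\\$ComputerName" }
$scArgs += @("query", "type=", "all", "state=", "all")
$scNames = @(& sc.exe @scArgs | ForEach-Object {
    if ($_ -match '^\s*SERVICE_NAME:\s*(\S.*?)\s*$') { $Matches[1] }
})

Write-Host ("Query services by WMI... Detected {0} services" -f $wmiNames.Count)
Write-Host ("Query services by SC...  Detected {0} services" -f $scNames.Count)

# Zero results on both sides means the target was not reachable or the
# caller lacks rights, not that the machine is clean.
if ($wmiNames.Count -eq 0 -and $scNames.Count -eq 0) {
    Write-Warning "Both views returned nothing; check machine availability and your access level."
    return
}

# Anything on one side only is worth investigating by hand.
$diff = Compare-Object -ReferenceObject $wmiNames -DifferenceObject $scNames
if (-not $diff) {
    Write-Host "No differences between the two views."
} else {
    foreach ($d in $diff) {
        $where = if ($d.SideIndicator -eq "<=") { "WMI only" } else { "sc.exe only" }
        Write-Host ("{0,-40} {1}" -f $d.InputObject, $where)
    }
}
```

Run it from an elevated prompt as `.\svc-crossview.ps1` for the local machine or `.\svc-crossview.ps1 -ComputerName <name or IP>` for a remote one; the remote form needs the same administrative access and RPC reachability that rkdetect.vbs asks for in its error message. A non-empty difference is a lead, not a verdict: compare the listed service name against the registry under HKLM\SYSTEM\CurrentControlSet\Services and against an offline scan before drawing conclusions.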