Re: Download freeware RKR scanning software (detect Sony rootkit & others)
Date: 20 Nov 2005 11:01:22 -0800
karl levinson, mvp wrote:
> For a second opinion, try RKDetect http://www.security.nnov.ru/soft/rkdetect
You provided useful information for all of us which I'm sure many
others like me will follow. So I don't feel so badly about asking a bit
deeper since the answer will help all the other mothers out there to
follow verbatim in our footsteps.
1. Logged in as "administrator", I downloaded the RK Detect
second-opinion utility from:
2. As "administrator", I unzipped RKDetect into c:\proggies\util\RKD to
see the 4 files:
- readme.txt 09/08/2004 10:43 AM 1,636 bytes
- rkdetect.vbs 09/08/2004 10:37 AM 2,336 bytes
- sc.exe 03/25/2003 04:00 PM 47,104 bytes
- wmisc.vbs 09/08/2004 09:24 AM 474 bytes
3. I read the readme to learn:
- RKDetect finds hidden services that are usually used to start
- RKDetect enumerates the services on a remote computer.
- The result is then compared and any difference is displayed.
- RKDetect uses "sc.exe" found in %WINDIR%\system32\sc.exe or locally
4. Only one example command is in the readme:
C:\hack\rkd>cscript rkdetect.vbs 184.108.40.206
5. A quick http://www.dnsstuff.com Reverse DNS on that suggested IP
220.127.116.11 PTR record: disp183.iie.org.mx. [TTL 86400s] [A=18.104.22.168]
6. As Administrator, I run the example by pointing to the suggested
Start -> Run -> cmd
C:\> cd c:\proggies\util\RKD
RKD:\> cscript rkdetect.vbs 22.214.171.124
Up pops a Sygate Personal Firewall warning:
Microsoft (r) Console Based Script Host (cscript.exe) is trying to send
Do you want to allow this program to access the network?
When I say "yes" to the firewall request, RKDetect proceeds to report:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Query services by WMI...
Detected 0 services
Query services by SC...
Detected 0 services
Finding hidden services...
Windows rootkits detector
(c)oded by email@example.com 2003
(c) Sergey V. Gordeychik firstname.lastname@example.org 2003
An error occurred. Check machine availability and your access level
(must be an
cscript rkdetect.vbs <machine_name/ip>
7. I am tantalizingly close to obtaining useful information but I
8. Do you know what I should do next to obtain an RKDetect report to
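The readme quoted in item 3 describes RKDetect's method: enumerate the services once through WMI and once through sc.exe, then report any name that appears in one view but not the other, since a rootkit typically hides itself from one enumeration path but not both. The following is an added example of that cross-view comparison, written for this thread and not RKDetect's own code. It runs offline on constructed sample output modelled on `sc query` and on `wmic service get Name,State /format:csv`; the service name `SampleHiddenSvc`, the host name `HOSTNAME`, and the function names are all illustrative. It also handles the failure mode shown in item 6: when either enumeration returns zero services, comparing the two lists says nothing, so the example refuses to report "clean" in that case.

```python
import csv
import io
import re

# Constructed sample of `sc query type= all state= all` output (not real machine data).
SC_SAMPLE = """
SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING

SERVICE_NAME: SampleHiddenSvc
DISPLAY_NAME: Sample Hidden Service (constructed)
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

# Constructed sample modelled on `wmic service get Name,State /format:csv`
# (a leading blank line, then a header row). The WMI view is missing one
# service, which is what a hooked enumeration path would look like.
WMI_SAMPLE = """
Node,Name,State
HOSTNAME,Dnscache,Running
HOSTNAME,Spooler,Running
"""

# One SERVICE_NAME line per service in `sc query` output.
SC_NAME_RE = re.compile(r"^SERVICE_NAME:\s*(\S.*?)\s*$", re.MULTILINE)


def parse_sc_query(text):
    """Return the set of service names listed by the SC view."""
    return {m.group(1) for m in SC_NAME_RE.finditer(text)}


def parse_wmic_csv(text):
    """Return the set of service names listed by the WMI view (CSV with a Name column)."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {row["Name"] for row in reader if row.get("Name")}


def compare_views(sc_names, wmi_names):
    """Cross-view comparison: names present in one enumeration but not the other.

    An empty view means that enumeration failed (the "Detected 0 services" case),
    and an empty-vs-empty comparison would falsely look clean, so refuse it.
    """
    if not sc_names or not wmi_names:
        raise ValueError("an enumeration returned no services; cannot conclude 'no hidden services'")
    return {
        "only_in_sc": sorted(sc_names - wmi_names),   # hidden from WMI
        "only_in_wmi": sorted(wmi_names - sc_names),  # hidden from SC
    }


if __name__ == "__main__":
    result = compare_views(parse_sc_query(SC_SAMPLE), parse_wmic_csv(WMI_SAMPLE))
    for view, names in result.items():
        print(view, names or "(none)")
```

In real use the two sample strings would be replaced by the captured output of the two commands run against the same machine at the same time; a name that shows up only in the SC view (here `SampleHiddenSvc`) is the kind of discrepancy RKDetect's readme says it displays, and is worth a manual look at the service's binary path and registry key.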