Re: Download freeware RKR scanning software (detect Sony rootkit & others)
pamelafiischer_at_yahoo.com
Date: 11/22/05
- Previous message: w_tom: "Re: brown-out"
- In reply to: karl levinson, mvp: "Re: Download freeware RKR scanning software (detect Sony rootkit & others)"
- Next in thread: karl levinson, mvp: "Re: Download freeware RKR scanning software (detect Sony rootkit & others)"
- Reply: karl levinson, mvp: "Re: Download freeware RKR scanning software (detect Sony rootkit & others)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 21 Nov 2005 23:24:20 -0800
karl levinson, mvp wrote:
> Where did you get that IP address? Is it really the one on your PC? How
> did you find that IP address? Can you do Start, Run, type CMD and
> click OK, then type IPCONFIG to doublecheck that that is your IP
> address?
Thank you yet again, Karl, for your expert advice.
Not fully understanding what I was doing, I simply had run the exact
command and IP address given in the RKDetect README:
C:\> cscript rkdetect.vbs 200.4.4.4
An ipconfig /all on my machine reports the standard IP address:
IP Address. . . . . . . . . . . . : 192.168.0.101
Was I supposed to use my IP address in the script command?
Easy enough to do, I ran:
C:\> cscript rkdetect.vbs 192.168.0.101
Which reported:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Query services by WMI...
Detected 96 services
Query services by SC...
Detected 96 services
Finding hidden services...
Possible rootkit found: FGLRYUtil - FGLRYUtil
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FGLRYUtil
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME :
C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FGLRYUTIL
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Done
Hmmmnm Did we find a hidden rootkit?
Running "GetServices" from
http://www.bleepingcomputer.com/files/getservice.php combined with the
SysInternals psservice.exe reveals:
C:\> psservice config > getservice.txt
C:\> type getservice.txt
PsService v1.1 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com
... blah blah blah ...
SERVICE_NAME: FGLRYUtil
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME :
C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FGLRYUTIL
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
... blah blah blah ...
SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME :
C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation Driver Extensions
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
... blah blah blah ...
I'm not sure what to make of this but I did run the suggested command:
C:\> sc \\%computername% query state= all
Which reported:
... blah blah blah ...
SERVICE_NAME: Wmi
DISPLAY_NAME: Windows Management Instrumentation Driver Extensions
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
... blah blah blah ...
> RKDetect relies on the WMI service being able to run. Is there any chance
> you disabled it? As you probably already know, you can right-click on My
> Computer and left-click on Manage, Services to check.
I'm confused about this as the "Computer Management" console reports:
Windows Management Instrumentation Started Automatic Local System
Windows Management Instrumentation Driver Extensions <blank> Manual
Local System
Which WMI above is the one in question?
Does it look like it's operating properly to you?
So many questions, so much to learn,
Pamela Fischer
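The check RKDetect performs in the transcript above (enumerate services through WMI, enumerate them again through the SC API, then compare the two lists) is a cross-view diff: a service that shows up on one enumeration path but not the other is the "hidden service" it reports. The example below is an added illustration of that technique and is not RKDetect's code or part of the original post. It parses two constructed listings: one in the `sc query state= all` text format quoted in the thread, and one as a Name,State CSV export of Win32_Service such as WMI/CIM tooling can produce. Service names are compared case-insensitively, because the service control manager treats them that way (note the FGLRYUtil / FGLRYUTIL spelling difference in the post). The service names ConstructedSvcA and ConstructedSvcB are made up for the sample.

```python
"""Cross-view service enumeration diff (WMI view vs. SC view).

Added example, not RKDetect's own code.  Both inputs below are constructed
samples, not captures from the machine discussed in the thread.
"""
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed sample in the `sc query state= all` format quoted in the post.
SC_QUERY_SAMPLE = """
SERVICE_NAME: Wmi
DISPLAY_NAME: Windows Management Instrumentation Driver Extensions
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: FGLRYUtil
DISPLAY_NAME: FGLRYUTIL
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING

SERVICE_NAME: ConstructedSvcA
DISPLAY_NAME: Constructed service only the SC view reports
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

# Constructed sample of a Name,State export of Win32_Service (the WMI view).
# Note the lower-case spelling of fglryutil: it must still match the SC entry.
WMI_CSV_SAMPLE = """Name,State
Wmi,Stopped
fglryutil,Running
ConstructedSvcB,Running
"""

# Matches e.g. "STATE : 4 RUNNING" and captures the state word.
_STATE_RE = re.compile(r"^STATE\s*:\s*\d+\s+([A-Z_]+)")


def parse_sc_query(text: str) -> Dict[str, str]:
    """Return {service name (lower-cased): STATE} from `sc query` output."""
    services: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip().lower()
            services[current] = "UNKNOWN"
        elif current is not None:
            match = _STATE_RE.match(line)
            if match:
                services[current] = match.group(1)
    return services


def parse_wmi_csv(text: str) -> Dict[str, str]:
    """Return {service name (lower-cased): STATE} from a Name,State CSV."""
    services: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(text)):
        # Win32_Service.State is mixed case ("Running"); normalise to match sc.
        services[row["Name"].strip().lower()] = row["State"].strip().upper()
    return services


def cross_view_diff(sc: Dict[str, str], wmi: Dict[str, str]) -> Dict[str, List[str]]:
    """Report services visible on only one path, plus state disagreements."""
    sc_names, wmi_names = set(sc), set(wmi)
    return {
        # Seen by WMI but missing from the SC enumeration.
        "hidden_from_sc": sorted(wmi_names - sc_names),
        # Seen by SC but missing from the WMI enumeration.
        "hidden_from_wmi": sorted(sc_names - wmi_names),
        # Present in both views but with different reported states.
        "state_mismatch": sorted(
            name for name in sc_names & wmi_names if sc[name] != wmi[name]
        ),
    }


if __name__ == "__main__":
    result = cross_view_diff(parse_sc_query(SC_QUERY_SAMPLE),
                             parse_wmi_csv(WMI_CSV_SAMPLE))
    for category, names in result.items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

Run against real systems by piping `sc query state= all` and a Win32_Service Name,State export into the two parsers instead of the samples. A name that lands in either hidden list deserves a look, but a discrepancy is a lead, not a verdict: a service being installed or removed between the two enumerations, or a tool comparing names case-sensitively, produces the same finding. On the question raised in the post, the `Wmi` entry with exit code 1077 is the demand-start "Windows Management Instrumentation Driver Extensions" service, and 1077 is ERROR_SERVICE_NEVER_STARTED (no start attempted since boot), which is normal for it; the service RKDetect's WMI queries depend on is the separate "Windows Management Instrumentation" service, which the Computer Management listing shows as Started.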