Recent Posts

6751
General Software Discussion / Re: Detecting RootKits
« Last post by Curt on July 10, 2007, 07:26 AM »
Thanks for sharing, Nod5  :up:

(.. hmm, that didn't come out all right; somehow it sounded familiar wrong
- anyone who has been at an AAA meeting will understand what I mean..)

speaking of it: in my setup it was Alcohol 52%... 
 
- not Daemon Tools.

 :D
6752
Found Deals and Discounts / Re: RETURNIL - Giveawayoftheday
« Last post by Curt on July 09, 2007, 03:36 AM »
Maybe so, f0dder, but I lost interest in Returnil when I found out that you cannot save anything to real disk, when Returnil is ON, but will have to bookmark*, reboot, and come back for a new download and install/save - with Returnil OFF. This is goodbye Returnil to me. The other apps in this category will AFAIK all offer ON/OFF without rebooting.

[Edit: * = you cannot even keep a bookmark!]
6753
General Software Discussion / Re: Detecting RootKits
« Last post by Curt on July 09, 2007, 03:05 AM »
Talking about PREVENTION of rootkits one should of course mention today's GAOTD:

For those who have been looking at Returnil, it is today's giveaway, at http://www.giveawayoftheday.com/ for the next 23 and a bit hours
- even though it is strange that Returnil is free today when it was FREE only a week ago!

Hello everyone,
Thank you for your interest in Returnil. I am the official US rep for the company and look forward to helping answer your questions about the software.

For those concerned over cost of licensing, please be aware that Returnil is now FREE for personal home use on a single computer.

Home page: http://www.returnilv...system.com/index.htm
Personal Edition (FREE): http://www.returnilv...iles/rvspersonal.htm
___
With Kind Regards
Mike

But prevent rootkits it will.
6754
Found Deals and Discounts / Re: RETURNIL - Giveawayoftheday
« Last post by Curt on July 09, 2007, 02:49 AM »
A little strange that it is free today when it was FREE only a week ago!

Hello everyone,
Thank you for your interest in Returnil. I am the official US rep for the company and look forward to helping answer your questions about the software.

For those concerned over cost of licensing, please be aware that Returnil is now FREE for personal home use on a single computer.

Home page: http://www.returnilv...system.com/index.htm
Personal Edition (FREE): http://www.returnilv...iles/rvspersonal.htm
___
With Kind Regards
Mike
6755
General Software Discussion / Re: Detecting RootKits
« Last post by Curt on July 08, 2007, 04:59 PM »
http://www.antirootk...m/software/index.htm : wow! Thanks, laughinglizard !  :up:

Rootkit Detection & Removal Software

Antirootkit.png


Antiremoval.png


But more important:

Rootkit Prevention Software:

AntiHook, AppDefend, Cyberhawk, DefenseWall HIPS, Dynamic Security Agent, Exe LockDown,
GeSWall Personal Edition, Neoava Guard, ProcessGuard, SocketShield, ThreatMon
Antirootkit2.png

SocketShield is now $30 for 1 year LinkScanner Pro!; or 1 year FREE: http://www.trialpay....b594&tid=6rGU5--
6756
Found Deals and Discounts / Re: Serial Dealers - a new discount software site
« Last post by Curt on July 08, 2007, 01:10 PM »
I might spend €5 now, because they have two apps I would like to have, but for now the supply is way too limited to think about any €25 membership - though such members are being promised the choice between thousands of programs:

There is a limited amount of licenses initially available to basic members, while gold members have access to 1000s of licenses and should not have problems making their purchase.


- "thousands", they say, but they only name ten (10) programs! So where are the remaining? I have searched their site, and they don't have more than these ten programs, I dare to say. I understand that they are brand new on the market (Launch Day 2007-06-23) and cannot yet have a large catalogue - but only ten? I say the gold will have to wait...


Clever detail that you have to buy 5 credit points but can only spend 2x2 = 4 ...  :-\

[Edit: You will have to look deep into the rules to figure out why you can buy the basic membership for €5 and get 5 credit points, but will have to pay €25 to get merely 15 credit points if you want the gold...]
6757
Living Room / Re: When you make your 100'th Post
« Last post by Curt on July 07, 2007, 07:35 AM »
Now, would you know:
I made my post number 777 on the very date 7 - 7 - 7

 :o
 
Isn't that something!


Sadly I didn't notice until later:

[ Invalid Attachment ]
6758
General Software Discussion / Re: Detecting RootKits
« Last post by Curt on July 07, 2007, 07:26 AM »
F-secure blacklight is part of my F-secure Anti-Virus for WorkStations 7 installation ..

http://www.f-secure.com/home_user/ - but pricey, isn't it:

FSecure.png
---

BTW:

Today justice is a thousand posts behind Darwin...(??):

#300

 :Thmbsup: more justice!
6759
Living Room / Re: When you make your 100'th Post
« Last post by Curt on July 07, 2007, 07:16 AM »
Today justice is a thousand posts behind Darwin...(??):

300justice.png
6760
General Software Discussion / Re: Detecting RootKits
« Last post by Curt on July 07, 2007, 06:06 AM »
You could try this one : Rootkit Unhooker 3.3 (don't try version 3.7):
http://rkunhooker1.n.../RkU3.30.150.400.rar ...

Thanks a lot for pointing to RkUnhook (RkU), SKA  :up:
This Russian program (exe name: 7lSQusUji) is by far the most advanced in this group! The first scanning result is literally ready in a second (!), but the final Report took more than an hour to produce. I would like to show a screenshot of the scrolled report window, but the RkU window is not a standard GUI object that my FastStone Capture can recognize, so I will insert a fraction of the 546 KB Report text file (I have deleted 99%). Here is first a screenshot:

RkU.png


Fraction of 546KB Report
RkUnhooker report generator v0.6
==============================================
Rootkit Unhooker kernel version: 3.30.150.400
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtAssignProcessToJobObject
Actual Address 0xF4D490B0
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtClose
Actual Address 0xF4C814FC
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
NtCreateFile
Actual Address 0xF4D36460
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtCreateKey
Actual Address 0xF4C80E56
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
NtCreateProcess

(part deleted)

==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x845C9660

Process: C:\PROGRA~1\Webshots\Webshots.scr
Process Id: 200
EPROCESS Address: 0x83D34B70

Process: C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
Process Id: 248
EPROCESS Address: 0x82BDA6D8

Process: C:\Programmer\Agnitum\Outpost Firewall\outpost.exe
Process Id: 340
EPROCESS Address: 0x82BB68C8

Process: C:\Programmer\WiredPlane\WireKeys\WireKeys.exe
Process Id: 460
EPROCESS Address: 0x83F34688

Process: C:\Programmer\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
Process Id: 480
EPROCESS Address: 0x83D55440

Process: C:\Programmer\Microsoft Office\OFFICE11\OUTLOOK.EXE
Process Id: 500
EPROCESS Address: 0x83433020

Process: C:\Programmer\StudioLine\NMSAccess.exe
Process Id: 504
EPROCESS Address: 0x83D2DA48

Process: C:\Programmer\Oront Burning Kit 2\nmsaccess.exe
Process Id: 524
EPROCESS Address: 0x83DCB930

Process: C:\WINDOWS\system32\smss.exe
Process Id: 584
EPROCESS Address: 0x8419F4E8

Process: C:\Programmer\ESET\nod32krn.exe
Process Id: 612
EPROCESS Address: 0x82BB8460

Process: C:\Programmer\Backup4all\IoctlSvc.exe
Process Id: 640
EPROCESS Address: 0x82BB18B0


(part deleted)


==============================================
>Drivers
Driver: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF5FFF000
Size: 3645440 bytes

Driver: C:\WINDOWS\System32\vtdisp.dll
Address: 0xBF012000
Size: 3493888 bytes

Driver: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000
Size: 2060160 bytes

(part deleted)


==============================================
>Files

Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: C:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS005A8.log Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.ci Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.dir Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.ci Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.dir Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Status: Hidden


Suspect File: C:\Documents and Settings\karar\Lokale indstillinger\Temporary Internet Files\Content.IE5\3CTNUGG3\indexCAAQZJGR.htm Status: Hidden


Suspect File: C:\Documents and Settings\karar\Lokale indstillinger\Temporary Internet Files\Content.IE5\LI5FD9A2\indexCA7AFT75.htm Status: Hidden


Suspect File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf Status: Hidden

==============================================
>Hooks

IDT-->Int 0x000000B1, Type: IDT modification hook handler located in [?_unknown_code_page_?]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF7891B4C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xF7891B1C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF7891B3C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF7891B28 hook handler located in [FILTNT.SYS]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x7C802367 hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [wl_hook.dll]

(part deleted)



Find the program at this all Russian forum:
http://rkunhooker1.n.../RkU3.30.150.400.rar
[Edit: or at http://rkunhooker1.narod.ru/index.html in English] 
- the program is in English. I think RkU by far is the best of these four apps I have named, but the full report may be useless as it will list every DLL and EXE file on your computer, because they are handling hooks...

---

SKA; what do you hold against version 3.7 ??
6761
General Software Discussion / Detecting RootKits
« Last post by Curt on July 06, 2007, 06:59 PM »
I ran 3 rootkit detectors and got 3 very different results. I could choose to write a long story here about this and tell the details, but in the end the one thing this post really is about is: how on earth are dumb users like me supposed to handle such results? If I (by accident) hadn't known any better, these scans would have made me remove several perfectly harmless programs!

Resplendence RootKit Hook Analyzer 3.00's result:

RootKitAnalyzeResplendence.GIF


SysInternals RootkitRevealer 1.71 was no better:

RootKitAnalyzeSysInternals.GIF


F-Secure Blacklight Rootkit Eliminator (expires 1st October 2007) gave the only trustworthy result: "0 files found":

RootKitAnalyzeFSecureBlackLight.png


It would be very interesting to see if security tools like Process Guard 3.4 or Anti Hook 3.0 (or the older but free 2.6) would have prevented any of these false-positive-programs from installing! ???

You can read about the rootkit problem at Gizmo's page.
6762
General Software Discussion / Re: Any FastStone fans out there?
« Last post by Curt on July 06, 2007, 11:07 AM »
It seems that 3.3 Beta 2 will search for a folder when it should be searching for a file; if one removes the filename there is no problem. lanux128 (and/or others); was/is the problem in version 3.2 with both folders and files, or files alone?
 :tellme:
6763
General Software Discussion / Re: My favorite software! What's yours?
« Last post by Curt on July 06, 2007, 08:31 AM »
Thanks for explaining, f0dder.

I didn't panic, though..  8)
- in fact, I have so far chosen to do nothing.
6764
General Software Discussion / Re: My favorite software! What's yours?
« Last post by Curt on July 06, 2007, 01:35 AM »
Fine tool it must be, this Registry Manager, well, almost perfect, I guess. I mean, why update a perfect program?... Or is there any other reason there have been no updates since August 2006...??
 :tellme: 
 :D
6765
General Software Discussion / Re: A question about DRM
« Last post by Curt on July 05, 2007, 05:38 PM »
My XP_Home is DRMtizied and I would like to test if I can record such a DRM protected (music-) file. Does anyone know where I can find one to download?
6766
You're right, April, it is okay in IE7 and Max too, when maximized.

--

What is "ex" in AOLex?
6767
... released - the Renegade PayPal Batch Encrypted Button Generator. Check out the page and look ..

Renegade; you clearly have optimized your page for Firefox:

TrialPayFirefox.png

but this is how it is looking in my IE7:

TrialPayIE7.png

and in my Maxthon 1.6:

TrialPayMaxthon.png

You might not care for these browsers, but I thought you should know in case you didn't.
6768
General Software Discussion / Re: My favorite software! What's yours?
« Last post by Curt on July 05, 2007, 10:41 AM »
We talk very often about virtual sandboxes as if they are security devices. And I will say they are. But at the same time they might be classified as RootKits!!! This is the scanning result from another favorite of mine: RootKit Hook Analyzer 3.01 (was updated today):

Hooked.png

One favorite that I tried but couldn't afford to buy was Registrar from the same company, Resplendence, because it was €45. But during this July there is a 30% rebate. You really should think about it; I was sad I didn't have the money back then, but now it just may be affordable:

Registrar Registry Manager offers a very complete and safe solution to administrators and power users for maintaining  the registry on both their desktops and remote computers on their network.

Apart from common features, like those offered by the native Windows registry editors (regedit.exe and  regedt32.exe) this program offers a solution for backing up and restoring registries, fast background  search and replace, a bookmark editor with categories which supports key coloring and adding descriptions  to registry keys and values, detailed property pages, tools for easy navigation. The program offers multi-level undo so all registry changes can be individually undone.

The software offers a registry defragmenter, a registry monitor which logs all changes made to the registry by external programs as well as security editors which allow you to set access restrictions on your registry keys.

Version 5.50 adds support for Windows Vista, including the x64 editions.

http://www.resplendence.com/registrar

Take a tour at http://www.resplende...m/registrar_features
6769
To my understanding the biggest difference between Sandboxie (and all the others), on one side, and Returnil on the other side, is that the Sandbox family will work in (on?) a partition, but Returnil is solely working in memory. I have not yet tried Returnil myself, but I sure will, and I expect a lot of it.

And now Returnil is FREE for personal use:
http://www.returnilv...iles/rvspersonal.htm
6770
General Software Discussion / Re: Any FastStone fans out there?
« Last post by Curt on July 04, 2007, 12:25 PM »
My 3.3 Beta 2 version is like Nighted's: It will do folders but not files.
6771
Thanks, mitzevo, for clarifying.

I was impressed with the collection of plugins for Paint.NET - but as time has passed by I too must admit that I really don't use Paint.NET. It's not a bad program in any way, it somehow just isn't right.
6772
General Software Discussion / Re: Is the Windows start menu dead?
« Last post by Curt on July 04, 2007, 12:53 AM »
Or there's ViStart for free, if you want something a bit different.

- or the same but with installer: http://www.lee-soft....s/viewtopic.php?t=93
6773
General Software Discussion / Re: My favorite software! What's yours?
« Last post by Curt on July 03, 2007, 03:39 AM »
Volumouse vomou.gif   :-*
Volumouse was yesterday updated to 1.5 and is now fully Vistable:

Version 1.50:

Volumouse now works under Windows Vista (both 32-bit and x64 versions)
Under Vista, there is no default mixer device anymore, but you can select the default playback and recording device in the component combo-box.
Under Vista, You can select more 6 channels, in addition to the 2 standard left and right channels.

Under Vista, changing the master volume doesn't affect the default left/right balance, as in the previous version of Windows.

All default settings are now saved into .cfg file instead of the Registry.

Added new options to "Use the wheel when" combo-box: Windows Media Center is focused, iTunes is focused, Mouse cursor is over the Vista Gadgets, GOM Player is focused, Alt+Shift are down, Alt+Ctrl are down, Ctrl+Shift are down, The cursor is on screen corners.

New option: Use hot-keys instead of the mouse wheel.

Added additional rule line (6 instead of 5 in previous versions...)
-Versions History


http://www.nirsoft.n...utils/volumouse.html
http://www.snapfiles...m/get/volumouse.html
6774
General Software Discussion / Re: Any "search this folder only" engines?
« Last post by Curt on July 02, 2007, 01:24 AM »
Curt, what is that folder size screenshot from? It does not look familiar.

CFi ShellToys, http://www.shelltoysxp.com/  :up:

I have removed the program again, but only because it is $40 and I really can't afford it right now - it would replace a bunch of other programs.

Edit: it can do a lot more than this old image from the site is telling:

CFIshelltoys.png45.gif
6775
I tried various readers but was annoyed that I had to open the program to read the news. I much prefer to have the news delivered to my mail inbox (because Outlook is placed in Start), so now I use the old but free RSS Popper (which has not been updated for 3 years); it does the job. Edit: Integrated with the context menu: Subscribe in RSS Popper

Edit2: I have no idea what a NNTP Newsreader is.

RSS Popper is a news aggregator add-in for Outlook & Outlook Express. News items delivered directly to Outlook as e-mails. No need to use a separate program for reading RSS anymore. All RSS/RDF/Atom formats are supported.

Just download, install, set your favorite news feeds, and you're ready to go.

Features (Partial list):

* Supports MS-Outlook 2000, XP, 2003 (RSS Popper)
* Outlook Express 6 (RSS Popper for Outlook Express)
* Supports all RSS, Atom & RDF versions
* Support Podcasts
* Bloglines.com synchronization
* NewsGator Online synchronization
* Enable full page download to Outlook (i.e. Off-line view)
* OPML Import/Export
* And much more...
-Saturday, October 16, 2004

RSSPopper.png RSS-Outlook.gif

http://rsspopper.blo...om/2004/10/home.html