Sysinternals Forum > Sysinternals Utilities > RootkitRevealer Logs

Zepter Software
mn19522 (Newbie, joined 20 May 2006, United States)
Posted: 21 May 2006 at 9:58pm

Hello, I am experiencing the nastiness of the Zepter Software rootkit.  I understand that it is associated with and installed when the program AnyDVD, which is sold by SlySoft, is used.  Also, the Sysinternals program RegDelNull will remove it.  My problem is that when I run the exe to start the program, the black box that you use to enter the deletion statement appears and disappears in an eye blink, and I do not know why or how to correct it so that I can delete the rootkit.  Another problem is that each time you use AnyDVD, the rootkit is reinstalled.  Is Sysinternals developing, or does it have available, software that would go further than RootkitRevealer, that could examine a null key and give the computer user the opportunity to void the installation?

Thanks to one and all who respond to this problem.  Sincerely, M



Edited by mn19522 - 21 May 2006 at 10:01pm
namrehto (Senior Member, joined 23 June 2005, Scotland)
Posted: 22 May 2006 at 2:09am
Quote: "My problem is that when I run the exe to start the program the black box that you use to enter the deletion statement appears and disappears in an eye blink"

That's because you need to run RegDelNull from a Command Prompt, complete with command line parameters. Or from a shortcut where you have manually appended those parameters into the Target box of the shortcut's properties.

You can't "enter the deletion statement" once the prog has started. Clicking on the exe in Explorer will just run it without parameters, so it will do nothing.

Quote: "Is sysinternals developing or has available software that would go further than Rootkit Revealer that could examine a null key and give the computer user the opportunity to void the installation?"

You're talking here about real-time protection. There are a number of anti-malware apps which can guard against unwanted registry modification.

Edited by namrehto - 22 May 2006 at 2:11am
Gil
mn19522 (Newbie, joined 20 May 2006, United States)
Posted: 22 May 2006 at 4:00am

I just spent half an hour composing this and something wiped it out before I could post it, so here goes again.  As previously noted, when I try to run the removal program it appears and disappears before I can use it.  I have no idea what is causing this, but it is quite frustrating. I think I understand now.  I should cut and paste the entry into the Run area of Start?

I run 17 different scanners at all times during the day, 24 hours a day, none at the same time.  None of them, both purchased and free from reliable sources, have identified this rootkit, much less protected the computer from infection or reinfection.  I have written to each of the companies and informed them of this problem.  It will be interesting to see how they respond.  Could you please provide me with the names of some of this software?

Here is something I think all will enjoy reading.  I wrote to SlySoft about this problem.  I fairly quickly received a response, not quite what I asked so I wrote again with the suggestion that they peruse this forum.  Here is the correspondence so far.

 mn19522@yahoo.com wrote:

"I am very, very disappointed in you.  I have a rootkit called zepter software on my system that I cannot get rid of.  Reading on the internet tells me that you (your software) your developers added this without my knowledge or permission.  Are you pulling a Sony?  After I paid good money for three of your packages that up until now I have been very pleased with all of the software.
  
Exactly what does this rootkit do?  What information is it sending to you or the rootkit's instructions tell it to send?
  
Please answer as soon as possible.  If you are going to tell me to read the EULA, I will, but you have at least a moral responsibility to your paying customers to not do terrible things such as installing rootkits.  Sincerely, M"

SlySoft Responded:

Hi,

It is no kind of rootkit software. It is part of our license key system
and will not harm your PC.

Best regards,

John Smith
Customer Support

I responded:

Hi John,

You need to check out the forum under logs zepter software at sysinternals.com.  Your company is getting a lot of bad press.  Why is this not explained when the key is provided.  Is it collecting or sending any information about me or my computer to any company without my express approval.  What is Zepter Software?  Why this name? 

Thank you, I appreciate your time, Sincerely M

 

It will be interesting now to see what forum members have to say about the response from SlySoft.  Take care, thanks for your help, M

< id=kpfLog style="DISPLAY: none" src="http://127.0.0.1:44501/pl.?START_LOG" onload=destroy(this) SuperAdBlocker_="0"> < =text/>

Edited by mn19522 - 22 May 2006 at 4:48am
namrehto (Senior Member, joined 23 June 2005, Scotland)
Posted: 22 May 2006 at 5:24am
If the RKR discrepancy report is like the one posted here, then it's not a rootkit as such. SlySoft's response is actually correct. By embedding nulls in the registry key name they make the key impossible to edit in Regedit, thereby protecting it from tampering. RKR flags this up because embedding nulls is a way in which malware could potentially hide information.

Your system is okay. But if you did want to remove that registry key then - if the RKR discrepancy report is like the one posted here - you would need to use the command 'regdelnull HKU -s'.

If you wanted to use the Start->Run box you would need to paste in:

"C:\<path_to_folder_containing_regdelnull>\regdelnull" HKU -s

substituting for C:\<path_to_folder_containing_regdelnull> appropriately, e.g. if regdelnull.exe is located on your desktop, you would use:

"C:\Documents and Settings\<username>\Desktop\regdelnull" HKU -s

where <username> is your login username

Edited by namrehto - 22 May 2006 at 5:26am
Gil
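The post above explains why RootkitRevealer flags the key and why Regedit cannot touch it: Win32 registry functions treat a key name as a NUL-terminated string, so a name with an embedded NUL is silently cut short, while the native API returns a counted buffer and sees the whole name. The script below is an added example (not Sysinternals' code, and not RegDelNull's implementation) that shows the two views side by side and, on Windows, enumerates one level of a hive through ntdll!NtEnumerateKey to report subkeys whose names contain a NUL. The sample key name "Zepter\0Software" is constructed for illustration; the real key name is not given in the thread. The KEY_BASIC_INFORMATION offsets are those of the documented kernel-mode structure. Recursion (the -s switch of RegDelNull) is deliberately left out, because a NUL-named key cannot be opened by name to descend into it.

```python
"""Spot registry key names with embedded NUL characters, the kind of
discrepancy RootkitRevealer reports and RegDelNull deletes.

Added illustration, not Sysinternals' code.  Win32 registry functions and
Regedit treat a key name as a NUL-terminated string, so a name containing a
NUL is cut short and the key cannot be opened by name.  The native API
(ntdll!NtEnumerateKey) returns a counted buffer (NameLength bytes of UTF-16)
and therefore sees the whole name; comparing the two views is the check.
The enumeration needs Windows; the string logic runs anywhere.
"""
import ctypes
import sys

# Constructed sample names (not the real Zepter key, which the thread does not give).
SAMPLE_NULL_NAME = "Zepter\x00Software".encode("utf-16-le")
SAMPLE_PLAIN_NAME = "Software".encode("utf-16-le")


def native_view(raw_name: bytes) -> str:
    """Full name as the native API reports it: every UTF-16 unit, NULs included."""
    return raw_name.decode("utf-16-le")


def win32_view(raw_name: bytes) -> str:
    """Name as a NUL-terminated Win32 string: everything after the first NUL is lost."""
    return native_view(raw_name).split("\x00", 1)[0]


def has_embedded_null(raw_name: bytes) -> bool:
    """True when the two views disagree, i.e. the name hides text behind a NUL."""
    return win32_view(raw_name) != native_view(raw_name)


def printable(name: str) -> str:
    """Render NULs as the visible escape \\0 so a report line can show them."""
    return name.replace("\x00", "\\0")


def classify(raw_name: bytes) -> dict:
    """Summary record for one key name: both views plus the verdict."""
    return {
        "native": printable(native_view(raw_name)),
        "win32": win32_view(raw_name),
        "embedded_null": has_embedded_null(raw_name),
    }


# --- Windows-only part: walk one level of a hive with the native API ----------
KEY_BASIC_INFORMATION = 0          # KEY_INFORMATION_CLASS value
STATUS_NO_MORE_ENTRIES = 0x8000001A
NAME_LENGTH_OFFSET = 12            # LARGE_INTEGER LastWriteTime (8) + ULONG TitleIndex (4)
NAME_OFFSET = 16                   # ... + ULONG NameLength (4), then WCHAR Name[]


def find_null_named_subkeys(root, subkey=""):
    """Return [(index, printable_name)] for the direct subkeys of root\\subkey whose
    names contain a NUL.  NtEnumerateKey is used because RegEnumKeyEx would hand
    back the truncated Win32 view.  root is a winreg constant such as HKEY_USERS,
    the hive the 'regdelnull HKU -s' command in the thread scans."""
    if sys.platform != "win32":
        raise OSError("registry enumeration needs Windows")
    import winreg
    ntdll = ctypes.WinDLL("ntdll")
    found = []
    with winreg.OpenKey(root, subkey, 0, winreg.KEY_READ) as key:
        handle = ctypes.c_void_p(key.handle)
        buf = ctypes.create_string_buffer(4096)   # key names are at most 255 chars
        returned = ctypes.c_ulong()
        index = 0
        while True:
            status = ntdll.NtEnumerateKey(handle, index, KEY_BASIC_INFORMATION,
                                          buf, len(buf), ctypes.byref(returned)) & 0xFFFFFFFF
            if status == STATUS_NO_MORE_ENTRIES:
                break
            if status != 0:
                raise OSError(f"NtEnumerateKey index {index} failed: 0x{status:08X}")
            name_len = ctypes.c_ulong.from_buffer(buf, NAME_LENGTH_OFFSET).value
            raw = buf.raw[NAME_OFFSET:NAME_OFFSET + name_len]
            if has_embedded_null(raw):
                found.append((index, printable(native_view(raw))))
            index += 1
    return found


if __name__ == "__main__":
    for raw in (SAMPLE_NULL_NAME, SAMPLE_PLAIN_NAME):
        print(classify(raw))
    if sys.platform == "win32":
        import winreg
        for index, name in find_null_named_subkeys(winreg.HKEY_USERS):
            print(f"HKU subkey #{index} has an embedded NUL: {name}")
```

Run without arguments it prints the two views of each constructed sample; on Windows it then lists any NUL-named keys directly under HKEY_USERS. A report of "embedded_null: True" is exactly the discrepancy RKR describes, and on its own says nothing about intent: as Gil notes, a vendor's licensing key and a piece of malware hiding data look the same at this level, so the finding is a pointer to what to investigate rather than a verdict.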
mn19522 (Newbie, joined 20 May 2006, United States)
Posted: 22 May 2006 at 6:33am
< id=kpfLog style="DISPLAY: none" src="http://127.0.0.1:44501/pl.?START_LOG" onload=destroy(this) SuperAdBlocker_="0"> < =text/>
namrehto (Senior Member, joined 23 June 2005, Scotland)
Posted: 22 May 2006 at 7:54am
Originally posted by mn19522:

< id=kpfLog style="DISPLAY: none" src="http://127.0.0.1:44501/pl.?START_LOG" onload=destroy(this) SuperAdBlocker_="0"> < =text/>

You seem to be having trouble posting. Since the HTML next to your posts refers to "Sunbelt Kerio Popup Killer" you might want to disable this temporarily.
Gil
mn19522 (Newbie, joined 20 May 2006, United States)
Posted: 22 May 2006 at 8:30am

So they are not actually collecting any data or information that would allow them to do anything on the computer, what a relief.  Since this thing keeps reinstalling with use, there is not much sense in pursuing it as a rootkit which it technically is not.

Thank you much for all of your help and information.  I appreciate your time.  Sincerely, M

sometimgeek (Newbie, joined 09 June 2006, United States)
Posted: 09 June 2006 at 9:28pm
Hi, I have tried all the fixes offered in the forums about removing Zepter and none have worked for me. I thought about it a while and decided to try System Restore to the day before AnyDVD was installed, and that removed the Zepter Software registry entries for me. It may not work for you, but at least give it a try.
mn19522 (Newbie, joined 20 May 2006, United States)
Posted: 09 June 2006 at 9:42pm
I have been in touch with Microsoft security at the second tier.  They checked Zepter out as far as they could and determined that it is a form of license protection that other software developers and vendors are starting to use.  Unfortunately, each time the program is called or the system is rebooted, the Zepter flag is reset and installed.  As long as nothing is damaged and nothing is sent back to anyone, I am not going to bother with it anymore.  I will let this 'sleeping dog' lie.  Sincerely, M