Velocity Reviews - Computer Hardware Reviews

Rootkit detection and removal

geermeister@gmail.com
03-12-2006
I understand that rootkits for Windows can infect not only at the user
level but also at the kernel level. I also understand that one method
of detection and removal is to use a Linux distro wherein the OS is
bootable and functional from the CD, such as Helix.

Will this work for Windows XP? Where do I get such an OS on CD mailed
to me and instructions on how to use it to scan for rootkits? I want
the best Linux OS and tools for the job, ones that will check both at
the user and kernel level.

Also, if this won't work, could I use other tools that would detect
both by installing them on a separate, known good computer, networking
it to the suspect computer and running the tools while the potentially
infected box is in either XP or perhaps DOS mode?

I know that, in addition to all this, I will have to wipe the hdd and
reinstall from scratch. But, I first want to make sure there actually
is a rootkit on the system before I go to all that trouble, since this
is a needed work computer in my home office and reinstalling s/w and
pulling data from the external hdd will be time consuming.

In addition, this is one of those IBM laptops where the information
normally found on a restore CD is on the hdd - on a separate partition
or some such thing I believe. I need to ask whether that portion of the
hdd could be infected such that restoring from there would only bring
the rootkit back?

If so, how could one deal with that?

PS-If you've read this far, note that I have had only symptoms of my
cursor jumping up higher in the word text while I am typing and in some
cases not being able to open multiple highlighted e-mails from a folder
or in OE. I also had one small trace of something that could
potentially have been part of a rootkit found and removed by Webroot
Spy Sweeper.

I ran the freeware RootkitRevealer and it found nothing. But, I
understand that such a tool is not thorough enough.

Thanks again for reading all this and I hope you can help.

Best,
David

Trax
03-12-2006
"(E-Mail Removed)" <(E-Mail Removed)> wrote:

|>I understand that rootkits for Windows can infect not only at the user
|>level but also at the kernel level. I also understand that one method
|>of detection and removal is to use a Linux distro where in the OS is
|>bootable and functional from the CD, such as Helix.
|

You could use Knoppix http://www.knoppix.org/ (it's free) or Helix, I
guess. You could even use a dual-boot system to search for most
rootkits.

Assuming a rootkit resides in a directory, you can run a TREE command
from your system, then from the Linux live CD; the TREE command would
have to be the same command or give the same output for both Windows & Linux.

Take both saved tree outputs and use something like UltraEdit to
compare the two files and see if there is any difference (a $sys$
directory).

Find a difference, then you figure out how to get rid of it (google
the directory's files).

-It's how I'd do it, if I thought I had a problem-

|>Will this work for Windows XP? Where do I get such an OS on CD mailed
|>to me and instructions on how to use it to scan for rootkits? I want
|>the best Linux OS and tools for the job, ones that will check both at
|>the user and kernel level.
|>
|

--
http://www.davesdaily.com/pictures/p...-oh-my-god.jpg
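One way to carry out the two-listing comparison Trax describes, as an added Python example that is not from this thread: it assumes the two listings were saved as one full path per line (e.g. `dir /s /b` inside Windows and `find` on the live CD) rather than TREE's box-drawing output, and the sample listings below are constructed. It goes a little beyond the post by also filtering out files that legitimately differ between a running and an offline view, so the diff is not drowned in noise.

```python
"""Cross-view listing diff: compare a listing taken inside the running Windows
install with one taken from a Linux live CD mounting the same partition.
Paths the offline view sees but the online view does not are candidates for
something hiding them from the running kernel."""
import re
from typing import Dict, Set

# Constructed sample listings, not captures from a real machine, assumed to be
# one full path per line (e.g. `dir /s /b C:\` and `find /mnt/hda1`) rather
# than TREE's box-drawing output.  The $sys$ names are placeholders.
ONLINE_LISTING = """\
C:\\WINDOWS\\system32\\kernel32.dll
C:\\WINDOWS\\system32\\drivers\\ntfs.sys
C:\\WINDOWS\\Temp\\~df1234.tmp
C:\\Documents and Settings\\David\\My Documents\\report.doc
"""
OFFLINE_LISTING = """\
/mnt/hda1/WINDOWS/system32/kernel32.dll
/mnt/hda1/WINDOWS/system32/drivers/ntfs.sys
/mnt/hda1/WINDOWS/system32/$sys$hidden.sys
/mnt/hda1/WINDOWS/system32/drivers/$sys$hidden.dll
/mnt/hda1/Documents and Settings/David/My Documents/report.doc
/mnt/hda1/hiberfil.sys
"""
# Files that legitimately differ between a live and an offline view.
VOLATILE = re.compile(r"^(pagefile|hiberfil)\.sys$|/temp/|\.(log|tmp)$", re.I)

def normalise(path: str, prefix: str) -> str:
    """Strip drive/mount prefix, use '/', lower-case (NTFS is case-insensitive)."""
    p = path.strip().replace("\\", "/")
    pre = prefix.replace("\\", "/").lower()
    if p.lower().startswith(pre):
        p = p[len(pre):]
    return p.strip("/").lower()

def parse_listing(text: str, prefix: str) -> Set[str]:
    return {normalise(l, prefix) for l in text.splitlines() if l.strip()}

def cross_view_diff(online: Set[str], offline: Set[str]) -> Dict[str, Set[str]]:
    """Offline-only entries are the interesting ones; online-only ones are
    usually churn but are returned so nothing is silently dropped."""
    return {
        "hidden_from_online": {p for p in offline - online if not VOLATILE.search(p)},
        "only_online": {p for p in online - offline if not VOLATILE.search(p)},
    }

def flag_suspicious(hidden: Set[str]) -> Set[str]:
    """The post's own tell (a $sys$ name) plus anything hidden under system32."""
    return {p for p in hidden if "$sys$" in p or p.startswith("windows/system32/")}
```

Run `flag_suspicious(cross_view_diff(parse_listing(online_text, "C:\\"), parse_listing(offline_text, "/mnt/hda1/"))["hidden_from_online"])` on your own two saved listings; anything it returns deserves a closer look before deciding the machine is clean.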
K-Man hater Duane
03-12-2006

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
>I understand that rootkits for Windows can infect not only at the user
> level but also at the kernel level. I also understand that one method
> of detection and removal is to use a Linux distro where in the OS is
> bootable and functional from the CD, such as Helix.
>
> Will this work for Windows XP? Where do I get such an OS on CD mailed
> to me and instructions on how to use it to scan for rootkits? I want
> the best Linux OS and tools for the job, ones that will check both at
> the user and kernel level.
>
> Also, if this won't work, could I use other tools that would detect
> both by installing them on a separate, known good computer, networking
> it to the suspect computer and running the tools while the potentially
> infected box is in either XP or perhaps DOS mode?
>


If you have an infection on the machine, then you need to be on that machine
with the tools looking.


> I know that, in addition to all this, I will have to wipe the hdd and
> reinstall from scratch. But, I first want to make sure there actually
> is a rootkit on the system before I go to all that trouble, since this
> is a needed work computer in my home office and reinstalling s/w and
> pulling data from the external hdd will be time consuming.


Long

http://www.windowsecurity.com/articl...vironment.html

Short

http://tinyurl.com/klw1



>
> In addition, this is one of those IBM laptops where the information
> normally found on a restore CD is on the hdd - on a separate partition
> or some such thing I believe. I need to ask whether that portion of the
> hdd could be infected such that restoring from there would only bring
> the rootkit back?
>
> If so, how could one deal with that?
>
> PS-If you've read this far, note that I have had only symptoms of my
> cursor jumping up higher in the word text while I am typing and in some
> cases not being able to open multiple highlighted e-mails from a folder
> or in OE. I also had one small trace of something that could
> potentially have been part of a rootkit found and removed by Webroot
> Spy Sweeper.
>
> I ran the freeware RootkitRevealer and it found nothing. But, I
> understand that such a tool is not thorough enough.
>
> Thanks again for reading all this and I hope you can help.


The makers of Process Explorer in the link above make a free
RootkitRevealer.

Duane


gravity
03-12-2006
Using an AV like Kaspersky and a Windows boot CD might be one way to find
it. There are also several rootkit detection tools, e.g. the ones on
rootkit.com, and a rootkit scanner from 3W design.

Gravity

Mara
03-12-2006
On 11 Mar 2006 16:27:13 -0800, "(E-Mail Removed)" <(E-Mail Removed)>
wrote:

>I understand that rootkits for Windows can infect not only at the user
>level but also at the kernel level. I also understand that one method
>of detection and removal is to use a Linux distro where in the OS is
>bootable and functional from the CD, such as Helix.
>
>Will this work for Windows XP? Where do I get such an OS on CD mailed
>to me and instructions on how to use it to scan for rootkits? I want
>the best Linux OS and tools for the job, ones that will check both at
>the user and kernel level.
>
>Also, if this won't work, could I use other tools that would detect
>both by installing them on a separate, known good computer, networking
>it to the suspect computer and running the tools while the potentially
>infected box is in either XP or perhaps DOS mode?


http://www.sysinternals.com/Utilitie...tRevealer.html

<snip>

--
To install WordBlurf 9.0 on a network, place the write-enabled installation
diskette in drive A and type A:netinstall. WordBlurf 9.0 will install itself
on every machine on your network and nothing will go wrong. Really. We swear.
-A user about to discover the real nature of networking
Plato
03-12-2006
(E-Mail Removed) wrote:
>
> I understand that rootkits for Windows can infect not only at the user


http://www.bootdisk.com/bootlist/242.htm#4
