«

I understand that rootkits for Windows can infect not only at the user
level but also at the kernel level. I also understand that one method
of detection and removal is to use a Linux distro where in the OS is
bootable and functional from the CD, such as Helix.

Will this work for Windows XP? Where do I get such an OS on CD mailed
to me and instructions on how to use it to scan for rootkits? I want
the best Linux OS and tools for the job, ones that will check both at
the user and kernel level.

Also, if this won't work, could I use other tools that would detect
both by installing them on a separate, known good computer, networking
it to the suspect computer and running the tools while the potentially
infected box is in either XP or perhaps DOS mode?

I know that, in addition to all this, I will have to wipe the hdd and
reinstall from scratch. But, I first want to make sure there actually
is a rootkit on the system before I go to all that trouble, since this
is a needed work computer in my home office and reinstalling s/w and
pulling data from the external hdd will be time consuming.

In addition, this is one of those IBM laptops where the information
normally found on a restore CD is on the hdd - on a separate partition
or some such thing I believe. I need to ask whether that portion of the
hdd could be infected such that restoring from there would only bring
the rootkit back?

If so, how could one deal with that?

PS-If you've read this far, note that I have had only symptoms of my
cursor jumping up higher in the word text while I am typing and in some
cases not being able to open multiple highlighted e-mails from a folder
or in OE. I also had one small trace of something that could
potentially have been part of a rootkit found and removed by Webroot
Spy Sweeper.

I ran the freeware RootkitRevealer and it found nothing. But, I
understand that such a tool is not thorough enough.

Thanks again for reading all this and I hope you can help.

Best,
David

"" <> wrote:

|>I understand that rootkits for Windows can infect not only at the user
|>level but also at the kernel level. I also understand that one method
|>of detection and removal is to use a Linux distro where in the OS is
|>bootable and functional from the CD, such as Helix.
|

You could use knoppix http://www.knoppix.org/ (It's free) or Helix I
guess, You could even use a Dual boot system to search for most
Rootkits.

Assuming a rootkit resides in a directory, you can run a TREE command
from your system, then from Linux liveCD; The Tree command would have
to be the same command or give the same output for both win & linux

Take both saved tree outputs and use something like UltraEdit to
compare the two files and see if there is any difference (A $sys$
directory)

Find a difference, then you figure out how to get rid of it, (google
the directories files)

-It's how I'd do it, if I thought I had a problem-

|>Will this work for Windows XP? Where do I get such an OS on CD mailed
|>to me and instructions on how to use it to scan for rootkits? I want
|>the best Linux OS and tools for the job, ones that will check both at
|>the user and kernel level.
|>
|

--
http://www.davesdaily.com/pictures/p...-oh-my-god.jpg

<> wrote in message
news: ups.com...
>I understand that rootkits for Windows can infect not only at the user
> level but also at the kernel level. I also understand that one method
> of detection and removal is to use a Linux distro where in the OS is
> bootable and functional from the CD, such as Helix.
>
> Will this work for Windows XP? Where do I get such an OS on CD mailed
> to me and instructions on how to use it to scan for rootkits? I want
> the best Linux OS and tools for the job, ones that will check both at
> the user and kernel level.
>
> Also, if this won't work, could I use other tools that would detect
> both by installing them on a separate, known good computer, networking
> it to the suspect computer and running the tools while the potentially
> infected box is in either XP or perhaps DOS mode?
>

If you have an indection on the machine, then you need to be on that machine
with the tools looking.


> I know that, in addition to all this, I will have to wipe the hdd and
> reinstall from scratch. But, I first want to make sure there actually
> is a rootkit on the system before I go to all that trouble, since this
> is a needed work computer in my home office and reinstalling s/w and
> pulling data from the external hdd will be time consuming.

Long

http://www.windowsecurity.com/articl...vironment.html

Short

http://tinyurl.com/klw1



>
> In addition, this is one of those IBM laptops where the information
> normally found on a restore CD is on the hdd - on a separate partition
> or some such thing I believe. I need to ask whether that portion of the
> hdd could be infected such that restoring from there would only bring
> the rootkit back?
>
> If so, how could one deal with that?
>
> PS-If you've read this far, note that I have had only symptoms of my
> cursor jumping up higher in the word text while I am typing and in some
> cases not being able to open multiple highlighted e-mails from a folder
> or in OE. I also had one small trace of something that could
> potentially have been part of a rootkit found and removed by Webroot
> Spy Sweeper.
>
> I ran the freeware RootkitRevealer and it found nothing. But, I
> understand that such a tool is not thorough enough.
>
> Thanks again for reading all this and I hope you can help.

The makers of Process Explorer in the link above make a free
RootkitReaveler.

Duane

using an AV like Kaspersky and a Windows Boot CD might be one way to find
it. there are also several rootkit detection tools e.g. the ones on
rootkit.com. and a rootkit scanner from 3W design.

Gravity

On 11 Mar 2006 16:27:13 -0800, "" <>
wrote:

>I understand that rootkits for Windows can infect not only at the user
>level but also at the kernel level. I also understand that one method
>of detection and removal is to use a Linux distro where in the OS is
>bootable and functional from the CD, such as Helix.
>
>Will this work for Windows XP? Where do I get such an OS on CD mailed
>to me and instructions on how to use it to scan for rootkits? I want
>the best Linux OS and tools for the job, ones that will check both at
>the user and kernel level.
>
>Also, if this won't work, could I use other tools that would detect
>both by installing them on a separate, known good computer, networking
>it to the suspect computer and running the tools while the potentially
>infected box is in either XP or perhaps DOS mode?

http://www.sysinternals.com/Utilitie...tRevealer.html

<snip>

--
To install WordBlurf 9.0 on a network, place the write-enabled installation
diskette in drive A and type A:netinstall. WordBlurf 9.0 will install itself
on every machine on your network and nothing will go wrong. Really. We swear.
-A user about to discover the real nature of networking

wrote:
>
> I understand that rootkits for Windows can infect not only at the user

http://www.bootdisk.com/bootlist/242.htm#4