Rootkit detection and removal

Discussion in 'Computer Support' started by geermeister@gmail.com, Mar 12, 2006.

  1. Guest

    I understand that rootkits for Windows can infect not only at the user
    level but also at the kernel level. I also understand that one method
    of detection and removal is to use a Linux distro where in the OS is
    bootable and functional from the CD, such as Helix.

    Will this work for Windows XP? Where do I get such an OS on CD mailed
    to me and instructions on how to use it to scan for rootkits? I want
    the best Linux OS and tools for the job, ones that will check both at
    the user and kernel level.

    Also, if this won't work, could I use other tools that would detect
    both by installing them on a separate, known good computer, networking
    it to the suspect computer and running the tools while the potentially
    infected box is in either XP or perhaps DOS mode?

    I know that, in addition to all this, I will have to wipe the hdd and
    reinstall from scratch. But, I first want to make sure there actually
    is a rootkit on the system before I go to all that trouble, since this
    is a needed work computer in my home office and reinstalling s/w and
    pulling data from the external hdd will be time consuming.

    In addition, this is one of those IBM laptops where the information
    normally found on a restore CD is on the hdd - on a separate partition
    or some such thing I believe. I need to ask whether that portion of the
    hdd could be infected such that restoring from there would only bring
    the rootkit back?

    If so, how could one deal with that?

    PS-If you've read this far, note that I have had only symptoms of my
    cursor jumping up higher in the word text while I am typing and in some
    cases not being able to open multiple highlighted e-mails from a folder
    or in OE. I also had one small trace of something that could
    potentially have been part of a rootkit found and removed by Webroot
    Spy Sweeper.

    I ran the freeware RootkitRevealer and it found nothing. But, I
    understand that such a tool is not thorough enough.

    Thanks again for reading all this and I hope you can help.

    Best,
    David
     
    , Mar 12, 2006
    #1

  2. Trax Guest

    "" <> wrote:

    |>I understand that rootkits for Windows can infect not only at the user
    |>level but also at the kernel level. I also understand that one method
    |>of detection and removal is to use a Linux distro where in the OS is
    |>bootable and functional from the CD, such as Helix.
    |

    You could use Knoppix http://www.knoppix.org/ (it's free) or Helix, I
    guess. You could even use a dual-boot system to search for most
    rootkits.

    Assuming a rootkit resides in a directory, you can run a TREE command
    from your system, then from the Linux live CD; the TREE command would have
    to be the same command or give the same output for both Win & Linux.

    Take both saved tree outputs and use something like UltraEdit to
    compare the two files and see if there is any difference (a $sys$
    directory).

    Find a difference, then you figure out how to get rid of it (Google
    the directory's files).

    -It's how I'd do it, if I thought I had a problem-

    |>Will this work for Windows XP? Where do I get such an OS on CD mailed
    |>to me and instructions on how to use it to scan for rootkits? I want
    |>the best Linux OS and tools for the job, ones that will check both at
    |>the user and kernel level.
    |>
    |

    --
    http://www.davesdaily.com/pictures/pictures10/568-oh-my-god.jpg
     
    Trax, Mar 12, 2006
    #2
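The cross-view comparison Trax describes, as an added example that is not code from the thread: it assumes both listings were saved as one full path per line (dir /s /b on Windows, find on the live CD with the volume mounted at /mnt/win), normalizes case and path separators, and reports what the live CD saw that the running Windows did not. The sample listings are constructed.

```python
"""Cross-view diff of two listings of the same Windows volume: one taken while
booted into the suspect Windows install, one taken from a Linux live CD.
Files the live CD sees that Windows did not list are candidates for something
hiding itself from the running OS, the classic behaviour of a rootkit."""

# Constructed sample listings, not real captures.  Assumed format: one full
# path per line, as produced by "dir /s /b C:\" on Windows and by
# "find /mnt/win -print" on the live CD (volume mounted at /mnt/win).
ONLINE_LISTING = """\
C:\\WINDOWS\\system32\\drivers\\atapi.sys
C:\\WINDOWS\\system32\\kernel32.dll
C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe
C:\\pagefile.sys
"""
OFFLINE_LISTING = """\
/mnt/win/WINDOWS/system32/drivers/atapi.sys
/mnt/win/WINDOWS/system32/kernel32.dll
/mnt/win/WINDOWS/system32/$sys$example/hidden.sys
/mnt/win/Program Files/Webroot/Spy Sweeper/SpySweeper.exe
/mnt/win/pagefile.sys
"""

# Paths that legitimately differ between boots; extend for the box in question.
VOLATILE_PREFIXES = ("pagefile.sys", "hiberfil.sys", "system volume information/")


def normalize(line, prefix):
    """Reduce one listing line to a lower-case, forward-slash path relative to
    the volume root, so the two OSes' spellings of the same file compare equal."""
    line = line.strip()
    if line.lower().startswith(prefix.lower()):
        line = line[len(prefix):]
    path = line.replace("\\", "/").strip("/").lower()
    if not path or path.startswith(VOLATILE_PREFIXES):
        return None
    return path


def load_listing(text, prefix):
    """Set of normalized paths from a listing, skipping blanks and volatile files."""
    return {p for p in (normalize(l, prefix) for l in text.splitlines()) if p}


def cross_view_diff(online_text, offline_text, online_prefix="C:\\", offline_prefix="/mnt/win/"):
    """Return (seen only offline, seen only online).  The first list is the
    interesting one: files the running Windows failed to show.  The second is
    usually churn, e.g. temp files created after the offline snapshot."""
    online = load_listing(online_text, online_prefix)
    offline = load_listing(offline_text, offline_prefix)
    return sorted(offline - online), sorted(online - offline)


if __name__ == "__main__":
    print(cross_view_diff(ONLINE_LISTING, OFFLINE_LISTING))
```

Expect some noise from files that change between boots; take the two listings as close together in time as possible and grow VOLATILE_PREFIXES rather than ignoring the report wholesale.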

  3. <> wrote in message
    news:...
    >I understand that rootkits for Windows can infect not only at the user
    > level but also at the kernel level. I also understand that one method
    > of detection and removal is to use a Linux distro where in the OS is
    > bootable and functional from the CD, such as Helix.
    >
    > Will this work for Windows XP? Where do I get such an OS on CD mailed
    > to me and instructions on how to use it to scan for rootkits? I want
    > the best Linux OS and tools for the job, ones that will check both at
    > the user and kernel level.
    >
    > Also, if this won't work, could I use other tools that would detect
    > both by installing them on a separate, known good computer, networking
    > it to the suspect computer and running the tools while the potentially
    > infected box is in either XP or perhaps DOS mode?
    >


    If you have an infection on the machine, then you need to be on that machine
    with the tools looking.


    > I know that, in addition to all this, I will have to wipe the hdd and
    > reinstall from scratch. But, I first want to make sure there actually
    > is a rootkit on the system before I go to all that trouble, since this
    > is a needed work computer in my home office and reinstalling s/w and
    > pulling data from the external hdd will be time consuming.


    Long

    http://www.windowsecurity.com/artic...d_Rootkit_Tools_in_a_Windows_Environment.html

    Short

    http://tinyurl.com/klw1



    >
    > In addition, this is one of those IBM laptops where the information
    > normally found on a restore CD is on the hdd - on a separate partition
    > or some such thing I believe. I need to ask whether that portion of the
    > hdd could be infected such that restoring from there would only bring
    > the rootkit back?
    >
    > If so, how could one deal with that?
    >
    > PS-If you've read this far, note that I have had only symptoms of my
    > cursor jumping up higher in the word text while I am typing and in some
    > cases not being able to open multiple highlighted e-mails from a folder
    > or in OE. I also had one small trace of something that could
    > potentially have been part of a rootkit found and removed by Webroot
    > Spy Sweeper.
    >
    > I ran the freeware RootkitRevealer and it found nothing. But, I
    > understand that such a tool is not thorough enough.
    >
    > Thanks again for reading all this and I hope you can help.


    The makers of Process Explorer in the link above make a free
    RootkitRevealer.

    Duane :)
     
    K-Man hater Duane, Mar 12, 2006
    #3
  4. gravity Guest

    Using an AV like Kaspersky and a Windows Boot CD might be one way to find
    it. There are also several rootkit detection tools, e.g. the ones on
    rootkit.com, and a rootkit scanner from 3W design.

    Gravity
     
    gravity, Mar 12, 2006
    #4
  5. Mara Guest

    On 11 Mar 2006 16:27:13 -0800, "" <>
    wrote:

    >I understand that rootkits for Windows can infect not only at the user
    >level but also at the kernel level. I also understand that one method
    >of detection and removal is to use a Linux distro where in the OS is
    >bootable and functional from the CD, such as Helix.
    >
    >Will this work for Windows XP? Where do I get such an OS on CD mailed
    >to me and instructions on how to use it to scan for rootkits? I want
    >the best Linux OS and tools for the job, ones that will check both at
    >the user and kernel level.
    >
    >Also, if this won't work, could I use other tools that would detect
    >both by installing them on a separate, known good computer, networking
    >it to the suspect computer and running the tools while the potentially
    >infected box is in either XP or perhaps DOS mode?


    http://www.sysinternals.com/Utilities/RootkitRevealer.html

    <snip>

    --
    To install WordBlurf 9.0 on a network, place the write-enabled installation
    diskette in drive A and type A:netinstall. WordBlurf 9.0 will install itself
    on every machine on your network and nothing will go wrong. Really. We swear.
    -A user about to discover the real nature of networking
     
    Mara, Mar 12, 2006
    #5
  6. Plato Guest

    Plato, Mar 12, 2006
    #6