Rootkit Scanners?

[britmaveric]

Anyone here recommend any good rootkit scanners?

Make a long story short can't seem get microsoft firewall, update, security center ect to remain enabled. Made appropriate registry deletions and they pop backup after a reboot. I beginning to think I've gotton some nasty rootkit infection.

[Mid]

Here ya go

[phazey]

i use rkdetect and chkrootkit on my work servers - can also recommend tripwire & nessus - Nessus is pretty swanky with it's reporting.

[Guest Reimar]

Anyone here recommend any good rootkit scanners?

Make a long story short can't seem get microsoft firewall, update, security center ect to remain enabled. Made appropriate registry deletions and they pop backup after a reboot. I beginning to think I've gotton some nasty rootkit infection.

May you also download the "Sophos Anti Rootkit 1.2".

But to be sure (as much as you ever will be able!) use the Hook Explorer to check your DLL files and so on. You can download this program from here: http://www.pcworld.com/downloads/file_down...1/download.html

Same as the Sophos Anti Rootkit, the Hook Explorer is Freeware.

Works well for me and has help me a lot in the past!

[farangsay]

Here ya go

I downloaded and ran this (RootkitRevealer) and am

puzzled by the result.

I get a final page with two cryptic lines on it and

the subscript "Scan complete 2 discrepancies found".

Now maybe I'm moronic (it has been said before)

but it is not obvious what to do.

Stuff like Avast/Spybot/AdAware etc finishes with

a kill/fix it button.

This just leaves you puzzled????

[cdnvic]

Here ya go

I downloaded and ran this (RootkitRevealer) and am

puzzled by the result.

I get a final page with two cryptic lines on it and

the subscript "Scan complete 2 discrepancies found".

Now maybe I'm moronic (it has been said before)

but it is not obvious what to do.

Stuff like Avast/Spybot/AdAware etc finishes with

a kill/fix it button.

This just leaves you puzzled????

It's not meant for the casual user. What discrepancies did you find?

If you have your data backed up it's sometimes easier to format and re-install.

Before you run Rootkit revealer it's important to shut down all programs first to avoid false positives.

[Jamie]

I was under the impression that even if you did find a rootkit, the only way to truly remove it was to do a reformat. Are these scanners able to fix the problem(s) now?

[cdnvic]

I was under the impression that even if you did find a rootkit, the only way to truly remove it was to do a reformat. Are these scanners able to fix the problem(s) now?

Depending on the rootkit there are fixes for some of them, but a reformat is the best way to be sure.

[Khleerm]

I was under the impression that even if you did find a rootkit, the only way to truly remove it was to do a reformat. Are these scanners able to fix the problem(s) now?

Depending on the rootkit there are fixes for some of them, but a reformat is the best way to be sure.

In that case, please suffer this naive question from a Mac guy, if a reformat is called for, is it possible to install the new OS on top of the old, without losing data? Or is it a case of the HDD will be wiped spic and span clean of data.

The reason I ask, is that in the case of Apple's OS X we can just do a new install right over the top of the old [so to speak] whereby all the old User account files are shunted over to and preserved to the side of the new formatted drive. [Done so that if something goes amiss the old stuff is still accessible]

Edited January 20, 2007 by Khleerm

[cdnvic]

The idea is to get the drive completely clean so it involves wiping the disk, data and all. A rootkit can fool an OS into thinking just about anything. Fortunately there aren't any Mac rootkits in the wild that I know of. Although there are unix variants that it may be vulnerable to but I doubt it.

[Hmmm]

Recent rootkit detector reviews

http://www.pcworld.com/article/id,126117/article.html

[RedCardinal]

Webroot Spy Sweeper is generally one of the best anti spyware proggies. It does scan for rootkits also.

Some of the better AV apps (NOD32, Kaspersky) might also help. I think they might even offer 30 day trials (don't quote me).

The Systernals app (updated by Microsoft who bought Systernals) is definitely not for the novice. If you want another RK scanner try www.f-secure.com/blacklight/

[farangsay]

Here ya go

I downloaded and ran this (RootkitRevealer) and am

puzzled by the result.

I get a final page with two cryptic lines on it and

the subscript "Scan complete 2 discrepancies found".

Now maybe I'm moronic (it has been said before)

but it is not obvious what to do.

Stuff like Avast/Spybot/AdAware etc finishes with

a kill/fix it button.

This just leaves you puzzled????

It's not meant for the casual user. What discrepancies did you find?

If you have your data backed up it's sometimes easier to format and re-install.

Before you run Rootkit revealer it's important to shut down all programs first to avoid false positives.

Sorry for delay in replying but I wanted to run it again totally solo.

I even pulled the LAN plug and shut down the firewall.

This is what I got :

HKLM\SECURITY\Policy\Secrets\SAC*

HKLM\SECURITY\Policy\Secrets\SAI*

Tell me straight doc , is it bad ?

[cdnvic]

HKLM\SECURITY\Policy\Secrets\SAC*

HKLM\SECURITY\Policy\Secrets\SAI*

Tell me straight doc , is it bad ?

Nope, it's just scanning your security hive and will always give those two returns.

Rest easy

[farangsay]

HKLM\SECURITY\Policy\Secrets\SAC*

HKLM\SECURITY\Policy\Secrets\SAI*

Tell me straight doc , is it bad ?

Nope, it's just scanning your security hive and will always give those two returns.

Rest easy

Thanx Doc

[BkkAnimalover]

F-Secure Internet Security do it well is complete and user friendly , the trial ( 60 days ) is available on the website

[cdnvic]

F-Secure Internet Security do it well is complete and user friendly , the trial ( 60 days ) is available on the website

I've been through their site and see nothing about dealing with rootkits, which are a whole different animal than spyware and viruses. (Which F-secure does a decent job of dealing with)

[Oleg_Rus]

What root kit might do on some PC ?

on servers - ok - to get root access, but on some poor fella notebook who already logged without any admin pass?

[sabajja]

Well, a remote user can use the vulnerability caused by the rootkit to do all kinds of nasty things.

Take control of your machine, feed you spyware, keyloggers, scan for credit card details etc etc.

No Antivirus or conventional spyware removal tool would be helpful either.

As the rootkit effectively hides itself from the system.

It's "superhidden" to use a simple term.

A real pain in the butt.

Edited January 24, 2007 by sabajja

[cdnvic]

A good anaology is that while spyware and viruses are like a sickness, rootkits are like a mental illness. Your computer can be doing all kinds of bad things but it thinks everything is just fine. The part of the system that interprets what is happening is told to ignore anything the rootkits tells it to.

Sort of like the Jedi mind trick.

Antivirus: Look, some malware!

Rootkit: You don't see any malware, everything is just fine.

Antivirus: I don't see anything. Everything is just fine.

[scottie dog]

A good anaology is that while spyware and viruses are like a sickness, rootkits are like a mental illness. Your computer can be doing all kinds of bad things but it thinks everything is just fine. The part of the system that interprets what is happening is told to ignore anything the rootkits tells it to.

Sort of like the Jedi mind trick.

Antivirus: Look, some malware!

Rootkit: You don't see any malware, everything is just fine.

Antivirus: I don't see anything. Everything is just fine.

please excuse my ignorance but I have the following questions:-

1. What is a rootkit

2. How do you get it

3. Who/what is vulnerable to it

[cdnvic]

A rootkit is a hypervisor that gets inserted into the kernal (brain) of your operating system. It acts as explained in the post above to take control of your system at the base level and fool the system's defenses into thinking everything is alright. They also re-install malware that has been deleted by AV and antispyware.

They spread by infected email attachments, in program cracks, and are embedded into pirate operating systems.

It takes specialized programs to detect and remove them. Reformatting is usually the only 100% sure way to remove them.