
SweetNoob

@optonline.net

Do not forget about rootkits.

I remember a program called RootRepeal from a while back on the Sysinternals forums.

I decided to use it for a test and what do you know...


Elite

join:2002-10-03
Orange, CT
RootRepeal was chock full of bugs and the author never continued the development. Maybe you should try the latest version of GMER. I'm guessing you're on Windows XP.
--
QUAD!!!!

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to SweetNoob
cool.. I haven't done a scan with "RootRepeal" in a while, though it used to be part of my regular scanning..

I would also do scans with "GMER", "aswMBR" and "TDSSKiller", to see if they flag anything, and ask for some help with removing any malware infections that you might have on your computer.. there are various forums where you can ask for help with removing malware from your computer..


chachazz
Premium
join:2003-12-14
kudos:9
said by redwolfe_98:

cool.. i haven't done a scan with "rootrepeal" in a while though it used to be part of my regular .. there are various forums where you can ask for help with removing malware from your computer..

like right here - »Security Cleanup


SweetNoob

@optonline.net
reply to SweetNoob
Upon further research it seemed to be part of the ijji game reactor program... I uninstalled it months ago and this little rootkit remained.

Why do people even attempt a cleanup after their system has been compromised? Just format, reinstall, don't copy any files left over from the infected machine, change passwords and avoid what led to the infection.

Also, I heard GMER is the worst anti-rootkit.


TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:6


said by SweetNoob:

Why do people even attempt a cleanup after their system has been compromised? Just format, reinstall...

Why don't people just fully backup so they don't have to format and reinstall? To some people, it's not convenient because it won't happen to them.
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010


Elite

join:2002-10-03
Orange, CT
reply to SweetNoob
said by SweetNoob:

Upon further research it seemed to be part of the ijji game reactor program... I uninstalled it months ago and this little rootkit remained.

Why do people even attempt a cleanup after their system has been compromised? Just format, reinstall, don't copy any files left over from the infected machine, change passwords and avoid what led to the infection.

Also, I heard GMER is the worst anti-rootkit.

It's two different schools of thought. One could extend the reformat argument to things like simple spyware or well documented and easily removable trojans.

Oddly, for many years though, I was very against this idea. I preferred to manually yank rootkits out if there was no damage to core operating system files beyond reasonable repair. During the height of the Windows XP rootkit saga, Rootkit Unhooker was plenty capable of removing every in-the-wild rootkit with relative ease. Unfortunately, the author of RkU hasn't updated the public version in a very long time, but the rootkits have continued evolving.

Contrarily, on a Linux system, I have always felt that if the machine were rootkitted, the entire OS should be immediately re-installed. Today, I would probably follow this philosophy with Windows as well, because Windows Vista/7/8 re-install much quicker and easier than shitty Windows XP.

If you do take the re-install route, you can back things up, but only things that you're certain weren't part of the infection vector/potentially infected. I would have no qualms about backing up my music, pictures, documents, etc after a rootkit as long as I knew the infection wasn't a mass file infector.

Lastly... a few words about GMER. GMER was recently updated for x64 support, including Windows 8. It's one of very few standalone anti-rootkit tools that still exist and receive updates, as well as have x64 and Windows 8 support.

Back in the day, however, there was quite a bit of GMER bashing. GMER had *good* detection, but it was bypassed from time to time, and then eventually updated. I would imagine it would detect and remove mostly everything in the wild today, but that's just my guess and I truthfully have no idea. For all I know, it could have insanely crappy detection (or none at all) for some of the more advanced rootkits. Kaspersky's AV engine has always had pretty excellent detection and removal capabilities, and MSE's scanning engine is regularly updated to support detection and removal of newer rootkits... though I've had mixed results with it over the past few years while using it in practice. TDSSKiller (by Kaspersky) has found TDL4 MBR infections that MSE has missed on several occasions. Hitman Pro, for a while, had very excellent rootkit detection, and still probably does. Malwarebytes has probably improved their rootkit detection enormously. Avast uses GMER technology (whatever the hell that means). ESET's rootkit detection was a mixed bag for a while... not sure if it ever improved. Likely, it did.

Bottom line: If you are using Windows, use an x64 version, preferably Windows 8, to be the least likely to be infected with a rootkit. Unfortunately, I don't know if there's currently anything in the wild that infects x64 Windows 8. I do know there are working x64 Windows 7 rootkits... several of them, attacking mostly the MBR (and probably *all* detected by TDSSKiller). For best results, use *everything* and/or reformat.
--
QUAD!!!!


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
reply to SweetNoob
I have been using Zemana for a while and really like it. For the most part, it remains silent, but it is definitely doing its job and rooting out baddies should it find one.


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
reply to TheJoker
said by TheJoker:

said by SweetNoob:

Why do people even attempt a cleanup after their system has been compromised? Just format, reinstall...

Why don't people just fully backup so they don't have to format and reinstall? To some people, it's not convenient because it won't happen to them.


Unless the infection is discovered and remedied before the next backup, the backup and any restore from the backup are also now suspect.

--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
reply to SweetNoob

UEFI Secure Boot Windows 8


no rootkits

@comcast.net
reply to SweetNoob
If you really want to know, use one of those bootable CD/DVDs to scan for rootkits from outside of Windoze.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:18
reply to TheJoker
I use my WD external for backups in the event of a nasty infection like this.


TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:6
reply to NOYB
said by NOYB:


said by TheJoker:

Why don't people just fully backup so they don't have to format and reinstall? To some people, it's not convenient because it won't happen to them.


Unless the infection is discovered and remedied before the next backup, the backup and any restore from the backup are also now suspect.

Depends how far your backup archive goes; I have backups on CD/DVD/BD-R going back years to Windows XP.

psloss
Premium
join:2002-02-24
reply to Elite
said by Elite:

said by SweetNoob:

Upon further research it seemed to be part of the ijji game reactor program... I uninstalled it months ago and this little rootkit remained.

Why do people even attempt a cleanup after their system has been compromised? Just format, reinstall, don't copy any files left over from the infected machine, change passwords and avoid what led to the infection.

Also, I heard GMER is the worst anti-rootkit.

It's two different schools of thought. One could extend the reformat argument to things like simple spyware or well documented and easily removable trojans.

Don't disagree with the point, but it's more than two schools -- one size still does not fit all. There's a variety of rootkits/rootkit behaviors and a variety of other environmental variables (like hardware, firmware, file system, operating system, physical environment). The approach one takes could take several of those into account.


DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1
reply to Elite
Whenever I've run GMER on a rooted machine, it's found the rootkit, with one exception.

There was one version of TDL that was initially invisible to GMER, but GMER was updated when this TDL rootkit was discovered. The updated GMER was able to find and remove the rootkit.

If you really want to clean a rooted machine instead of formatting, treat it like it's still rooted until you've played with it for a few days on its very own subnet while a packet sniffer is running on a known clean machine.
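The quarantine step DrStrange describes (the machine on its own subnet, a sniffer on a known-clean box) leaves you with a capture that someone has to read. As an added example, not code from this thread or from any of the tools named in it, this Python script reviews constructed tcpdump-style lines for the quarantined host (assumed address 192.168.50.10) and flags connections to destinations you did not deliberately cause, plus regular-interval repeats to one destination, which is how a surviving rootkit phoning home tends to look in a capture.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed tcpdump-style lines, as the sniffer on a known-clean machine might record
# them while the suspect host (192.168.50.10, an assumed address) sits on its own subnet.
# 93.184.216.34:80 is the one site deliberately visited during the test.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.50.10.49152 > 192.168.50.1.53: 1234+ A? example.com. (29)
12:00:01.200000 IP 192.168.50.10.49153 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
12:05:01.100000 IP 192.168.50.10.49160 > 198.51.100.7.8080: Flags [S], seq 2, win 64240, length 0
12:10:01.300000 IP 192.168.50.10.49170 > 198.51.100.7.8080: Flags [S], seq 3, win 64240, length 0
12:15:01.000000 IP 192.168.50.10.49181 > 198.51.100.7.8080: Flags [S], seq 4, win 64240, length 0
12:20:00.900000 IP 192.168.50.10.49190 > 198.51.100.7.8080: Flags [S], seq 5, win 64240, length 0
"""

# Only TCP SYNs (new outbound connections) matter here; DNS/UDP lines carry no Flags.
SYN_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)

def parse_syns(capture):
    # Returns (seconds since midnight, src_ip, dst_ip, dst_port) per SYN line.
    out = []
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        out.append((secs, m.group(2), m.group(3), int(m.group(4))))
    return out

def review_quarantine(capture, suspect, allowed, min_hits=4, jitter=0.2):
    """Flag connections from the suspect host you did not cause, and regular-interval
    repeats ("beacons"). Captures spanning midnight are not handled (timestamps wrap)."""
    by_dst = defaultdict(list)
    for secs, src, dst, port in parse_syns(capture):
        if src == suspect:
            by_dst[(dst, port)].append(secs)
    unexpected = sorted(k for k in by_dst if k not in allowed)
    beacons = []
    for key, times in by_dst.items():
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter * mean:
            beacons.append((key[0], key[1], round(mean, 1)))
    return {"unexpected": unexpected, "beacons": beacons}
```

Feed it a real `tcpdump -n` text capture taken from the clean machine and the allowlist of hosts you touched on purpose; anything left in `unexpected` or `beacons` is what the machine did on its own.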


no rootkits

@comcast.net
@ DrStrange

My only problem with that is, how would you ever really know if GMER just can't detect a type of rootkit and has therefore never been able to report it? Scanning from outside of Windoze is a safer bet imho. Or do both. I wouldn't rely on a program like GMER alone.