SweetNoob (Anon, @optonline.net) to SweetNoob

Re: Do not forget about rootkits.

upon further research it seemed to be part of the ijji game reactor program...i uninstalled it months ago and this little rootkit remained.

why do people even attempt a clean up after their system has been compromised? just format, reinstall, don't copy any files left over from the infected machine, change passwords and avoid what led to the infection

also i heard gmer is the worst anti rootkit.

TheJoker (MVM, join:2001-04-26, Charlottesville, VA)
3 recommendations

said by SweetNoob:

why do people even attempt a clean up after their system has been compromised? just format, reinstall...

Why don't people just fully backup so they don't have to format and reinstall? To some people, it's not convenient because it won't happen to them.

Elite (Member, "Kiss My Ass", join:2002-10-03, New Haven, CT) to SweetNoob

said by SweetNoob:

upon further research it seemed to be part of the ijji game reactor program...i uninstalled it months ago and this little rootkit remained.

why do people even attempt a clean up after their system has been compromised? just format, reinstall, don't copy any files left over from the infected machine, change passwords and avoid what led to the infection

also i heard gmer is the worst anti rootkit.

It's two different schools of thought. One could extend the reformat argument to things like simple spyware or well documented and easily removable trojans.

Oddly, for many years though, I was very against this idea. I preferred to manually yank rootkits out if there was no damage to core operating system files beyond reasonable repair. During the height of the Windows XP rootkit saga, Rootkit Unhooker was plenty capable of removing every in-the-wild rootkit with relative ease. Unfortunately, the author of RkU hasn't updated the public version in a very long time, but the rootkits have continued evolving.

Contrarily, on a Linux system, I have always felt that if the machine were rootkitted, the entire OS should be immediately re-installed. Today, I would probably follow this philosophy with Windows as well, because Windows Vista/7/8 re-install much quicker and easier than shitty Windows XP.

If you do take the re-install route, you can back things up, but only things that you're certain weren't part of the infection vector/potentially infected. I would have no qualms about backing up my music, pictures, documents, etc after a rootkit as long as I knew the infection wasn't a mass file infector.

Lastly... a few words about GMER. GMER was recently updated for x64 support, including Windows 8. It's one of very few standalone anti-rootkit tools that still exist and receive updates, as well as have x64 and Windows 8 support.

Back in the day, however, there was quite a bit of GMER bashing. GMER had *good* detection, but it was bypassed from time to time, and then eventually updated. I would imagine it would detect and remove mostly everything in the wild today, but that's just my guess and I truthfully have no idea. For all I know, it could have insanely crappy detection (or none at all) for some of the more advanced rootkits. Kaspersky's AV engine has always had pretty excellent detection and removal capabilities, and MSE's scanning engine is regularly updated to support detection and removal of newer rootkits... though I've had mixed results with it over the past few years while using it in practice. TdssKiller (by Kaspersky) has found TDL4 MBR infections that MSE has missed on several occasions. Hitman Pro, for a while, had very excellent rootkit detection, and still probably does. Malwarebytes has probably improved their rootkit detection enormously. Avast uses GMER technology (whatever the hell that means). ESET's rootkit detection was a mixed bag for a while... not sure if it ever improved. Likely, it did.

Bottom line: If you are using Windows, use an x64 version, preferably Windows 8, to be the least likely to be infected with a rootkit. Unfortunately, I don't know if there's currently anything in the wild that infects x64 Windows 8. I do know there are working x64 Windows 7 rootkits... several of them, attacking mostly the MBR (and probably *all* detected by Tdsskiller). For best results, use *everything* and/or reformat.

NOYB (Premium Member, "St. John 3.16", join:2005-12-15, Forest Grove, OR) to TheJoker

said by TheJoker:

said by SweetNoob:

why do people even attempt a clean up after their system has been compromised? just format, reinstall...

Why don't people just fully backup so they don't have to format and reinstall? To some people, it's not convenient because it won't happen to them.

Unless the infection is discovered and remedied before the next backup then the backup and any restore from the backup is also now suspect.

siljaline (Premium Member, "I'm lovin' that double wide", join:2002-10-12, Montreal, QC) to TheJoker

I use my WD external for backups in the event of a nasty infection like this.

TheJoker (MVM, join:2001-04-26, Charlottesville, VA) to NOYB

said by NOYB:

said by TheJoker:

Why don't people just fully backup so they don't have to format and reinstall? To some people, it's not convenient because it won't happen to them.

Unless the infection is discovered and remedied before the next backup then the backup and any restore from the backup is also now suspect.

Depends on how far your backup archive goes; I have backups on CD/DVD/BD-R going back years to Windows XP.

psloss (Premium Member, join:2002-02-24) to Elite

said by Elite:

said by SweetNoob:

upon further research it seemed to be part of the ijji game reactor program...i uninstalled it months ago and this little rootkit remained.

why do people even attempt a clean up after their system has been compromised? just format, reinstall, don't copy any files left over from the infected machine, change passwords and avoid what led to the infection

also i heard gmer is the worst anti rootkit.

It's two different schools of thought. One could extend the reformat argument to things like simple spyware or well documented and easily removable trojans.

Don't disagree with the point, but it's more than two schools -- one size still does not fit all. There's a variety of rootkits/rootkit behaviors and a variety of other environmental variables (like hardware, firmware, file system, operating system, physical environment). The approach one takes could factor in several of those.

DrStrange (Premium Member, "Technically feasible", join:2001-07-23, Bristol, CT) to Elite

Whenever I've run GMER on a rooted machine, it's found the rootkit, with one exception.

There was one version of TDL that was initially invisible to GMER, but GMER was updated when this TDL rootkit was discovered. The updated GMER was able to find and remove the rootkit.

If you really want to clean a rooted machine instead of formatting, treat it like it's still rooted until you've played with it for a few days on its very own subnet while a packet sniffer is running on a known clean machine.
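Turning the isolate-and-sniff approach above into a repeatable check, as an added example that is not part of the thread: a Python script that reads constructed connection summaries from the sniffer on the clean monitoring box, flags any flow from the quarantined host to a destination outside a quarantine allow-list, and looks for destinations contacted at a regular interval. The capture line format, the host and subnet addresses (RFC 5737 documentation ranges), and the allow-list are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sniffer output (not from the thread): one line per observed
# connection, in the summary form assumed for this example:
# "<epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_CAPTURE = """\
1700000000 192.168.50.10:49152 -> 192.168.50.1:53 udp
1700000001 192.168.50.10:49153 -> 192.0.2.10:80 tcp
1700000060 192.168.50.10:49160 -> 198.51.100.23:443 tcp
1700000120 192.168.50.10:49171 -> 198.51.100.23:443 tcp
1700000180 192.168.50.10:49180 -> 198.51.100.23:443 tcp
1700000240 192.168.50.10:49199 -> 198.51.100.23:443 tcp
1700000300 192.168.50.10:49201 -> 203.0.113.77:6667 tcp
"""

# Hypothetical quarantine policy for the suspect host's own subnet.
SUSPECT_HOST = "192.168.50.10"
ALLOWED_DESTS = {
    ("192.168.50.1", 53),   # the subnet's resolver
    ("192.0.2.10", 80),     # placeholder for a vendor update host
}

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse_capture(text):
    """Parse capture summary lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": int(m["ts"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"],
        })
    return flows

def unexpected_flows(flows, host=SUSPECT_HOST, allowed=ALLOWED_DESTS):
    """Flows from the quarantined host to anything not on the allow-list."""
    return [f for f in flows
            if f["src"] == host and (f["dst"], f["dport"]) not in allowed]

def beacon_candidates(flows, host=SUSPECT_HOST, min_hits=3, tolerance=5):
    """Destinations the host contacts at a near-constant interval (seconds).
    A regular cadence deserves a closer look, but a legitimate updater or
    NTP client can look the same; the analyst still makes the call."""
    by_dst = defaultdict(list)
    for f in flows:
        if f["src"] == host:
            by_dst[(f["dst"], f["dport"])].append(f["ts"])
    out = {}
    for key, stamps in by_dst.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            out[key] = round(sum(gaps) / len(gaps))
    return out

def triage(text):
    """Summarise what the sniffer saw from the quarantined host."""
    flows = parse_capture(text)
    return {
        "unexpected": [(f["dst"], f["dport"]) for f in unexpected_flows(flows)],
        "beacons": beacon_candidates(flows),
    }

if __name__ == "__main__":
    report = triage(SAMPLE_CAPTURE)
    for dst, port in report["unexpected"]:
        print(f"unexpected: {dst}:{port}")
    for (dst, port), period in report["beacons"].items():
        print(f"beacon-like: {dst}:{port} every ~{period}s")
```

The point of running this for a few days rather than a few minutes is the cadence check: a periodic call-out to a single unexpected address is the kind of thing a "clean" machine should never produce, and it only shows up when the capture window is long enough to contain several repetitions.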

no rootkits (Anon, @comcast.net) to DrStrange

My only problem with that is how would you ever really know if Gmer just can't detect a type of Rootkit and has therefore never been able to report it. Scanning from outside of Windoze is a safer bet imho. Or do both. I wouldn't rely on a program like Gmer alone.
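Elite mentions TDL4-style MBR infections and the reply above argues for scanning from outside Windows. One concrete form of that offline check, as an added example and not something from the thread or from any of the tools it names, is to read the disk's first sector from a known-clean system and compare it with a baseline recorded before the incident. The 512-byte image below is constructed inside the script rather than read from a real disk, and the baseline hash is simply whatever the constructed "clean" image produces; the field layout follows the classic MBR format (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446      # bytes 0..445: boot code, the part a bootkit overwrites
PTABLE_OFF = 446         # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510      # two-byte boot signature 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(bootcode_seed=b"CONSTRUCTED-SAMPLE-BOOTCODE"):
    """Constructed 512-byte MBR image (not a real disk): repeated fake boot
    code, one bootable NTFS-type partition entry, and a valid signature."""
    reps = BOOTSTRAP_LEN // len(bootcode_seed) + 1
    boot = (bootcode_seed * reps)[:BOOTSTRAP_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 204800)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return boot + table + b"\x55\xAA"

def parse_mbr(data):
    """Return signature status, hash of the boot code, and the partition table."""
    if len(data) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype == 0:
            continue                      # unused entry
        parts.append({"index": i, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[SIGNATURE_OFF:] == b"\x55\xAA",
        "bootstrap_sha256": hashlib.sha256(data[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": parts,
    }

def check_against_baseline(data, baseline_bootstrap_sha256):
    """Findings an offline check would raise: bad signature, boot code that no
    longer matches the hash recorded while the machine was known clean, or
    more than one active partition."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("multiple active partitions")
    return findings

if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["bootstrap_sha256"]   # recorded on the clean build
    tampered = bytearray(clean)
    tampered[0x10] ^= 0xFF                             # simulate overwritten boot code
    print("clean:", check_against_baseline(clean, baseline))
    print("tampered:", check_against_baseline(bytes(tampered), baseline))
```

On a real machine the sector would be read from a rescue system rather than from the running Windows install (for instance `open('/dev/sdX', 'rb').read(512)` on a Linux live CD, with the device name substituted), and the baseline hash has to be recorded before anything goes wrong. A legitimate bootloader update also changes the hash, so a mismatch is a lead for further investigation rather than a verdict, which is the same reason the poster above suggests running more than one tool.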