Solved

Root Kit

Posted on 2006-11-17
23
512 Views
Last Modified: 2013-12-04
I think I have a Root Kit on my machine. A friend recommended "Root-Kit Unhooker", but I am afraid that when I use it I may remove the wrong file and damage my machine. Can someone help?
0
Comment
Question by:Vast41
23 Comments
 
LVL 97

Expert Comment

by:war1
ID: 17970663
Greetings, Vast41 !

Use Rootkit Revealer or Blacklight

Rootkit Revealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html
or
F-Secure Blacklight
http://www.f-secure.com/blacklight/


Best wishes!
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 17970664
Never used it - I'd suggest RootKitRevealer or the Sophos Root Kit utility. But no product SHOULD remove anything without asking you if you want to remove it.
0
 

Author Comment

by:Vast41
ID: 17970667
I am told Root-Kit Unhooker is the best out there. Are the ones you recommended here just as good? I just want all traces of a Root Kit removed. Am I in the right topic area, please?
0
 

Author Comment

by:Vast41
ID: 17970668
If I use RootKitRevealer, how will I know what to remove? Is it possible to get some help if I have a problem?
0
 
LVL 97

Expert Comment

by:war1
ID: 17970674
Vast41,

You are in the right topic area. I am unfamiliar with Rootkit Unhooker. I know that Rootkit Revealer or Blacklight will identify rootkits for you to remove.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 17970677
I've also not heard of RootKit Unhooker - who is this mystical person telling you what to do - you don't trust them or you wouldn't be checking here...
0
 

Author Comment

by:Vast41
ID: 17970681
Well war1, in the help section of RootKit Revealer it does not seem that easy; it states the following: "You should examine all discrepancies and determine the likelihood that they indicate the presence of a rootkit. Unfortunately, there is no definitive way to determine, based on the output, if a rootkit is present, but you should examine all reported discrepancies to ensure that they are explainable. If you determine that you have a rootkit installed, search the web for removal instructions. If you are unsure as to how to remove a rootkit you should reformat the system's hard disk and reinstall Windows."

Now Leew... this is someone who helped me with a PC problem in the past and seems to know a little about computers. However, I am a premium member here and I like to see what the experts say here...
0
 

Author Comment

by:Vast41
ID: 17970929
Ok, I guess I have to increase the point value cause nobody is replying, so, can somebody tell me what to do with files that I found hooked with RootKit Unhooker? It found a lot more than RootKit Revealer did!
0
 
LVL 97

Expert Comment

by:war1
ID: 17971715
Vast41,

Just because Rootkit Unhooker found more items, it does not mean those items are rootkits. If you delete the wrong one, you will disable your Windows system.

Show us your Rootkit Revealer log, and I can look through your files hidden from the Windows API. What Rootkit Revealer is saying is that it is not easy to find and delete a rootkit.
0
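The Rootkit Revealer help text quoted earlier in this thread says the tool only reports discrepancies between the Windows API view and the raw on-disk view, and that each one has to be examined and explained rather than deleted on sight, which is also the point war1 makes above. The script below is an added example, not code from the thread or from Sysinternals: it parses a constructed log in an assumed tab-separated layout (path, timestamp, size, description), sorts the entries into a review order, and attaches a reason for that order. The triage rules, the sample entries and the file patterns treated as scan-time churn are all illustrative assumptions; the output is a reading order for a human, not a removal list.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in an assumed RootkitRevealer-style layout: four
# tab-separated fields per line. None of these entries come from the thread.
SAMPLE_LOG = """\
HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\t11/18/2006 3:32 PM\t0 bytes\tKey name contains embedded nulls (*)
HKLM\\SYSTEM\\CurrentControlSet\\Services\\examplesvc\t11/18/2006 3:33 PM\t0 bytes\tHidden from Windows API.
C:\\WINDOWS\\system32\\examplesvc.sys\t11/18/2006 3:33 PM\t24.00 KB\tHidden from Windows API.
C:\\WINDOWS\\system32\\config\\software.LOG\t11/18/2006 3:34 PM\t1.00 MB\tHidden from Windows API.
C:\\WINDOWS\\Prefetch\\EXAMPLE.EXE-12345678.pf\t11/18/2006 3:35 PM\t12.00 KB\tVisible in Windows API, but not in MFT or directory index.
"""

# Assumed patterns for files that legitimately change while a scan is running;
# a discrepancy that disappears on a rescan of these is usually explainable.
TRANSIENT_FILE_PATTERNS = [
    re.compile(r"\\system32\\config\\.*\.LOG$", re.I),  # registry hive transaction logs
    re.compile(r"\\Prefetch\\.*\.pf$", re.I),           # prefetch files written by the OS
    re.compile(r"\\Temp\\", re.I),                      # scratch files
]


@dataclass
class Discrepancy:
    path: str
    timestamp: str
    size: str
    description: str


def parse_log(text: str) -> List[Discrepancy]:
    """Split each non-empty line into the four assumed tab-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 4:
            raise ValueError(f"unexpected line layout: {line!r}")
        entries.append(Discrepancy(*parts))
    return entries


def triage(d: Discrepancy) -> Tuple[int, str]:
    """Return (priority, reason): 1 = look at first, 3 = usually explainable.
    These rules are a first-pass assumption, not a verdict on any entry."""
    desc = d.description.lower()
    is_registry = d.path.upper().startswith(("HKLM", "HKCU", "HKU", "HKCR"))
    if "embedded nulls" in desc:
        return (3, "registry key with embedded nulls; often created by legitimate "
                   "software, so identify the owning product before going further")
    if "hidden from windows api" in desc:
        if is_registry and "\\services\\" in d.path.lower():
            return (1, "hidden service key: review the service's image path and driver")
        if not is_registry and any(p.search(d.path) for p in TRANSIENT_FILE_PATTERNS):
            return (3, "file that changes during a scan; rescan and see if it persists")
        if not is_registry and d.size != "0 bytes":
            return (1, "hidden file with content: compare its hash with a known-good "
                       "copy before deciding anything")
        return (2, "hidden object with no obvious explanation; inspect manually")
    if "not in mft" in desc:
        return (3, "visible to the API but absent from the on-disk index; "
                   "typically a file created while the scan ran")
    return (2, "unclassified discrepancy; inspect manually")


def triage_log(text: str) -> List[Tuple[int, str, str]]:
    """Parse the log and return (priority, path, reason) rows, most urgent first.
    The sort is stable, so entries with equal priority keep their log order."""
    rows = []
    for d in parse_log(text):
        prio, reason = triage(d)
        rows.append((prio, d.path, reason))
    rows.sort(key=lambda r: r[0])
    return rows


if __name__ == "__main__":
    for prio, path, reason in triage_log(SAMPLE_LOG):
        print(f"[{prio}] {path}\n    {reason}")
```

Run against the constructed sample, the two entries that name the same hypothetical service (its hidden Services key and its hidden driver file) come out first, while the hive log, the prefetch file and the embedded-null key sort to the bottom as things to explain rather than act on.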
 

Author Comment

by:Vast41
ID: 17972905
Ok War1, Rootkit Revealer found three entries, but this other site I use recommended Blacklight as you did, and I ran it and it found nothing. I have since uninstalled Rootkit Revealer. SO, my question is: is my machine ok, or safe?
0
 
LVL 97

Expert Comment

by:war1
ID: 17973378
Why did you think you have a rootkit? If the symptoms of the problem are gone, yes, you have gotten the rootkit.
0
 

Author Comment

by:Vast41
ID: 17973804
I was not sure if I had a rootkit; I allowed my Firewall to have a file I did not recognize installed and I got scared. Wanted to cover all bases. Thanks for volunteering to read the results of Rootkit Revealer, you deserve these points.
0
 
LVL 1

Expert Comment

by:pccpr
ID: 17983085
I predict that ...clean data, back it up, wipe and reload will ultimately be the accepted answer.

Just my opinion... but so far it has (with 20/20 hindsight) almost always been easier to use something like the Files and Settings Transfer Wizard to get data safely to one side (and even a disk imaging program like Norton Ghost to put the whole thing on DVD), then wipe and reload Windows. This has a few benefits and drawbacks... such as

Pros...
Known clean start, no second guessing anomalies later on

Cleans up "registry residue" from apps and devices and other junk (that you might otherwise be uncomfortable deleting), restoring fastest possible performance

Once you get a basic updated installation, make an image so you'll never hesitate to wipe in case of future infection or hardware failure.

In fact it almost always takes less time to reload than completely disinfect. Disinfecting for me means
- uninstall unneeded apps (and use Sysinternals Autoruns, and HijackThis)
- run CCleaner
- use DiskView or TreeSize to hunt down space wasters
- ghost remaining for safety
- run manufacturer's test program... and also look at SMART status indicators
- remove disk to known clean machine, scan with at least a half dozen antivirus and antispyware tools
- burn cleaned data to DVD
- reinstall and attempt booting in original machine
- reinstall and correct damaged / corrupted files
- reinstall protection software
- redo all updates
- retest function of all used features
- burn working image

And that doesn't address rootkits... which means more tools, more tests, and not nearly as easy or quick to use or interpret as the spyware and malware tools.
--

Cons
You will be without the use of the computer for at least a few hours... possibly have issues with data transfer if you don't use mainstream software

PS  Locate and download ALL drivers and at least Windows SP2 to optical disk before you start.
0
 

Author Comment

by:Vast41
ID: 17983291
Pccpr, that's quite much. I cannot reinstall, I don't have the XP disk right now, plus I won't be able to replace some of the programs I like. War1's answer is better, even though your answer totally is reassuring!
0
 
LVL 97

Expert Comment

by:war1
ID: 18568680
Vast41,

You thought you had a rootkit. We did a scan of your computer and showed you that you did not have a rootkit. Is there more question?
0
 

Author Comment

by:Vast41
ID: 18568984
You did a scan of my computer? Please explain?
0
 
LVL 97

Expert Comment

by:war1
ID: 18572098
Vast41,

Rootkit Revealer and Blacklight found nothing according to your post Date:11/18/2006 - 03:32PM PST

You do not have a rootkit. Rootkit Unhooker gave you a false positive.
0
 

Author Comment

by:Vast41
ID: 18640862
war1, I am fine, thanks for your input. I am trying to close this question now; I found the solution through forums other than this one, thanks.
0
 
LVL 97

Expert Comment

by:war1
ID: 18642211
Vast41, I am curious. What is the solution that you found?
0
 

Author Comment

by:Vast41
ID: 18646491
A friend of my wife's who is an IT Tech came over and physically examined our machine, and I am comfortable with his findings in that I do not have a rootkit. As far as the semantics of his examination, I cannot tell you cause I was not watching.
0
 
LVL 97

Accepted Solution

by:
war1 earned 250 total points
ID: 18647333
Vast41,

You originally wrote, "...i found the solution through forums other then this one thanks."  Date:03.02.2007 at 06:29AM PST

Now you write, "...an IT Tech came over and physically examined our machine and i am comfortable with his findings in that i do not have a rootkit." Date:03.03.2007 at 12:55AM PST

The latter is what I did with Rootkit Revealer and Blacklight and declared your computer clean. Date:03.03.2007 at 12:55AM PST
0
 

Author Comment

by:Vast41
ID: 18649669
I did scan my machine with Rootkit Revealer and Blacklight; I also had an IT tech look over my machine. When I stated "i found the solution through forums other then this one" I misspoke; I meant that I found a solution that I personally was very comfortable with (being the IT Tech). However war1, I feel you should take the points, but unfortunately I cannot accept your answer, the forum denies me that opportunity, probably cause I am not a member at this time. I am truly sorry for this misunderstanding, and if you see me post a question in this forum again (and I will) I hope you give your expert advice so I can award you points.
0
