Root Kit

Posted on 2006-11-17
Last Modified: 2013-12-04
I think I have a root kit on my machine. A friend recommended "Root-Kit Unhooker", but I am afraid that when I use it I may remove the wrong file and damage my machine. Can someone help?
Question by:Vast41
23 Comments
 
LVL 97

Expert Comment

by:war1
ID: 17970663
Greetings, Vast41 !

Use Rootkit Revealer or Blacklight

Rootkit Revealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html
or
F-Secure Blacklight
http://www.f-secure.com/blacklight/


Best wishes!
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 17970664
Never used it - I'd suggest RootKitRevealer or Sophos Root Kit utility.  But no product SHOULD remove anything without asking you if you want to remove it.
 

Author Comment

by:Vast41
ID: 17970667
I am told Root-Kit Unhooker is the best out there. Are the ones you recommended here just as good? I just want all traces of a root kit removed. Am I in the right topic area, please?
 

Author Comment

by:Vast41
ID: 17970668
If I use RootKitRevealer, how will I know what to remove? Is it possible to get some help if I have a problem?
 
LVL 97

Expert Comment

by:war1
ID: 17970674
Vast41,

You are in the right topic area. I am unfamiliar with Rootkit Unhooker. I know that Rootkit Revealer or Blacklight will identify a rootkit for you to remove.
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 17970677
I've also not heard of RootKit Unhooker - who is this mystical person telling you what to do - you don't trust them or you wouldn't be checking here...
 

Author Comment

by:Vast41
ID: 17970681
Well war1, in the help section of RootKit Revealer it does not seem that easy; it states the following: "You should examine all discrepancies and determine the likelihood that they indicate the presence of a rootkit. Unfortunately, there is no definitive way to determine, based on the output, if a rootkit is present, but you should examine all reported discrepancies to ensure that they are explainable. If you determine that you have a rootkit installed, search the web for removal instructions. If you are unsure as to how to remove a rootkit you should reformat the system's hard disk and reinstall Windows."

Now Leew... this is someone who helped me with a PC problem in the past and seems to know a little about computers. However, I am a premium member here and I like to see what the experts say here...
 

Author Comment

by:Vast41
ID: 17970929
Ok, I guess I have to increase the point value because nobody is replying. So, can somebody tell me what to do with files that I found hooked with RootKit Unhooker? It found a lot more than RootKit Revealer did!
 
LVL 97

Expert Comment

by:war1
ID: 17971715
Vast41,

Just because Rootkit Unhooker found more items, it does not mean those items are rootkit. If you delete the wrong one, you will disable your Windows system.

Show us your Rootkit Revealer log, and I can look through your files hidden from Windows API.  What Rootkit Revealer is saying is that it is not easy to find and delete a rootkit.
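The "files hidden from Windows API" that war1 mentions are what RootkitRevealer's "discrepancies" are: differences between what the Windows API reports and what a raw scan of the disk structures shows. The following is an added illustration, not part of the thread and not RootkitRevealer's own code; it runs that cross-view comparison over constructed sample listings and shows why each discrepancy still needs triage before anything is deleted.

```python
"""Cross-view comparison, the idea behind RootkitRevealer's "discrepancies".

Added example (not part of the thread, not RootkitRevealer's code). A rootkit
that hooks the Windows API can hide a file from a normal directory listing,
but a raw scan of the on-disk structures still sees it; comparing the two
views surfaces whatever is hidden from the API. Each discrepancy then needs
triage, since benign causes exist (files changed between the two passes, NTFS
metadata files the API never shows). All listings below are constructed.
"""
from dataclasses import dataclass

# Raw scan sees these, API never reports them: expected, not a rootkit (constructed).
KNOWN_BENIGN = frozenset({r"C:\$MFT", r"C:\$LogFile", r"C:\$Bitmap"})

@dataclass(frozen=True)
class Finding:
    path: str
    kind: str        # "hidden_from_api", "size_mismatch" or "api_only"
    transient: bool  # True if the path is known to change between passes

def compare_views(api_view, raw_view, transient=frozenset()):
    """One Finding per entry on which the views disagree. Both views map
    path -> size in bytes; transient holds paths (logs, temp files) whose
    differences are explained by timing rather than hiding."""
    findings = []
    for path, size in raw_view.items():
        if path in KNOWN_BENIGN:
            continue
        if path not in api_view:
            findings.append(Finding(path, "hidden_from_api", path in transient))
        elif api_view[path] != size:
            findings.append(Finding(path, "size_mismatch", path in transient))
    for path in api_view:
        if path not in raw_view:
            findings.append(Finding(path, "api_only", path in transient))
    return findings

def unexplained(findings):
    """Discrepancies still needing an explanation once timing noise is set aside."""
    return [f for f in findings if not f.transient]

# Constructed sample data: the same folder tree seen through the API and raw.
API_VIEW = {r"C:\WINDOWS\system32\kernel32.dll": 984064,
            r"C:\WINDOWS\system32\drivers\etc\hosts": 734,
            r"C:\WINDOWS\Temp\app.log": 1200}
RAW_VIEW = dict(API_VIEW)
RAW_VIEW[r"C:\WINDOWS\Temp\app.log"] = 1290                          # grew between passes
RAW_VIEW[r"C:\WINDOWS\system32\drivers\example_hidden.sys"] = 18432  # hidden from the API
RAW_VIEW[r"C:\$MFT"] = 262144                                        # NTFS metadata, benign
```

Only the entry that is both invisible to the API and not explainable by timing survives `unexplained()`; that is the one an analyst would investigate further rather than delete on sight.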
 

Author Comment

by:Vast41
ID: 17972905
Ok War1, Rootkit Revealer found three entries, but this other site I use recommended Blacklight as you did, and I ran it and it found nothing. I have since uninstalled Rootkit Revealer. SO, my question is: is my machine ok, or safe?
 
LVL 97

Expert Comment

by:war1
ID: 17973378
Why did you think you have a rootkit? If the symptoms of the problem are gone, yes, you have gotten the rootkit.

Author Comment

by:Vast41
ID: 17973804
I was not sure if I had a rootkit; I allowed my Firewall to have a file I did not recognize installed and I got scared. Wanted to cover all bases. Thanks for volunteering to read the results of Rootkit Revealer, you deserve these points.
 
LVL 1

Expert Comment

by:pccpr
ID: 17983085
I predict that ...clean data, back it up, wipe and reload will ultimately be the accepted answer.

Just my opinion...but so far it has (with 20/20 hindsight) almost always been easier to use something like the Files and Settings Transfer Wizard to get data safely to one side, (and even a disk imaging program like Norton Ghost to put the whole thing on DVD) then wipe and reload Windows. This has a few benefits and drawbacks...such as

pros...
Known clean start, no second guessing anomalies later on

Cleans up "registry residue" from apps and devices and other junk (that you might otherwise be uncomfortable deleting), restoring fastest possible performance

Once you get a basic updated installation, make an image so you'll never hesitate to wipe in case of future infection or hardware failure.

In fact it almost always takes less time to reload than completely disinfect. Disinfecting for me means
- uninstall unneeded apps (and use Sysinternals Autoruns, and HijackThis)
- run CCleaner
- use DiskView or TreeSize to hunt down space wasters
- ghost remaining for safety
- run manufacturer's test program...and also look at SMART status indicators
- remove disk to known clean machine, scan with at least a half dozen antivirus and antispyware tools
- burn cleaned data to DVD
- reinstall and attempt booting in original machine
- reinstall and correct damaged / corrupted files
- reinstall protection software
- redo all updates
- retest function of all used features
- burn working image

And that doesn't address rootkits...which means more tools, more tests and not nearly as easy or quick as the spyware and malware tools to use or interpret.
--

Cons
You will be without the use of the computer for at least a few hours...possibly have issues with data transfer if you don't use mainstream software

PS  Locate and download ALL drivers and at least Windows SP2 to optical disk before you start.
 

Author Comment

by:Vast41
ID: 17983291
Pccpr, that's quite a lot. I cannot reinstall; I don't have an XP disk right now, plus I won't be able to replace some of the programs. I like War1's answer better, even though your answer is totally reassuring!
 
LVL 97

Expert Comment

by:war1
ID: 18568680
Vast41,

You thought you had a rootkit. We did a scan of your computer and showed you that you did not have a rootkit. Are there more questions?
 

Author Comment

by:Vast41
ID: 18568984
You did a scan of my computer? Please explain?
 
LVL 97

Expert Comment

by:war1
ID: 18572098
Vast41,

Rootkit Revealer and Blacklight found nothing according to your post Date:11/18/2006 - 03:32PM PST

You do not have a rootkit. Rootkit Unhooker gave you a false positive.
 

Author Comment

by:Vast41
ID: 18640862
war1, I am fine, thanks for your input. I am trying to close this question now; I found the solution through forums other than this one. Thanks.
 
LVL 97

Expert Comment

by:war1
ID: 18642211
Vast41, I am curious. What is the solution that you found?
 

Author Comment

by:Vast41
ID: 18646491
A friend of my wife's who is an IT Tech came over and physically examined our machine, and I am comfortable with his findings in that I do not have a rootkit. As far as the semantics of his examination, I cannot tell you because I was not watching.
 
LVL 97

Accepted Solution

by:
war1 earned 250 total points
ID: 18647333
Vast41,

You originally wrote, "...i found the solution through forums other then this one thanks."  Date:03.02.2007 at 06:29AM PST

Now you write, "...an IT Tech came over and physically examined our machine and i am comfortable with his findings in that i do not have a rootkit." Date:03.03.2007 at 12:55AM PST

The latter is what I did with Rootkit Revealer and Blacklight and declared your computer clean. Date:03.03.2007 at 12:55AM PST
 

Author Comment

by:Vast41
ID: 18649669
I did scan my machine with Rootkit Revealer and Blacklight; I also had an IT tech look over my machine. When I stated "i found the soulution through forums other then this one" I misspoke; I meant that I found a solution that I personally was very comfortable with (being the IT Tech). However, war1, I feel you should take the points, but unfortunately I cannot accept your answer; the forum denies me that opportunity, probably because I am not a member at this time. I am truly sorry for this misunderstanding, and if you see me post a question in this forum again (and I will) I hope you give your expert advice so I can award you points.