which tool to remove rootkits?

x509

Just wondering, since some of the lists of "recommended" rootkit tools include products that are no longer receiving updates.

 
If you've gotten to that point, best to just reinstall the OS and start over I think.
 
Parted Magic :D
WITH* Enhanced secure erase.
No later than 8/13
or you could try AVG free..
eh..I keep images.
I just lost 1 TB with some decent images on it :(
1 HDD failed.. I dropped the other.
 
If you really want to try Kaspersky Rescue Disc works well for me and Malwarebytes Anti-Rootkit. Personally I would just nuke the OS, since you never know if it's clean.
 
Backup info, boot from a windows install disk and remove the existing partitions and start over.
 
What is this? Dance lessons for minefield inhabitants?

Wipe the system!
 
I'll second the DBAN suggestion. Clean that puppy to the bone and start anew.
 
I'm gonna have to agree with previous suggestions. I know it sucks OP, but your best option here is to cut your losses with these buggers and just backup and wipe the disk and start over. :(
 
What is this? Dance lessons for minefield inhabitants?

Wipe the system!

This is at least the second thread this week about this, and I totally agree. If the system is infected you just wipe it.

An infected system can't be trusted, applications running on it can't be trusted (including security software). Cleaning from a rescue OS can not eradicate infections with any certainty.

Wipe and reinstall/reimage is the best and most certain remedy (and probably faster too).
 
If you are talking normal malware AND this is a home system I disagree. If we are talking about a rootkit, I agree you cannot trust the system is secure anymore short of DBANing (nuking) it.
 
If you are talking normal malware AND this is a home system I disagree. If we are talking about a rootkit, I agree you cannot trust the system is secure anymore short of DBANing (nuking) it.

OK, I'm the OP. I understand why you guys are saying nuke your system, but I'm also a work-for-myself consultant and it takes DAYS to rebuild my system (for which I can't charge a client, btw).

I asked this question because sometimes I get some "odd" behavior on some system in my home LAN, and I like to rule out an infection. Part of that process is running some rootkit detectors. (I haven't had an actual rootkit yet but ...)

But if guys here don't trust these tools, then they are useless. And then what do you do? DBAN and rebuild your system every day?

There has to be some middle ground where you (1) practice safe computing online, (2) have a reputable security suite on your system, (3) supplement the suite with your own handpicked tools.

Yes? No?
 
OK, I'm the OP. I understand why you guys are saying nuke your system, but I'm also a work-for-myself consultant and it takes DAYS to rebuild my system (for which I can't charge a client, btw).

I asked this question because sometimes I get some "odd" behavior on some system in my home LAN, and I like to rule out an infection. Part of that process is running some rootkit detectors. (I haven't had an actual rootkit yet but ...)

But if guys here don't trust these tools, then they are useless. And then what do you do? DBAN and rebuild your system every day?

There has to be some middle ground where you (1) practice safe computing online, (2) have a reputable security suite on your system, (3) supplement the suite with your own handpicked tools.

Yes? No?

If it takes days to rebuild your system that is a risk you need to manage now (as in develop a plan). It should take no more than a few hours at most to restore a system from scratch, much less if you're prepared for the eventuality. You should always have a plan for "oh shit" the system isn't working, is infected, the hardware blew up, Windows update crapped on my system, etc. Particularly if you depend on said system to run business.

It isn't as hard as you think it is to be prepared. Do a fresh install, OS patches, drivers, essential applications. It's a few hours' worth of work. Now take a system image. Next time you do this you just restore the image, takes 10 minutes. Then you restore your data from the backup strategy you should already have in place (right?) and you're good to go.

Absolutely do use preventive measures, do run antivirus, do run malware scans. Those things can prevent known attacks from taking hold, and they can also tip you off that something is wrong. A positive in memory, system file or bootloader detection always gets met with a nuke though.

It is standard practice in all the places I've worked that if a machine becomes compromised it gets nuked. You just don't mess around with it anymore, malware has become very sophisticated in the security software arms race.
 
I asked this question because sometimes I get some "odd" behavior on some system in my home LAN, and I like to rule out an infection.
Well, that is obviously a different scenario. The thread title reads like you know you got a rootkit. "Odd behavior" can be anything: misconfigured/buggy software, bad hardware, user error...

OK, I'm the OP. I understand why you guys are saying nuke your system, but I'm also a work-for-myself consultant and it takes DAYS to rebuild my system (for which I can't charge a client, btw).
Why would it take days to rebuild the system?

You really ought to have a disk image ready, especially if it's your work machine. It typically isn't a question IF your system breaks, just WHEN.

As a consultant, you may have sensitive client information and/or data on your system. So if you suspect foul play, you should definitely nuke the system!
 
OK, I'm the OP. I understand why you guys are saying nuke your system, but I'm also a work-for-myself consultant and it takes DAYS to rebuild my system (for which I can't charge a client, btw).

What the fuck am I reading? LOL.

You work for other people but because you can't charge _them_ to keep _your_ environment clean, you just keep using a buggy/compromised/WTFever system?

You can't be serious.
 
What the fuck am I reading? LOL.

You work for other people but because you can't charge _them_ to keep _your_ environment clean, you just keep using a buggy/compromised/WTFever system?

You can't be serious.

Yes I am serious, and I kind of resent your tone here. For starters I keep all my data on a separate D drive, so WHEN the OS goes down, I don't have to worry about losing my data.
For reliability I use SSDs for my OS/apps and DATA partitions.

"days" is what it takes to install a whole bunch of apps for business and personal use, and then configure them.

If someone can suggest a registry tool that would allow me to capture and save the config for any given app, that would be appreciated.
 
Well, that is obviously a different scenario. The thread title reads like you know you got a rootkit. "Odd behavior" can be anything: misconfigured/buggy software, bad hardware, user error...

Why would it take days to rebuild the system?

You really ought to have a disk image ready, especially if it's your work machine. It typically isn't a question IF your system breaks, just WHEN.

As a consultant, you may have sensitive client information and/or data on your system. So if you suspect foul play, you should definitely nuke the system!

The reason I was asking about rootkits is that the standard security suites don't seem to do a very good job in this area.

I use Retrospect for backup, which allows me to maintain version control. I do a fresh backup every year for my OS/Apps and DATA, and a monthly backup for "transactional" backup like Outlook or financial records.
 
The reason I was asking about rootkits is that the standard security suites don't seem to do a very good job in this area.
That's because rootkits can be damn hard to identify.

So if you suspect you have one, you have to nuke the system to make sure. Having your data on another drive doesn't help you out here. If you had a rootkit, its purpose is probably not just to make your system behave funny, but possibly to scan your disks and transmit files that look promising. Which could be really bad for you, depending on what you're consulting on and for whom.

I use Retrospect for backup, which allows me to maintain version control. I do a fresh backup every year for my OS/Apps and DATA, and a monthly backup for "transactional" backup like Outlook or financial records.
All nice, but you can't know when you got the rootkit and even if you did, if you just rolled back your system to a prior state, there's no way of knowing if that actually killed the rootkit (I suspect it would not).

When I said disk image, I meant what devman said: clean install of windows, get all the updates, install your favorite software, update that, configure it and THEN make a disk image of your system. So next time something goes wrong, you can nuke the system and install that image in under one hour.
 
Yes I am serious, and I kind of resent your tone here.

I resent your work ethics. There, I said it.

If you value customer data less than the cash you can milk from these poor souls who think they hired a responsible pro, then I have no sympathy for you.

It's not about data loss and backup, it's about malware and making sure no one _else_ has your data. I feel stupid even having to explain this.

Like a cook who charges extra to wash your dishes before he serves you, but doesn't actually tell you and just keeps using dirty dishes.
 
That's because rootkits can be damn hard to identify.

So if you suspect you have one, you have to nuke the system to make sure. Having your data on another drive doesn't help you out here. If you had a rootkit, its purpose is probably not just to make your system behave funny, but possibly to scan your disks and transmit files that look promising. Which could be really bad for you, depending on what you're consulting on and for whom.

All nice, but you can't know when you got the rootkit and even if you did, if you just rolled back your system to a prior state, there's no way of knowing if that actually killed the rootkit (I suspect it would not).

When I said disk image, I meant what devman said: clean install of windows, get all the updates, install your favorite software, update that, configure it and THEN make a disk image of your system. So next time something goes wrong, you can nuke the system and install that image in under one hour.

OK, so what can we agree upon?

First, you guys have convinced me that I do need a disk image, per devman. So, can we get past this issue?

Now, do you guys think that the right rootkit detectors can at least detect a rootkit, even if they can't truly remove one? If yes, then I would know when to do a DBAN and recopy the image.

Also, I'm real careful with client data. However, on more than one occasion, a file provided by the client has had malware, typically MS Office files. And this is from established companies that have, or you would think have, good internal security protocols.
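One defender-side way to get the "is it time to reimage?" signal the OP is asking for, without trusting anything running on the live OS: hash the golden image right after it is built, keep that manifest off the machine, and re-hash the volume from a rescue boot, which goes a step beyond the scanner tools named in this thread. This is an added example, not code from anyone in the thread; the directory tree, file names and contents are constructed stand-ins for a system volume.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Files the golden image never had, files that vanished, files whose bytes changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed mini 'system volume': snapshot the golden state, tamper, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drivers = root / "Windows" / "System32" / "drivers"
        drivers.mkdir(parents=True)
        (root / "Windows" / "System32" / "kernel32.dll").write_bytes(b"GOLD-kernel32")
        (drivers / "disk.sys").write_bytes(b"GOLD-disk")
        (root / "Windows" / "explorer.exe").write_bytes(b"GOLD-explorer")
        baseline = build_manifest(root)  # taken right after imaging, stored off-box
        # Simulated tampering: a patched driver, an extra driver, a deleted binary
        (drivers / "disk.sys").write_bytes(b"PATCHED-disk")
        (drivers / "extra.sys").write_bytes(b"UNKNOWN")
        (root / "Windows" / "explorer.exe").unlink()
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Any non-empty result against a volume that should match the golden image is the cue to restore the image rather than clean in place; for a real volume, run build_manifest from the rescue environment against the mounted system drive and keep the baseline on separate media.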
 
If you value customer data less than the cash you can milk from these poor souls who think they hired a responsible pro, then I have no sympathy for you.

Sorry but no one in the industry cares that much. If they do they're not making money or staying in business. Or value their own time.

(or they do care, but they can't because it's cost prohibitive)
 
Sorry but no one in the industry cares that much. If they do they're not making money or staying in business. Or value their own time.

(or they do care, but they can't because it's cost prohibitive)

Did you read the post he was responding to? The OP was complaining that he couldn't charge a customer directly for the cost of fixing the OP's own computer. That's a typical operational expense. If I break a tool out in the field, I don't charge the customer for a new one.

Continuing to use a potentially compromised computer to work on client's machines is an ethical violation.
 
Did you read the post he was responding to? The OP was complaining that he couldn't charge a customer directly for the cost of fixing the OP's own computer. That's a typical operational expense. If I break a tool out in the field, I don't charge the customer for a new one.

Continuing to use a potentially compromised computer to work on client's machines is an ethical violation.

Oh, yeah in that case that's OP's problem and definitely cannot charge the customer for his own stuff.

Bite the bullet and do it right OP. I think DBAN is a bit extreme but better be safe than sorry. I don't know how a client's computer managed to infect his, but he's going to need to make some workflow changes so that can't happen again.
 