Windows Vista Forums
How do I get rid of a rootkit

#1  02-24-2007  T5, Guest

How do I get rid of a rootkit

Apparently, I have a rootkit installed, part of System Mechanic Software.
Even though I have uninstalled SM, I am told that the rootkit is still
there. How do I identify it and how do I get rid of it?


#2  02-24-2007  Richard Urban, Guest

Re: How do I get rid of a rootkit

Contact Iolo, the manufacturers of System Mechanic.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!




#3  02-24-2007  Robin T Cox, Guest

Re: How do I get rid of a rootkit


Sysinternals offer Rootkit Revealer:

http://www.microsoft.com/technet/sys...tRevealer.mspx

#4  02-25-2007  Shell, Guest

RE: How do I get rid of a rootkit

Go to tenebril.com and get the rootkit remover. They hold the patent on the
remover.



#5  02-25-2007  Rock, Guest

Re: How do I get rid of a rootkit


Ask the software author or ask in a virus/malware removal newsgroup.

--
Rock [MS-MVP User/Shell]

#6  03-03-2007  cquirke (MVP Windows shell/user), Guest

Re: How do I get rid of a rootkit


Firstly: On what basis do you conclude that:
- you have a rootkit?
- it is related to System Mechanic Software?

Is this your issue:

http://www.wrensoft.com/forum/showthread.php?t=1451

?

If the malware is commercial malware (e.g. DRM) built into a
"legitimate" product, then few if any scanners will detect it. The
law is on the side of the malware authors here; by consenting to
their EUL"A", they can weasel in whatever junk they want to, and some
laws may make it illegal to share know-how on cleaning it up.

If the malware is traditional or commercial malware that is outside
the package, but stealthed in via a poor distribution "cold chain" or
the use of piracy-enabling "cracks", then scanners may detect it, if
it is common ITW (In The Wild).

Finally, if the malware is external to the app, but is not common ITW,
then the app vendor's sites or forums can't help you, and general
malware scanners may miss it as well. This is always a risk when
downloading cracks, cracked commercial apps, etc.


Rootkits alter runtime behavior of the infected OS to hide themselves
and/or other files and defend these against removal.

So the first step is to scan from an OS that runs no code from the
infected code base - what I refer to as "formal" scanning.

In DOS and Win9x, you can use DOS mode boot diskette as the
maintenance OS (mOS) and from there, use scanners written for DOS,
such as available from F-Prot, Sophos, NOD32 etc.

You can do the same in XP if you aren't using NTFS, but a far better
approach is to use Bart PE builder to build a Bart CDR as mOS, and
then use plugged-in or "loose" scanners from there. You can use CLI
scanners from McAfee, F-Prot, Sophos, Kaspersky, AVG etc. in this
way, as well as some Windows GUI scanners such as Stinger, Trend
SysClean etc. You can also use registry-orientated tools via the
RunScanner plugin, that allows such tools to operate as if the
inactive HD installation registry were in effect.

Vista has no equivalent to RunScanner, though you can use Bart for
Vista, or use a Vista-native WinPE or installation DVD boot as your
mOS. Vista64 is particularly difficult as the mOS boot mode will not
run 32-bit apps, and 64-bit av tools are not plentiful in early 2007.


The other way to look for rootkits, is to detect their behavior while
they are active. This seems a more dangerous approach, given an
active rootkit is well-positioned to defend itself or take punitive
action against attempts to remove it, but you may at least be able to
detect rootkit behavior and maybe point to a file or two, even if it
isn't prudent to attempt removal from the infected OS.

Several rootkit behavior detectors are available:
- Rootkit Revealer from Sysinternals
- Blacklight Beta from F-Prot / F-Secure
- other "beta" rootkit tools from AVG, Trend, Sophos, etc.

These tools have to be run from the infected OS in as "dirty" a state
as possible, so they aren't useful from Bart CDR boot, etc. However,
once you detect the relevant files, you could manage these with less
(or at least, different) fear of retaliation from Bart boot etc..



>-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
>-------------------- ----- ---- --- -- - - - -

#7  03-08-2007  Ron, Guest
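The "formal" scan described in the post above boots a maintenance OS and inspects the inactive installation without running any of its code; the "behavior detector" approach compares what the live OS shows with what is really there. The script below is an added example, not code from this thread or from any of the tools named in it. It combines both ideas for the one place a Vista rootkit must leave a trace if it is to survive reboot: a boot- or system-start kernel driver registered in the offline SYSTEM hive. It loads a copy of that hive from a WinPE/WinRE session with PowerShell 3 or later, lists every kernel driver that starts before user mode, resolves the driver file on the mounted volume, hashes it, and, if you saved `driverquery /fo csv` from the live system beforehand, flags drivers that the running OS did not report. The mount point `D:\Windows`, the temporary key name `OfflineSYS` and the CSV path are assumptions for the example.

```powershell
# Added example (not from the thread): offline cross-view triage of boot-start
# kernel drivers in an inactive Windows installation, run from WinPE/WinRE.
# Assumptions: the suspect install is mounted at D:\Windows; PowerShell 3+;
# optionally a CSV produced earlier on the LIVE system with `driverquery /fo csv`.
param(
    [string]$OfflineRoot = 'D:\Windows',
    [string]$LiveCsv     = '',
    [string]$LoadName    = 'OfflineSYS'   # temporary key name under HKLM (assumed)
)

function Get-Sha256Hex([string]$Path) {
    # Hash via .NET so the script does not depend on Get-FileHash (PowerShell 4+).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose(); $sha.Dispose() }
}

function Resolve-OfflineImagePath([string]$ImagePath, [string]$ServiceName, [string]$Root) {
    # Translate the kernel-style ImagePath stored under Services\<name> into a path
    # on the mounted offline volume. Handles the spellings commonly found there.
    if ([string]::IsNullOrEmpty($ImagePath)) {
        # No ImagePath value: the driver defaults to System32\drivers\<ServiceName>.sys
        return Join-Path $Root "System32\drivers\$ServiceName.sys"
    }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\SystemRoot\\', ''      # \SystemRoot\system32\drivers\x.sys
    $p = $p -replace '^%SystemRoot%\\', ''      # %SystemRoot%\system32\drivers\x.sys
    $p = $p -replace '^\\\?\?\\', ''            # \??\C:\path\x.sys  ->  C:\path\x.sys
    if ($p -match '^[A-Za-z]:\\') {
        # Absolute path on the formerly live system drive: swap in the offline drive letter.
        return ($p -replace '^[A-Za-z]:', (Split-Path -Qualifier $Root))
    }
    return Join-Path $Root $p                    # relative to the Windows directory
}

# Work on a copy of the SYSTEM hive: reg.exe needs a writable file, and the
# suspect installation's own registry should never be opened for writing.
$hiveTmp = Join-Path $env:TEMP ('SYSTEM.' + [guid]::NewGuid().ToString('N'))
Copy-Item (Join-Path $OfflineRoot 'System32\config\SYSTEM') $hiveTmp

# "Module Name" in driverquery output is the service key name of the driver.
$liveNames = if ($LiveCsv) { (Import-Csv $LiveCsv).'Module Name' } else { $null }

reg.exe load "HKLM\$LoadName" $hiveTmp | Out-Null
try {
    # Select\Current names the control set that actually boots (ControlSet001, ...).
    $current  = (Get-ItemProperty "HKLM:\$LoadName\Select").Current
    $services = "HKLM:\$LoadName\ControlSet{0:D3}\Services" -f $current

    $report = foreach ($key in Get-ChildItem $services -ErrorAction SilentlyContinue) {
        $v = Get-ItemProperty $key.PSPath
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER;
        # Start 0 = boot, 1 = system: loaded before any user-mode scanner can run.
        if (($v.Type -eq 1 -or $v.Type -eq 2) -and ($v.Start -eq 0 -or $v.Start -eq 1)) {
            $file   = Resolve-OfflineImagePath $v.ImagePath $key.PSChildName $OfflineRoot
            $onDisk = Test-Path -LiteralPath $file
            [pscustomobject]@{
                Service        = $key.PSChildName
                Start          = $v.Start
                ImagePath      = $v.ImagePath
                File           = $file
                OnDisk         = $onDisk
                SHA256         = if ($onDisk) { Get-Sha256Hex $file } else { '' }
                # Registered in the offline hive but absent from the live driverquery
                # list: either hidden from the running OS or it failed to load.
                HiddenFromLive = if ($liveNames) { $liveNames -notcontains $key.PSChildName } else { $null }
            }
        }
    }
}
finally {
    [gc]::Collect()                              # release provider handles so the unload succeeds
    reg.exe unload "HKLM\$LoadName" | Out-Null
    Remove-Item $hiveTmp -ErrorAction SilentlyContinue
}

$report | Export-Csv -NoTypeInformation (Join-Path $env:TEMP 'offline-drivers.csv')
$report |
    Sort-Object @{Expression = 'HiddenFromLive'; Descending = $true}, Service |
    Format-Table Service, Start, OnDisk, HiddenFromLive, File -AutoSize
```

Read the output the way the post suggests reading behavior detectors: as leads, not verdicts. A driver that is registered offline but missing from the live `driverquery` list may simply have failed to load, and a registered driver whose file is absent on disk may be a stale entry left by an uninstaller. Carry the exported hash list to a clean machine to check the unfamiliar entries, and do any deletion from the maintenance OS rather than from the infected one. On Vista x64 a 64-bit WinPE runs this natively, which avoids the 32-bit tool problem the post mentions.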

Re: How do I get rid of a rootkit

I used the Rootkit Revealer from Sysinternals.
It detected a lot of problems, mostly in my Internet temp folder.
It also detected one EXE file: KDIKW.EXE.

Now how do I fix all the problems???

Thanks
Ron

#8  03-08-2007  enigma, Guest

Re: How do I get rid of a rootkit


Hi,
there are no Rootkits available for Vista.....YET...

I used a few of the programs from
http://www.antirootkit.com/software/index.htm

Rootkit unhooker and Icesword are very good but Icesword is hard to
use.

hope this helps

enigma


--
enigma
Posted via http://www.vistaheads.com

#9  05-13-2007  nweissma, Guest

Re: How do I get rid of a rootkit

As a paralegal, I will tell you, based on the jurisprudence of contract law,
and jurisprudence generally ("the clean hands doctrine"), that you are dead
wrong! -- the law is NOT on the malware author's side!

On the contrary: their mechanism is ...F R A U D... and I doubt the courts
will defend fraud.

You show me just one case that supports your contention.

"cquirke (MVP Windows shell/user)" wrote:

> If the malware is commercial malware (e.g. DRM) built into a
> "legitimate" product, then few if any scanners will detect it. The
> law is on the side of thge malware authors here; by consenting to
> their EUL"A", they can weasel in whatever junk they want to, and some
> laws may make it illegal to share know-how on cleaning it up.
Vistax64.com is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows Vista", the Start Orb, and related materials are trademarks of Microsoft Corp.
© Designer Media 2005-2008
