Windows Vista Forums

How do I get rid of a rootkit

  #1


    T5 Guest

    How do I get rid of a rootkit

    Apparently, I have a rootkit installed, part of System Mechanic Software.
    Even though I have uninstalled SM, I am told that the rootkit is still
    there. How do I identify it and how do I get rid of it?



  #2


    Richard Urban Guest

    Re: How do I get rid of a rootkit

    Contact Iolo, the manufacturers of System Mechanic.

    --


    Regards,

    Richard Urban
    Microsoft MVP Windows Shell/User
    (For email, remove the obvious from my address)

    Quote from George Ankner:
    If you knew as much as you think you know,
    You would realize that you don't know what you thought you knew!



    "T5" <noanswer@hotmail.com> wrote in message
    news:E48EFF70-9BE6-44AB-8420-2CFD3C1CA8FA@microsoft.com...
    > Apparently, I have a rootkit installed, part of System Mechanic Software.
    > Even though I have uninstalled SM, I am told that the rootkit is still
    > there. How do I identify it and how do I get rid of it?




  #3


    Robin T Cox Guest

    Re: How do I get rid of a rootkit

    On Sat, 24 Feb 2007 10:35:37 +0000, T5 wrote:

    > Apparently, I have a rootkit installed, part of System Mechanic Software.
    > Even though I have uninstalled SM, I am told that the rootkit is still
    > there. How do I identify it and how do I get rid of it?


    Sysinternals offer Rootkit Revealer:

    http://www.microsoft.com/technet/sys...tRevealer.mspx



  #4


    Shell Guest

    RE: How do I get rid of a rootkit

    Go to tenebril.com and get the rootkit remover. They hold the patent on the
    remover.


    "T5" wrote:

    > Apparently, I have a rootkit installed, part of System Mechanic Software.
    > Even though I have uninstalled SM, I am told that the rootkit is still
    > there. How do I identify it and how do I get rid of it?
    >



  #5


    Rock Guest

    Re: How do I get rid of a rootkit

    "T5" <noanswer@hotmail.com> wrote
    > Apparently, I have a rootkit installed, part of System Mechanic Software.
    > Even though I have uninstalled SM, I am told that the rootkit is still
    > there. How do I identify it and how do I get rid of it?


    Ask the software author or ask in a virus/malware removal newsgroup.

    --
    Rock [MS-MVP User/Shell]



  #6


    cquirke (MVP Windows shell/user) Guest

    Re: How do I get rid of a rootkit

    On Sat, 24 Feb 2007 10:35:37 -0000, "T5" <noanswer@hotmail.com> wrote:

    >Apparently, I have a rootkit installed, part of System Mechanic Software.
    >Even though I have uninstalled SM, I am told that the rootkit is still
    >there. How do I identify it and how do I get rid of it?


    Firstly: On what basis do you conclude that:
    - you have a rootkit?
    - it is related to System Mechanic Software?

    Is this your issue:

    http://www.wrensoft.com/forum/showthread.php?t=1451

    ?

    If the malware is commercial malware (e.g. DRM) built into a
    "legitimate" product, then few if any scanners will detect it. The
    law is on the side of the malware authors here; by consenting to
    their EUL"A", they can weasel in whatever junk they want to, and some
    laws may make it illegal to share know-how on cleaning it up.

    If the malware is traditional or commercial malware that is outside
    the package, but stealthed in via a poor distribution "cold chain" or
    the use of piracy-enabling "cracks", then scanners may detect it, if
    it is common ITW (In The Wild).

    Finally, if the malware is external to the app, but is not common ITW,
    then the app vendor's sites or forums can't help you, and general
    malware scanners may miss it as well. This is always a risk when
    downloading cracks, cracked commercial apps, etc.


    Rootkits alter runtime behavior of the infected OS to hide themselves
    and/or other files and defend these against removal.

    So the first step is to scan from an OS that runs no code from the
    infected code base - what I refer to as "formal" scanning.

    In DOS and Win9x, you can use DOS mode boot diskette as the
    maintenance OS (mOS) and from there, use scanners written for DOS,
    such as available from F-Prot, Sophos, NOD32 etc.

    You can do the same in XP if you aren't using NTFS, but a far better
    approach is to use Bart PE builder to build a Bart CDR as mOS, and
    then use plugged-in or "loose" scanners from there. You can use CLI
    scanners from McAfee, F-Prot, Sophos, Kaspersky, AVG etc. in this
    way, as well as some Windows GUI scanners such as Stinger, Trend
    SysClean etc. You can also use registry-orientated tools via the
    RunScanner plugin, that allows such tools to operate as if the
    inactive HD installation registry were in effect.

    Vista has no equivalent to RunScanner, though you can use Bart for
    Vista, or use a Vista-native WinPE or installation DVD boot as your
    mOS. Vista64 is particularly difficult as the mOS boot mode will not
    run 32-bit apps, and 64-bit av tools are not plentiful in early 2007.


    The other way to look for rootkits, is to detect their behavior while
    they are active. This seems a more dangerous approach, given an
    active rootkit is well-positioned to defend itself or take punitive
    action against attempts to remove it, but you may at least be able to
    detect rootkit behavior and maybe point to a file or two, even if it
    isn't prudent to attempt removal from the infected OS.

    Several rootkit behavior detectors are available:
    - Rootkit Revealer from System Internals
    - Blacklight Beta from F-Prot / F-Secure
    - other "beta" rootkit tools from AVG, Trend, Sophos, etc.

    These tools have to be run from the infected OS in as "dirty" a state
    as possible, so they aren't useful from Bart CDR boot, etc. However,
    once you detect the relevant files, you could manage these with less
    (or at least, different) fear of retaliation from Bart boot etc..



    >-------------------- ----- ---- --- -- - - - -

    Running Windows-based av to kill active malware is like striking
    a match to see if what you are standing in is water or petrol.
    >-------------------- ----- ---- --- -- - - - -


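The cross-view idea behind the behaviour detectors listed above (Rootkit Revealer compares what the Windows API reports with what a direct read of the disk structures finds) as an added Python illustration; this is not Sysinternals code or anything posted in this thread. The two views, paths and timestamps are constructed sample data, and the triage rule that treats churn in a temp directory as noise is an assumption of the example.

```python
"""Cross-view discrepancy check, the principle behind detectors such as
Rootkit Revealer: the listing the Windows API returns (which a rootkit can
hook and filter) is compared with one read directly from the on-disk
structures. Added illustration on constructed data; not Sysinternals code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    name: str
    size: int
    mtime: int  # constructed timestamp in seconds

# Constructed sample views: RAW_VIEW stands in for a direct read of the disk
# structures, API_VIEW for what the file-enumeration API reported.
RAW_VIEW = {
    "C:\\Windows\\System32\\kernel32.dll": Entry("kernel32.dll", 1024, 100),
    "C:\\Windows\\System32\\drivers\\hidden.sys": Entry("hidden.sys", 4096, 105),
    "C:\\Temp\\cache1.tmp": Entry("cache1.tmp", 10, 300),
}
API_VIEW = {
    "C:\\Windows\\System32\\kernel32.dll": Entry("kernel32.dll", 1024, 100),
    "C:\\Temp\\cache1.tmp": Entry("cache1.tmp", 12, 301),  # rewritten mid-scan
    "C:\\Temp\\cache2.tmp": Entry("cache2.tmp", 5, 302),  # created mid-scan
}
# Directories whose contents legitimately churn while a scan is running
# (an assumption of this example; real tools let the user judge these).
VOLATILE_PREFIXES = ("C:\\Temp\\",)

def cross_view_diff(raw, api):
    """Return sorted (path, verdict) pairs for every discrepancy.
    hidden  : on disk but not reported by the API (the classic hiding symptom)
    phantom : reported by the API but absent from the raw structures
    changed : in both views but with different metadata"""
    findings = []
    for path in sorted(set(raw) | set(api)):
        r, a = raw.get(path), api.get(path)
        if r is not None and a is None:
            findings.append((path, "hidden"))
        elif r is None and a is not None:
            findings.append((path, "phantom"))
        elif r != a:
            findings.append((path, "changed"))
    return findings

def suspicious(findings):
    """Triage: a hidden entry is always worth checking from a clean boot;
    phantom or changed entries under volatile directories are usually files
    created or rewritten between the two snapshots, not hiding."""
    return [(p, v) for p, v in findings
            if v == "hidden" or not p.startswith(VOLATILE_PREFIXES)]
```

Calling `cross_view_diff(RAW_VIEW, API_VIEW)` reports three discrepancies, but `suspicious()` keeps only the driver that the API view never showed; the temp-folder entries are the kind of noise a scan of a live system produces.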

  #7


    Ron Guest

    Re: How do I get rid of a rootkit

    I used the Rootkit Revealer from Sysinternal.
    It detected a lot of problems, mostly in my Internet temp folder.
    It also detected one EXE file: KDIKW.EXE.

    Now how do I fix all the problems???

    Thanks
    Ron

    "Robin T Cox" wrote:

    > On Sat, 24 Feb 2007 10:35:37 +0000, T5 wrote:
    >
    > > Apparently, I have a rootkit installed, part of System Mechanic Software.
    > > Even though I have uninstalled SM, I am told that the rootkit is still
    > > there. How do I identify it and how do I get rid of it?
    >
    > Sysinternals offer Rootkit Revealer:
    >
    > http://www.microsoft.com/technet/sys...tRevealer.mspx
    >
    >



  #8


    enigma Guest

    Re: How do I get rid of a rootkit


    Hi,
    there are no Rootkits available for Vista.....YET...

    I used a few of the programs from
    http://www.antirootkit.com/software/index.htm

    Rootkit unhooker and Icesword are very good but Icesword is hard to
    use.

    hope this helps

    enigma


    --
    enigma
    Posted via http://www.vistaheads.com



  #9


    nweissma Guest

    Re: How do I get rid of a rootkit

    as a paralegal, i will tell you, based on the jurisprudence of contract law,
    and jurisprudence generally ("the clean hands doctrine"), that you are dead
    wrong! -- the law is NOT on the malware author's side!

    on the contrary: their mechanism is ...F R A U D ... and i doubt the courts
    will defend fraud.

    you show me just one case that supports your contention.

    "cquirke (MVP Windows shell/user)" wrote:

    > On Sat, 24 Feb 2007 10:35:37 -0000, "T5" <noanswer@hotmail.com> wrote:
    >
    > >Apparently, I have a rootkit installed, part of System Mechanic Software.
    > >Even though I have uninstalled SM, I am told that the rootkit is still
    > >there. How do I identify it and how do I get rid of it?
    >
    > Firstly: On what basis do you conclude that:
    > - you have a rootkit?
    > - it is related to System Mechanic Software?
    >
    > Is this your issue:
    >
    > http://www.wrensoft.com/forum/showthread.php?t=1451
    >
    > ?
    >
    > If the malware is commercial malware (e.g. DRM) built into a
    > "legitimate" product, then few if any scanners will detect it. The
    > law is on the side of the malware authors here; by consenting to
    > their EUL"A", they can weasel in whatever junk they want to, and some
    > laws may make it illegal to share know-how on cleaning it up.
    >
    > If the malware is traditional or commercial malware that is outside
    > the package, but stealthed in via a poor distribution "cold chain" or
    > the use of piracy-enabling "cracks", then scanners may detect it, if
    > it is common ITW (In The Wild).
    >
    > Finally, if the malware is external to the app, but is not common ITW,
    > then the app vendor's sites or forums can't help you, and general
    > malware scanners may miss it as well. This is always a risk when
    > downloading cracks, cracked commercial apps, etc.
    >
    >
    > Rootkits alter runtime behavior of the infected OS to hide themselves
    > and/or other files and defend these against removal.
    >
    > So the first step is to scan from an OS that runs no code from the
    > infected code base - what I refer to as "formal" scanning.
    >
    > In DOS and Win9x, you can use DOS mode boot diskette as the
    > maintenance OS (mOS) and from there, use scanners written for DOS,
    > such as available from F-Prot, Sophos, NOD32 etc.
    >
    > You can do the same in XP if you aren't using NTFS, but a far better
    > approach is to use Bart PE builder to build a Bart CDR as mOS, and
    > then use plugged-in or "loose" scanners from there. You can use CLI
    > scanners from McAfee, F-Prot, Sophos, Kaspersky, AVG etc. in this
    > way, as well as some Windows GUI scanners such as Stinger, Trend
    > SysClean etc. You can also use registry-orientated tools via the
    > RunScanner plugin, that allows such tools to operate as if the
    > inactive HD installation registry were in effect.
    >
    > Vista has no equivalent to RunScanner, though you can use Bart for
    > Vista, or use a Vista-native WinPE or installation DVD boot as your
    > mOS. Vista64 is particularly difficult as the mOS boot mode will not
    > run 32-bit apps, and 64-bit av tools are not plentiful in early 2007.
    >
    >
    > The other way to look for rootkits, is to detect their behavior while
    > they are active. This seems a more dangerous approach, given an
    > active rootkit is well-positioned to defend itself or take punitive
    > action against attempts to remove it, but you may at least be able to
    > detect rootkit behavior and maybe point to a file or two, even if it
    > isn't prudent to attempt removal from the infected OS.
    >
    > Several rootkit behavior detectors are available:
    > - Rootkit Revealer from System Internals
    > - Blacklight Beta from F-Prot / F-Secure
    > - other "beta" rootkit tools from AVG, Trend, Sophos, etc.
    >
    > These tools have to be run from the infected OS in as "dirty" a state
    > as possible, so they aren't useful from Bart CDR boot, etc. However,
    > once you detect the relevant files, you could manage these with less
    > (or at least, different) fear of retaliation from Bart boot etc..
    >
    >
    >
    > >-------------------- ----- ---- --- -- - - - -
    > Running Windows-based av to kill active malware is like striking
    > a match to see if what you are standing in is water or petrol.
    > >-------------------- ----- ---- --- -- - - - -
    >

