
On Rootkits...


Duncan McC

Mar 22, 2006, 5:56:04 AM
What are the experts' opinions on the Sysinternals rootkit tool?

--
Duncan

Ted Zieglar

Mar 22, 2006, 9:20:35 AM
I have a pretty good understanding of that tool, but I don't know what type
of "opinion" you're looking for, and I don't know if I'd qualify as an
"expert" in your eyes.
--
Ted Zieglar
"A fool and his data are soon parted."

"Duncan McC" <ha...@work.ok> wrote in message
news:MPG.1e8bf46ef...@news.microsoft.com...

Kerry Brown

Mar 22, 2006, 9:32:12 AM
Duncan McC wrote:
> What are the experts' opinions on the Sysinternals rootkit tool?

It works to find some rootkits. By nature rootkits are hard to detect. The
tool points out discrepancies and it's up to the user to interpret the
results. I use it and was able to find a rootkit on one computer. It was an
academic exercise. The computer was so messed up it needed a clean reinstall
anyway.

--
Kerry


Ted Zieglar

Mar 22, 2006, 10:01:48 AM
Even if a rootkit is discovered, I do not believe there is a tool that can
remove it -- not yet, at least. All malware removal tools currently
available rely on the operating system in one way or another, and once a
rootkit has embedded itself the operating system has been compromised and
can no longer be trusted.

Removing a rootkit requires either a sophisticated knowledge of file systems
and rootkit technology or a clean install. Rootkit Revealer's significant
contribution - and it is by no means a finished work - is its ability to
identify anomalies in the OS that may possibly be rootkits. Previously,
rootkits were undetectable.


--
Ted Zieglar
"A fool and his data are soon parted."

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:u8L$p1bTGH...@TK2MSFTNGP09.phx.gbl...

Kerry Brown

Mar 22, 2006, 9:05:20 PM
Ted Zieglar wrote:
> Even if a rootkit is discovered, I do not believe there is a tool
> that can remove it -- not yet, at least. All malware removal tools
> currently available rely on the operating system in one way or
> another, and once a rootkit has embedded itself the operating system
> has been compromised and can no longer be trusted.
>
> Removing a rootkit requires either a sophisticated knowledge of file
> systems and rootkit technology or a clean install. Rootkit Revealer's
> significant contribution - and it is by no means a finished work - is
> its ability to identify anomalies in the OS that may possibly be
> rootkits. Previously, rootkits were undetectable.
>
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
> news:u8L$p1bTGH...@TK2MSFTNGP09.phx.gbl...
>> Duncan McC wrote:
>>> What are the experts' opinions on the Sysinternals rootkit tool?
>>
>> It works to find some rootkits. By nature rootkits are hard to
>> detect. The tool points out discrepancies and it's up to the user to
>> interpret the results. I use it and was able to find a rootkit on
>> one computer. It was an academic exercise. The computer was so
>> messed up it needed a clean reinstall anyway.
>>
>> --
>> Kerry

I was able to remove the rootkit with BartPE but as I said things were so
messed up by that point it needed a clean install. The computer had been
taken over and was being used as a porn FTP server completely unknown to the
customer. It was running really slow and their hard drive was full so they
brought it to me for repair. It was an illuminating experience figuring out
what had been done. A remote control trojan had been installed. Once they
had control they resized the system partition, created a hidden partition
filled with porn, and installed the rootkit which was running an FTP server.

--
Kerry
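An added example (not Kerry's tooling or anything posted in this thread) of the kind of check that would have surfaced the hidden partition Kerry describes: parse an MBR partition table, flag entries using a "hidden" type id, and report disk space that no partition accounts for. The MBR bytes and the disk size are constructed for the example; the 2048-sector slack threshold and the `build_mbr`/`audit_partitions` helpers are assumptions of this example.

```python
import struct

SECTOR = 512
# Type ids the DOS/PartitionMagic convention (base type + 0x10) uses to hide a partition from the OS.
HIDDEN_TYPES = {0x11: "hidden FAT12", 0x14: "hidden FAT16 (<32M)", 0x16: "hidden FAT16",
                0x17: "hidden NTFS/HPFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 (LBA)"}

def build_mbr(entries):
    """Assemble a 512-byte MBR from (type, lba_start, sector_count) tuples (constructed data)."""
    table = b"".join(struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", t, b"\xfe\xff\xff", s, n)
                     for t, s, n in entries)
    return bytes(446) + table.ljust(64, b"\x00") + b"\x55\xaa"

def parse_mbr(mbr):
    """Return the non-empty partition entries: index, type, first and one-past-last LBA."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype and count:
            parts.append({"index": i, "type": ptype, "start": start, "end": start + count})
    return parts

def audit_partitions(mbr, disk_sectors, slack=2048):
    """Report hidden partition types and any space the table does not account for."""
    findings = []
    parts = sorted(parse_mbr(mbr), key=lambda p: p["start"])
    cursor = 0
    for p in parts:
        if p["type"] in HIDDEN_TYPES:
            findings.append(f"entry {p['index']}: {HIDDEN_TYPES[p['type']]} at LBA {p['start']}")
        if p["start"] - cursor > slack:  # alignment padding is normal, a large hole is not
            findings.append(f"{p['start'] - cursor} unallocated sectors before LBA {p['start']}")
        cursor = max(cursor, p["end"])
    if disk_sectors - cursor > slack:
        findings.append(f"{disk_sectors - cursor} unallocated sectors at end of disk")
    return findings

# Constructed 10 GiB disk: a 5 GiB NTFS system partition, a hidden NTFS partition right after
# it, and roughly 1 GiB at the end that the table does not account for at all.
SAMPLE_DISK_SECTORS = 20_971_520
SAMPLE_MBR = build_mbr([(0x07, 2048, 10_485_760), (0x17, 10_487_808, 8_388_608)])

if __name__ == "__main__":
    for line in audit_partitions(SAMPLE_MBR, SAMPLE_DISK_SECTORS):
        print(line)
```

On a real system the 512 bytes come from the raw disk device rather than a constant, and the disk size from the same device, so the comparison does not depend on what the OS volume manager chooses to show.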


Ted Zieglar

Mar 23, 2006, 12:33:46 PM
That was a fascinating post...resizing partitions, setting up ftp servers,
hide it all in a rootkit...if it wasn't such a criminal thing to do, you'd
have to admire the creators of a very sophisticated piece of software.

To paraphrase Maxwell Smart: If only they would use their knowledge for
niceness instead of evil.

--
Ted Zieglar
"A fool and his data are soon parted."

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:OOEJ%234hTG...@TK2MSFTNGP12.phx.gbl...

Kerry Brown

Mar 23, 2006, 5:29:40 PM
Ted Zieglar wrote:
> That was a fascinating post...resizing partitions, setting up ftp
> servers, hide it all in a rootkit...if it wasn't such a criminal
> thing to do, you'd have to admire the creators of a very
> sophisticated piece of software.
>
> To paraphrase Maxwell Smart: If only they would use their knowledge
> for niceness instead of evil.
>

It was amazing. It was very sophisticated work. It took me most of a day to
figure out what had been done. It also made me aware of what can be done. I
am much more conscious of security after seeing that. I can't imagine the
embarrassment when the police show up and confiscate your daughter's
computer for distributing porn. I'm sure the police would quickly figure it
out but in the meantime the press would be all over it. Their reputation
would have been ruined. It's a small town here.

--
Kerry

Mark Randall

Mar 24, 2006, 3:34:29 AM
"Duncan McC" <ha...@work.ok> wrote in message
news:MPG.1e8bf46ef...@news.microsoft.com...
> What are the experts' opinions on the Sysinternals rootkit tool?

Just to point out the obvious...

The people that make SysInternals tools *ARE* a pair of the world's top
experts.

--
- Mark Randall
http://www.temporal-solutions.co.uk

"We're Systems and Networks..."
"It's our job to know..."


Patrick Dickey

Mar 27, 2006, 12:13:22 AM
Mark Randall wrote:
> "Duncan McC" <ha...@work.ok> wrote in message
> news:MPG.1e8bf46ef...@news.microsoft.com...
>> What are the experts' opinions on the Sysinternals rootkit tool?
>
> Just to point out the obvious...
>
> The people that make SysInternals tools *ARE* a pair of the world's top
> experts.
>

Excellent point. I would add (even though I'm far from being an expert)
that SysInternals Rootkit Revealer (and any other 'rootkit revealer'
programs for that matter) are just one piece of the puzzle. As
Panda_Man pointed out in his own way, you also need a good anti-virus.
And, you should also invest in a good firewall and antispyware.

All of these, coupled with good surfing practices and security measures
inside of your browser (including but not limited to the use of a
different browser than IE) are what is required to keep you safe.

HTH
Patrick.

WealthGuru

May 16, 2006, 7:15:01 PM
Speaking of "daughters"... we have a machine that seems to be
"controlled" by "profiles byte"; it hijacks IE and won't allow browsing until
you click through. I have scoured the registry and all places this neophyte can see, and
no luck.
--
10natious

Kerry Brown

May 17, 2006, 9:35:37 AM
Have you tried the standard methods of removing spyware?

http://www.elephantboycomputers.com/page2.html#Removing_Malware

http://www.mvps.org/winhelp2002/unwanted.htm

--
Kerry
MS-MVP Windows - Shell/User

WealthGuru wrote:
> Speaking of "daughters"... we have a machine that seems to be
> "controlled" by "profiles byte"; it hijacks IE and won't allow browsing
> until you click through. I have scoured the registry and all places this neophyte
> can see, and no luck.
>

Zoned

May 17, 2006, 10:02:19 AM
There are more rootkit removers at www.antirootkit.com.

regards
Zoned

Wildthing

May 25, 2006, 5:15:02 PM
How do I get rid of a rootkit, and is it bad for my system?

--
Wildthing


"Panda_man" wrote:

> My reply is at the bottom of your message:

> To detect a rootkit, you need a system explorer (such as that of
> Sysinternals) and very good security software such as Nod32 or Panda. They
> both detect rootkits and kill most because they have either advanced
> heuristic or behaviour analysis functions.
>
> Panda_man
> --
> Prevention is always better than cure!
> --
> My web page:
> http://pandaman.my.contact.bg
> Learn how to protect your computer:
> http://www.microsoft.com/protect
> Please rate posts.

Shenan Stanley

May 25, 2006, 6:55:05 PM
Wildthing wrote:
> How do I get rid of a rootkit, and is it bad for my system?

Search using Google!
http://www.google.com/
(How-to: http://www.google.com/intl/en/help/basics.html )

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


Ted Zieglar

May 26, 2006, 9:10:51 AM
You can't and yes.

--
Ted Zieglar
"Backup is a computer user's best friend."

"Wildthing" <Wild...@discussions.microsoft.com> wrote in message
news:1928B8AD-7008-409F...@microsoft.com...

Imhotep

May 26, 2006, 9:18:41 PM
Wildthing wrote:

> How do I get rid of a rootkit, and is it bad for my system?
>


...are you serious?

Tom [Pepper] Willett

May 26, 2006, 10:11:36 PM
...once again, the troll you are.

"Imhotep" <imh...@nospam.com> wrote in message
news:JLqdneMfkYhuNerZ...@adelphia.com...

Imhotep

May 27, 2006, 12:34:18 AM
Tom [Pepper] Willett wrote:

> ...once again, the troll you are.

Really? I was asking a serious question. You are just wasting my time. Yet
again, it seems you are the foolish troll....

Idiot....


--Im

Alun Jones

Jun 2, 2006, 11:22:19 AM
Ted Zieglar wrote:
> "Wildthing" <Wild...@discussions.microsoft.com> wrote in message
> news:1928B8AD-7008-409F...@microsoft.com...
>> How do I get rid of a rootkit, and is it bad for my system?
>
> You can't and yes.

That's a needlessly pessimistic assessment.

The answer is more that if you know what the rootkit is, and if there has
been no subsequent infection, then yes, you can use whatever removal tools
exist, and stand a good chance of rescuing your system.

If you want anything better than "a good chance", or you're not sure of the
"if"s, you'll want to reformat and reinstall the system.

Of course, if you install the system exactly the same way as you did, and
use it in exactly the same way as you did, you'll find yourself infected
again with the same rootkit.

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | al...@wftpd.com.
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

