5
1
Answering the question "Task Manager shows 100% CPU utilization, but nothing in process list does.", Paul Woodward stated that his problem with 100% CPU was a rootkit infecting his computer. My computer seems to suffer from the same problem.
Which software for Windows XP do you recommend for detecting and removing a rootkit?
Leonel Martins
Posted 2009-07-28T23:51:29.007
Reputation: 256
6
I don't think you can actually use it to 'clean' a rootkit, but a very good 'detector' is RootkitRevealer from Sysinternals.
fretje
Posted 2009-07-28T23:51:29.007
Reputation: 10 524
5
I wouldn't trust any of them. Once you've been "pwned", the best thing to do is start with a fresh system install.
Soon not even that will be enough. I've heard of malware that will find an EEPROM chip on your motherboard and over-write it with it's own firmware. The new firmware will duplicate the functionality of the previous firmware, but also have a copy of the virus waiting to install when that code is invoked. So you could completely reformat your hard drive and still be infected.
Joel Coehoorn
Posted 2009-07-28T23:51:29.007
Reputation: 26 787
1Indeed,, reinstalling looks like the best way. Maybe, the conclusion from this thread is if you find a rootkit in you computer, do a fresh install. But, how can i reliably find my machine have been "pwned"? – Leonel Martins – 2009-07-29T01:30:11.917
1Ironically enough, the best protection against EEPROM rootkits is old-school jumpers -- set it read-only with a jumper and that infection just isn't going to happen. Not sure if board manufacturers will be bringing them back anytime soon though -- they're probably hanging out with Betamax tapes at this point. – romandas – 2009-07-29T03:23:20.603
1Oh, and +1 -- have rootkit == nuke and pave from safe media. You just can't know if it's all gone anymore. A/V is a crutch. – romandas – 2009-07-29T03:24:25.733
Ultimately where we're going is subsidized netbooks with all your data kept online. You get cell phone data plan + insurance, and it includes the netbook. You get a virus, you just swap it for a new one from your carrier. – Joel Coehoorn – 2009-07-29T13:21:41.363
Um. How about using Linux or Mac and VMWare, and bye-bye to Windows, which is, IMHO, the original Rootkit. – Warren P – 2010-07-30T18:42:30.563
4
I think the pro version of AVG has root-kit protection and removal.
Personaly, if i found my windows box infected with a rootkit, I would just reformat and reinstall the OS. Even if there was a good tool out there that says it removed everything, I just would have a better peace of mind just reinstalling it all.
Troggy
Posted 2009-07-28T23:51:29.007
Reputation: 10 191
Maybe you´re right. Probably, i´ll walk this path... If i find that rootkit infected my machine, i´ll reinstall from scratch. And, perhaps, its a resason to move to Windows 7. ;-) – Leonel Martins – 2009-07-29T00:08:28.410
Yep, reinstall all the way. A rootkit problem, to me, means that you can no longer trust the most fundamental part of your system: the OS. – moobaa – 2009-07-29T04:19:03.657
2
I use a program called "Malware Bytes" It is free and it works great. It kills nasty malware and rootkits.
Axxmasterr
Posted 2009-07-28T23:51:29.007
Reputation: 7 584
Thanx, i´ll look it. And post my thoughts later. – Leonel Martins – 2009-07-29T01:27:05.137
i ran it and it seems a good piece of software. But nothing apeared. I think is a hardware problem because now my computer totally freezes. And I have to power-off and power-on to get it working again. – Leonel Martins – 2009-07-31T23:35:07.713
0
There is also sophos anti-rootkit which they claim can remove rootkits. It's a free download but you have to set up an account with them first. I've not had a chance to test the veracity of their claims myself (thankfully).
Shane Kearney
Posted 2009-07-28T23:51:29.007
Reputation: 611
Thanx, i´ll look it. And post my thoughts later. But it seems a hardware problem because i ran the others sugentions and nothing apeared. And now my computer totally freezes. I have to power-off and power-on to get it working again. – Leonel Martins – 2009-07-31T23:33:43.520
0
currently trying in vain to remove a rootkit problem on my pc, not having any luck.
have tried avg (my current main antivirus) which doesnt find anything have tried the microsoft online live scanne which didnt find anything have tried prevx which misidentified Tor as malware malwarebytes never finds anything either superantispyware found a rootkit and removed it, but didnt completely fix the problem
have tried thestubware which was recommended to me on here, and it finds the rootkit, but each time it removes it, when i reboot it comes back again with a different file name.
am going to try sophos rootkit revealer now.
mack nordstrum
Posted 2009-07-28T23:51:29.007
Reputation: 264
0
You might have a rootkit on the computer, in which case you should run HitManPro 3.5, which will detect the TDL3/TDSS/Alueron rootkit.
If you are absolutely sure you have a rootkit, run one of the following (in order of importance)
JFB
Posted 2009-07-28T23:51:29.007
Reputation: 155
0
For the record, I've got to suggest PrevX.
When I had malware problems a while ago (initially noticed by some vague McAfee access-protection violation) I was scanning and submitting suspect files all over the shop. [I seem to recall about 25% of the online scanners recognised anything wrong with the files at all - but wouldn't agree on what the problem was.] I went through all the removers and/or manual steps I could find, but those bad files just kept coming back.
PrevX (which was free to download and scan - you had to pay for removal) only gave some kind of generic name for the infection but I decided to throw my £20 quid at them as a last resort because:
a) I was getting desperate: I was about to have to do a reinstall just as a work deadline was resuming;
b) Some prevx fellas were providing some extremely active and knowledgeable support on a forum somewhere and I think that was the only relevant mention of the combination of bad files I was finding on my machine.
c) IIRC, they had some deal where if PrevX didn't remove the infection they promised to personally investigate (like remoting onto your machine or something) - and was it a refund too?
(I'm definitely not affiliated or anything. Was just entirely satisfied by a product that did what I needed it to do at the right time. And, um, I'll renew my lapsed subscription next time I find a problem!)
mwardm
Posted 2009-07-28T23:51:29.007
Reputation: 101
Yeah, i feel that there is no easy solution. RootkitRevealer looks like a good scanner. I´m trying it right now. – Leonel Martins – 2009-07-29T00:05:13.953
1+1 for anything from SysInternals. Bonus because you don't have to install anything. You can run it directly from the site download link. – Robert Cartaino – 2009-07-29T00:24:56.733
I like SysInternals alot, but in this case, the real problem was what the hell to do with the info what I got back – D'Arvit – 2010-06-09T14:03:28.447
@Pajarito: You could ask it here... ;-) – fretje – 2010-06-09T14:15:17.677
I accepted your question because, like @Robert said, its from SysIternals and it runs directly from the download (no need to install). – Leonel Martins – 2009-08-04T01:00:00.597
2FORMAT your hard disk. Best rootkit cleaner there is. – Warren P – 2010-07-30T18:36:45.070