Is there some file browser that uses low level functions to browse hard disk?

1

1

I have Windows 7, NTFS hard disk. I have detected rootkit files but can't delete them through Windows explorer, obviously because they are not visible. Is there some other file browser that is using low level function calls, lower that win api, so that I can try to see and study these files before removal. I know the exact locations. I know that I can load some live CD and delete them, but I wonder about the first possible solution.

watbywbarif

Posted 2011-02-16T21:07:17.713

Reputation: 590

Pointless: once your system has been compromised at such a low level, the only sane solution is formatting it. – o0'. – 2014-02-22T13:14:18.553

Answers

7

Windows purposefully tries to prevent you from directly accessing hardware -- it's kind of the point. ;) So if Windows has been compromised by a Rootkit (especially a kernel-level one) then you pretty much have to access the file system from another OS (Windows or not -- just not the infected OS) to do anything with the infection's files.

From Wikipedia:

"The fundamental problem with rootkit detection is that if the operating system has been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components. Actions such as requesting a list of running processes, or a list of files in a directory, cannot be trusted to behave as expected. In other words, rootkit detectors that work while running on infected systems are only effective against rootkits that have some defect in their camouflage, or that run with lower user-mode privileges than the detection software in the kernel"

From MS' RootkitRevealer page:

"Is there a sure-fire way to know of a rootkit's presence?

In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised. While comparing an on-line scan of a system and an off-line scan from a secure environment such as a boot into an CD-based operating system installation is more reliable, rootkits can target such tools to evade detection by even them."

Hope that helps...

Ƭᴇcʜιᴇ007

Posted 2011-02-16T21:07:17.713

Reputation: 103 763

1+1 the only good answer so far – matthias krull – 2011-02-16T22:51:57.063

+1 - if a high level function can be hooked by a rootkit, so can a kernel level function. – afrazier – 2011-02-16T23:25:09.487

Nice answer but I am still interested in some kind of tool which can display file system with lower kernel functions, or using its own disk access functions. I noticed that rootkit is not using c:\xxx notation. He is accessing this by \Devices....\xxx notation. I can't remember complete path he used, but I wonder if I can access this files same way. – watbywbarif – 2011-02-24T10:54:58.980

2

GMER would be a good start to find out what's there and then you could boot a Live CD and copy the files you want to a different place/partition or USB stick - the tools on Parted Magic would help you do this.

GMER is an application that detects and removes rootkits. It scans for:

  • hidden processes
  • hidden threads
  • hidden modules
  • hidden services
  • hidden files
  • hidden Alternate Data Streams
  • hidden registry keys
  • drivers hooking SSDT
  • drivers hooking IDT
  • drivers hooking IRP calls
  • inline hooks

Linker3000

Posted 2011-02-16T21:07:17.713

Reputation: 25 670

1

Boot from an Ubuntu CD to browse the drive

Related article here

http://www.howtogeek.com/howto/windows-vista/use-ubuntu-live-cd-to-backup-files-from-your-dead-windows-computer/

.

You would be better off using the method below to disinfect your PC

.

1.) On a PC that is Not infected, Make a boot AV disc then boot from the disc on the Infected PC and scan the hard drive, remove any infections it finds, I prefer the Kaspersky disc myself. The New 2010 Kaspersky disc can update the AV dat files if you are connected to the internet at the time of scan and is suggested to update before the scan.

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

2.) Then: Install free MBAM, run the program and go to the Update tab and update it, then go to the Scanner Tab and do a quick scan, select and remove anything it finds.

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

3.) When MBAM is done install SAS free version, run a quick scan, remove what it automatically selects. http://www.superantispyware.com/download.html

These last 2 are not AV softwares like Norton, they are on demand scanners that only scan for nasties when you run the program and will not interfere with your installed AV, these can be run once a day or week to ensure you are not infected. Be sure you update them before each daily-weekly scan.

.

Moab

Posted 2011-02-16T21:07:17.713

Reputation: 54 203

Asked: 2011-02-16T21:07:17.713

Viewed: 1 059 times

Active: 2014-02-22T11:27:49.973