How can I best detect AND remove rootkits from my Windows XP Pro system?
Nowadays, almost every respected antivirus vendor integrates a rootkit detector in its product. Removing rootkits can get very bothersome. What you basically want to do is boot the system in safe mode or, even better, boot it from a rescue disc and then start scanning. Sometimes it's even better to restore to a clean, safe system. It's always advisable to make a system image which you know is perfectly clean. Otherwise you can specifically search Google for rootkit detection and removal software.
rootkit: A type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection. It enables an attacker to have "root" access to the computer, which means it runs at the lowest level of the machine. A rootkit typically intercepts common API calls. For example, it can intercept requests to a file manager such as Explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user. Rootkits came from the Unix world and started out as a set of altered utilities such as the ls command, which is used to list file names in the directory (folder).

Legitimate Rootkits? Rootkits can also be used for what some vendors consider valid purposes. For example, if digital rights management (DRM) software is installed and kept hidden, it can control the use of licensed, copyrighted material and also prevent the user from removing the hidden enforcement program. However, such usage is no more welcomed than a rootkit that does damage or allows spyware to thrive without detection. See Trojan.
For the Windows platform there are many free detection tools such as Blacklight. Another Windows detector is RootkitRevealer from Sysinternals. It will detect all current rootkits by comparing the results from the OS to the actual listing read from the disk itself. However, some rootkits started to add this particular program to a list of files they do not hide from, so in essence they remove the differences between the two listings, and the detector doesn't report them. However, renaming the rootkitrevealer.exe file to a random name defeats this. These features are now included in the latest releases of Rkdetector and RootkitRevealer, so now there is no need to rename.
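The cross-view comparison the answer above describes can be illustrated with a small model. The code below is an added example, not part of the original answer and not code from Sysinternals or any rootkit tool: it takes an API-reported file listing and a raw-disk listing (both constructed sample dictionaries here), reports paths present only in the raw view or with mismatched sizes, and models the evasion mentioned above, where a rootkit stops filtering the view for a caller whose process name is on its exemption list. The function and sample names are assumptions made for the example.

```python
"""Cross-view rootkit detection, modelled on a small constructed dataset.

A cross-view detector compares what the operating system's file APIs report
with what is actually stored on disk. Paths present in the raw view but not
in the API view are candidates for being hidden by a rootkit; paths whose
sizes differ between the two views indicate tampered metadata. Everything
below is constructed sample data, not output of any real tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str    # "hidden_from_api", "size_mismatch" or "api_only"
    detail: str


def cross_view_diff(api_view, raw_view):
    """Compare two {path: size_in_bytes} listings and return the discrepancies,
    sorted by path so the result is stable for reporting and testing."""
    findings = []
    for path, raw_size in raw_view.items():
        if path not in api_view:
            findings.append(Discrepancy(path, "hidden_from_api", f"raw size {raw_size}"))
        elif api_view[path] != raw_size:
            findings.append(Discrepancy(path, "size_mismatch",
                                        f"api {api_view[path]} vs raw {raw_size}"))
    for path, api_size in api_view.items():
        if path not in raw_view:
            findings.append(Discrepancy(path, "api_only", f"api size {api_size}"))
    return sorted(findings, key=lambda d: d.path)


def api_view_under_rootkit(true_files, hidden_paths, caller_name, exempt_callers):
    """Constructed model of a rootkit filtering the API view: hidden paths are
    dropped from the listing unless the calling process name is on the
    rootkit's exemption list, mirroring the evasion described in the answer."""
    exempt = {c.lower() for c in exempt_callers}
    if caller_name.lower() in exempt:
        return dict(true_files)
    return {p: s for p, s in true_files.items() if p not in hidden_paths}


# Constructed sample data: what is really on disk (the "raw" view).
SAMPLE_HIDDEN_PATH = r"C:\WINDOWS\system32\drivers\sample_hidden.sys"
SAMPLE_TRUE_FILES = {
    r"C:\WINDOWS\system32\ntoskrnl.exe": 2180352,
    r"C:\WINDOWS\system32\drivers\sample_hidden.sys": 24576,
    r"C:\Documents and Settings\user\report.doc": 51200,
}
# Constructed: the modelled rootkit exempts the detector's well-known filename.
SAMPLE_EXEMPT = ["rootkitrevealer.exe"]


def scan_as(caller_name):
    """Run the cross-view comparison as if the detector process had this name."""
    api_view = api_view_under_rootkit(SAMPLE_TRUE_FILES, {SAMPLE_HIDDEN_PATH},
                                      caller_name, SAMPLE_EXEMPT)
    return cross_view_diff(api_view, SAMPLE_TRUE_FILES)


if __name__ == "__main__":
    for name in ("rootkitrevealer.exe", "q7x1m.exe"):
        findings = scan_as(name)
        print(f"scan as {name}: {len(findings)} discrepancy(ies)")
        for f in findings:
            print(f"  {f.kind:16} {f.path} ({f.detail})")
```

Run as written, the scan under the well-known detector name reports nothing because the modelled rootkit shows it the complete listing, while the same scan under an arbitrary name reports the hidden driver; this is exactly why renaming the detector (or, in later releases, the tool doing so itself) restores the difference the detector relies on. A size mismatch with no hidden entry is also worth treating as a finding, since it points at metadata being rewritten rather than entries being removed.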
Kurt Dillard, a program manager with Microsoft Solutions for Security, wrote the following piece:
Detection and removal is still frustrating. Aside from a few established rootkit detection tools, including VICE, Patchfinder2 and klister, many tools were written by the same people who created rootkits. I don't know about you, but I have a hard time entrusting malware authors to clean up compromised computers.
However, several things happened in February to shine the spotlight on rootkits and prompt the creation of new detection tools. Beyond Fear author Bruce Schneier's rootkit mention in his blog and a presentation Mike Danseglio and I gave on Windows rootkits at the RSA Conference received a surprisingly extensive amount of press. Since then, security vendors Sysinternals and F-Secure Corp. have released standalone tools for their existing security suites to deal with rootkits. Microsoft has also added rootkit detection and removal to its Microsoft Malicious Software Removal tool, which it updates monthly.
Unfortunately, each time an existing tool is updated or a new tool is released, many rootkit authors update their malware to avoid detection. This results in an ongoing cat and mouse game that leaves systems administrators and computer users victimized.
All of this may sound terribly depressing, but there are effective measures you can implement to minimize the risk of being afflicted by rootkits or spyware. You should already be taking the following steps to secure your organization against this type of malware:
We will explore a defense-in-depth approach to protecting your computers and networks in a later article in this series. In the meantime, check out Strider, a Microsoft research project for maintaining system integrity.
burl wood
You need a unique piece of software, "Rootkit Remover".