Thread: Removing Windows rootkits with Backtrack?

  1. #1
    Just burned his ISO
    Join Date
    Sep 2008
    Posts
    3

    Default Removing Windows rootkits with Backtrack?

    Someone I know got their Windows Vista PC infected with one of those obnoxious fake antivirus apps. Between Kaspersky Live CD, MBAM, and HJT I seem to have removed most of it... However, when I was attempting to scan for any rootkits that might be present, most of the ARK tools I tried failed to run or were hampered in some way. I'm not sure, but because of that I suspect that some component of the malware is still in hiding on the machine.

    (A rootkit is a definite possibility from what I can see; UAC was off at the time so the machine was exploited with full admin privileges.)

    Anyway... I've got no working Windows install at the moment, so no BartPE or UBCD4Win unfortunately. What I do have is SystemRescueCD (with the latest version of ClamAV, for whatever that's worth), Kaspersky Live, and of course a Backtrack 4 DVD I just burned.

    I've heard that Backtrack is very good for forensics and the like, and so might be a good choice for finding a rootkit on a Windows partition. Problem is I don't know my way around any of the forensics tools; they all look very advanced and not very user-friendly. So, if I'm looking for a rootkit on the Vista partition, what should I use and how?

  2. #2
    Senior Member hypervista
    Join Date
    Feb 2010
    Posts
    121

    Default Re: Removing Windows rootkits with Backtrack?

    I suggest your friend download and run one or both of these:

    TrendMicro Rootkit Buster

    Sophos Anti-Rootkit

    SysInternals' (Now Microsoft) RootkitRevealer is okay, but tends to give lots of false positives.

    RootkitRevealer
    Last edited by hypervista; 05-17-2010 at 08:35 PM.

  3. #3
    Just burned his ISO
    Join Date
    Sep 2008
    Posts
    3

    Default Re: Removing Windows rootkits with Backtrack?

    Thanks... I tried RootkitBuster, it came up with nothing. Haven't tried Sophos yet though, I'll see if it finds anything.

    Main problem though is that an ARK tool running on the installed system can't be trusted if said system is infected. I suppose the more up to date ARK tools (Rootkit Unhooker and the like) may be more trustworthy, but those tend to require more expertise than I have, which is why I wanted to do this from a live CD.

  4. #4
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default Re: Removing Windows rootkits with Backtrack?

    Those fake antivirus things can be easily removed with combofix.exe.

  5. #5
    Just burned his ISO
    Join Date
    Apr 2010
    Location
    America
    Posts
    16

    Default Re: Removing Windows rootkits with Backtrack?

    Is it the fake ones like Vista Guardian or whatever? Because they affect the Windows registry, and I found the easiest way to get rid of those is to do a System Restore, then run the antivirus and rootkit stuff. That's always worked for me on Windows Vista and XP.

  6. #6
    Just burned his ISO Josh13x12
    Join Date
    Sep 2007
    Posts
    4

    Default Re: Removing Windows rootkits with Backtrack?

    I say the easiest way to get rid of those fake antivirus programs is to start your computer in Safe Mode. Then go to Run, type in msconfig, look for unfamiliar startup programs, go to the source and delete them manually. Usually those kinds of programs are in a hidden directory, so you're going to have to unhide folders and files. Always works for me when I get those annoying fake antivirus programs.

  7. #7
    Very good friend of the forum hhmatt
    Join Date
    Jan 2010
    Posts
    660

    Default Re: Removing Windows rootkits with Backtrack?

    I've been successfully removing those fake AV spyware applications for a long time, and combofix is the best tool for the job. 99% of the time it will remove everything except for maybe one or two unimportant registry values. Combofix is by far the easiest, most effective way to remove those spyware applications.

    If you are really dealing with a rootkit then yes you can use backtrack to remove it but that would be a waste of time since it is not made for such a thing. What you really want to do is get that hard drive plugged into another machine with fully updated anti-malware programs that can scan your drive. Any bootable cd that can mount your "infected" hard drive has the ability to remove the rootkit files. Using something such as UBCD that has built in anti-malware programs is one of your best options.

    Bottom line: get the right tool for the job.

  8. #8
    Just burned his ISO
    Join Date
    May 2010
    Posts
    10

    Default Re: Removing Windows rootkits with Backtrack?

    I think UBCD4win is the best option.
    You can use the hex editors to check the MBR space and end of disk, dump n' load the registry hive, run multi AV scanners.
    Just make sure you build the UBCD4win on a known clean system.

    If you have copies of Windows system files I don't see why you couldn't use any LiveCD, Backtrack included, to replace them on the infected disk.

    @Gullible Jones
    But you probably know this stuff better than I do.
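    The MBR check this post describes, done with a small parser instead of eyeballing a hex editor. This is an added example, not code from the thread or from any of the tools named in it; it assumes the first sector of the suspect disk has already been saved to a file from the live CD, and the sample MBRs below are constructed for illustration.

```python
import hashlib
import struct

def parse_mbr(sector):
    """Split a 512-byte MBR into (sha256 of bootstrap code, signature ok?, partitions)."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:  # type 0x00 means an unused slot
            parts.append({"index": i, "status": status, "type": ptype,
                          "start": lba, "end": lba + count})
    return hashlib.sha256(sector[:446]).hexdigest(), sector[510:] == b"\x55\xaa", parts

def mbr_findings(sector, disk_sectors, known_bootcode_sha256=None):
    """Return findings a defender should look at; an empty list means nothing odd was seen."""
    digest, sig_ok, parts = parse_mbr(sector)
    found = []
    if not sig_ok:
        found.append("missing 0x55AA boot signature")
    if known_bootcode_sha256 and digest != known_bootcode_sha256:
        found.append("bootstrap code differs from the known-good baseline")
    if sum(p["status"] == 0x80 for p in parts) != 1:
        found.append("expected exactly one active (0x80) partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            found.append(f"partition {p['index']}: invalid status byte {p['status']:#04x}")
        if p["end"] > disk_sectors:
            found.append(f"partition {p['index']}: extends past the end of the disk")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end"] > b["start"]:
            found.append(f"partitions {a['index']} and {b['index']} overlap")
    if ordered and disk_sectors - ordered[-1]["end"] > 2048:  # > 1 MiB of tail space
        found.append("large unallocated region at end of disk; dump and inspect it")
    return found

def build_mbr(bootcode, entries):
    """Constructed test data: assemble an MBR from bootstrap bytes and (status, type, lba, count)."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return bootcode.ljust(446, b"\x00") + table + b"\x55\xaa"

# Constructed samples: a clean layout and one with altered boot code and overlapping partitions.
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 100000)])
TAMPERED_MBR = build_mbr(b"\xeb\x58\x90", [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 200000, 100000)])
DISK_SECTORS = 308000  # sample disk size; on a live CD take the real value from blockdev --getsz
CLEAN_BOOTCODE_SHA256 = parse_mbr(CLEAN_MBR)[0]  # baseline taken from the known-clean build
```

    On the live CD, save the sector with `dd if=/dev/sda of=mbr.bin bs=512 count=1` and pass `open("mbr.bin", "rb").read()` plus the disk size to `mbr_findings`; a baseline hash of the bootstrap code comes from the same disk image taken when the system was known clean.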

  9. #9
    Junior Member
    Join Date
    Feb 2010
    Posts
    43

    Default Re: Removing Windows rootkits with Backtrack?

    For such cases my favourite tool is Malwarebytes, which is a free tool; I highly recommend it.
