Someone I know got their Windows Vista PC infected with one of those obnoxious fake antivirus apps. Between Kaspersky Live CD, MBAM, and HJT I seem to have removed most of it... However, when I was attempting to scan for any rootkits that might be present, most of the ARK tools I tried failed to run or were hampered in some way. I'm not sure, but because of that I suspect that some component of the malware is still in hiding on the machine.
(A rootkit is a definite possibility from what I can see; UAC was off at the time so the machine was exploited with full admin privileges.)
Anyway... I've got no working Windows install at the moment, so no BartPE or UBCD4Win unfortunately. What I do have is SystemRescueCD (with the latest version of ClamAV, for whatever that's worth), Kaspersky Live, and of course a Backtrack 4 DVD I just burned.
I've heard that Backtrack is very good for forensics and the like, and so might be a good choice for finding a rootkit on a Windows partition. Problem is I don't know my way around any of the forensics tools; they all look very advanced and not very user-friendly. So, if I'm looking for a rootkit on the Vista partition, what should I use and how?
Last edited by hypervista; 05-17-2010 at 08:35 PM.
Thanks... I tried RootkitBuster, it came up with nothing. Haven't tried Sophos yet though, I'll see if it finds anything.
Main problem though is that an ARK tool running on the installed system can't be trusted if said system is infected. I suppose the more up to date ARK tools (Rootkit Unhooker and the like) may be more trustworthy, but those tend to require more expertise than I have, which is why I wanted to do this from a live CD.
Those fake antivirus things can be easily removed with combofix.exe.
Is it the fake ones like Vista Guardian or whatever? Because they affect the Windows registry, and I found the easiest way to get rid of those is to do a system restore, then run the antivirus and rootkit stuff. That's always worked for me on Windows Vista and XP.
I say the easiest way to get rid of those fake antivirus programs is to start your computer in safe mode. Then go to Run, type in msconfig, and look for unfamiliar startup programs, then go to the source and delete them manually. Usually those kinds of programs are in a hidden directory, so you're going to have to unhide folders and files. Always works for me when I get those annoying fake antivirus programs.
I've been successfully removing those fake AV spyware applications for a long time and combofix is the best tool for the job. 99% of the time it will remove everything except for maybe one or two unimportant registry values. Combofix is by far the easiest, most effective way to remove those spyware applications.
If you are really dealing with a rootkit then yes you can use backtrack to remove it but that would be a waste of time since it is not made for such a thing. What you really want to do is get that hard drive plugged into another machine with fully updated anti-malware programs that can scan your drive. Any bootable cd that can mount your "infected" hard drive has the ability to remove the rootkit files. Using something such as UBCD that has built in anti-malware programs is one of your best options.
Bottom line: get the right tool for the job.
I think UBCD4win is the best option.
You can use the hex editors to check the MBR space and end of disk, dump n' load the registry hive, run multi AV scanners.
Just make sure you build the UBCD4win on a known clean system.
If you have copies of Windows system files I don't see why you couldn't use any LiveCD, Backtrack included, to replace them on the infected disk.
But you probably know this stuff better than I do.
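The post above suggests checking the MBR space with a hex editor from a clean boot CD. As an added example (my own script, not code from this thread or from any tool named here), here is a small Python check you could run from a Linux live CD: it reads the first sector read-only, hashes the boot code so you can compare it with a known-good copy, lists the partition table, and reports the unallocated gap between the MBR and the first partition, which is the area worth eyeballing in a hex editor. The sample MBR bytes and the reference hash are constructed, and the device path and script name are assumptions.

```python
import hashlib
import struct
import sys
SECTOR = 512

def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR: boot signature, boot-code hash, partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # Each 16-byte entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    first = min((p["lba_start"] for p in parts), default=1)
    return {"signature_ok": sector[510:512] == b"\x55\xAA",
            "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "partitions": parts,
            "gap_sectors": first - 1}  # unallocated sectors between MBR and first partition

def findings(info: dict, known_good_sha256: str) -> list:
    """Return human-readable anomalies worth a closer look in a hex editor."""
    notes = []
    if not info["signature_ok"]:
        notes.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_sha256:
        notes.append("boot code differs from known-good reference")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        notes.append(f"{len(active)} partitions marked active (expected 1)")
    for a in info["partitions"]:
        for b in info["partitions"]:
            if a["index"] < b["index"] and a["lba_start"] < b["lba_start"] + b["sectors"] \
                    and b["lba_start"] < a["lba_start"] + a["sectors"]:
                notes.append(f"partitions {a['index']} and {b['index']} overlap")
    return notes

def build_sample_mbr() -> bytes:
    # Constructed sample, not a real disk dump: zeroed boot code, one active NTFS (0x07) partition.
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return b"\x00" * 446 + entry + b"\x00" * 48 + b"\x55\xAA"

if __name__ == "__main__":
    # Assumed usage from a live CD: python3 mbrcheck.py /dev/sda <reference-sha256>  (device opened read-only)
    with open(sys.argv[1], "rb") as dev:
        info = parse_mbr(dev.read(SECTOR))
    print(info["partitions"], "gap sectors:", info["gap_sectors"])
    print(findings(info, sys.argv[2]) or ["no anomalies found"])
```

The reference hash comes from a known-clean install of the same Windows version; a mismatch is a reason to dump the boot code and the gap sectors for a closer look, not proof of a bootkit on its own.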
For such cases my favourite tool is Malwarebytes, which is a free tool; I highly recommend it.