Windows Rootkits

ShinyRocks

Member
Aug 31, 2003
Will formatting my hard drive get rid of a Windows rootkit? My computer might be infected with one. Thanks!

drag

Elite Member
Jul 4, 2002
Probably.

Make sure that you do it from read-only media like a floppy disk with the read-only slider on, or a CD-ROM.

Also shut your computer down completely after you format it, so that nothing remains in memory.

Also it may be a good idea to zero out your hard drive.

All this is extremely paranoid behavior. A simple full-fledged format should be more than enough. No quick format.


Are you sure you have a rootkit? What is it?

I know there were some Windows rootkits available, but the nice ones are completely undetectable even by virus scanners and stuff.

Did you figure out how you got infected? Do you use a software firewall or a separate router device to protect yourself or not?

ShinyRocks

Member
Aug 31, 2003
I remember it happened right after I shut down my computer but left my broadband connection wide open. The next day my Sygate firewall tells me my virus program has been changed/modified even though I didn't download any update.

I remember reading that you have to dismount something, maybe the hard drive or whatever, in order to dislodge the rootkit since it sits between the operating system and the programs you run. Is dismounting whatever the same as formatting your hard drive?

I also disagree that rootkits are undetectable. Here is some reading on that subject: http://www.rootkit.com/vault/joanna/windows_rootkit_detection_joanna.pdf

Nothinman

Elite Member
Sep 14, 2001
Originally posted by: ShinyRocks
I remember it happened right after I shut down my computer but left my broadband connection wide open

If the computer is off it can't be infected because nothing can run while the OS is shut down.

Originally posted by: ShinyRocks
I also disagree that rootkits are undetectable

You'd be wrong. If the rootkit is good it'll install a kernel module or driver that intercepts attempts to find it (read files, check memory, md5sums, etc.) and returns what you're expecting to find instead of what's really there. If you think you're infected you can't trust the system at all; you need to check from known-good media (a Linux boot CD like Knoppix, or a WinPE boot CD, or something).

sciencewhiz

Diamond Member
Jun 30, 2000
Originally posted by: Nothinman
I remember it happened right after I shut down my computer but left my broadband connection wide open

If the computer is off it can't be infected because nothing can run while the OS is shutdown.

However, some DSL modems have exploitable firmware. That could then be used to exploit your computer once it is turned on.

Nothinman

Elite Member
Sep 14, 2001
You'd need either really, really bad luck or to be specifically targeted for something like that though.

drag

Elite Member
Jul 4, 2002
I'd be more worried about the simple consumer routers being vulnerable than the modems. :p I suppose DSL modems are complex enough to be vulnerable, but I never thought about that before.

There have been a few routers/firewalls that have had serious flaws in them that can be exploited. Firmware updates can fix them.

Then again there are a few bad seeds like some of Belkin's home routers that were intentionally designed to hijack browser requests from their client computers and send them to advertisements on the web!! I think it did one in 60 requests on port 80 or something like that. They were hoping nobody would catch on and they would make a bit on the side from the advertising revenue!

If I was a hacker that wanted to attack someone with a specific IP address, but he had his computer turned off, I would simply write a script that would ping his computer every ten or fifteen minutes with one packet. Once it responded I would have the script do whatever exploit I wanted to try out on him in order to get my code (the trojan, rootkit, whatever) to run on his computer. That way I don't have to try to hack a turned-off computer!

I'm still interested in how you determined that your computer was hacked. Plenty of rootkits are easily detectable with anti-virus tools, and I suppose that many trojans can be identified as rootkits by some companies because they sound scarier.

But I also know that since it's hard to detect some kits you can get false positives with some software.

I remember that chkrootkit (a common Linux rootkit detection tool) has warned me several times that I may have a possible LKM rootkit installed on my computer. This was because it found processes running and detected them through the /proc/ directory, but they didn't turn up in a "ps" command (or vice versa; it was a while ago). Got me worried for a while! But it turned out to be a bug with the kernel and it didn't correctly indicate a couple of kernel-specific daemons.

I suppose something like that could happen in Windows easily, too. It would suck to have to reinstall over nothing.

Like it was said before, the only really reliable way to detect them is to boot up on separate protected media (like a Knoppix CD) and then try to detect them. That way the rootkit would have no way to protect itself from system scans and stuff like that since it would be dormant.
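Two points in this thread are worth seeing in code: Nothinman's description of a kernel rootkit hooking file reads so that an md5 check from inside the infected OS returns the expected hash, and drag's account of chkrootkit's LKM check (/proc versus ps) and the false positive it produced. The following is an added simulation, not code from any poster, chkrootkit or a real rootkit: the "hooked" functions stand in for the API the rootkit has patched, the RAW_* dictionaries stand in for what an offline scan from known-good media (or the raw /proc view) sees, and all file names, PIDs, hashes and byte strings are constructed for the example. It shows why an in-OS hash check passes while the same check from boot media fails, and a cross-view diff that only flags entries hidden in every round so a process that merely exited between two enumerations is not reported.

```python
"""Simulated cross-view rootkit detection (added example, constructed data)."""
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

# --- Constructed "truth", i.e. what known-good boot media would read -------
RAW_FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\ntoskrnl.exe": b"clean kernel image",
    r"C:\Windows\System32\drivers\evil.sys": b"hidden driver",   # hypothetical
    r"C:\Windows\System32\ws2_32.dll": b"patched winsock",       # tampered
}
RAW_PROCS: Dict[int, str] = {4: "System", 612: "csrss.exe",
                             1337: "backdoor.exe", 2048: "notepad.exe"}

HIDDEN_PATH = r"C:\Windows\System32\drivers\evil.sys"
TAMPERED_PATH = r"C:\Windows\System32\ws2_32.dll"
HIDDEN_PID = 1337

# Baseline md5sums recorded before the (simulated) infection. md5 is used
# because the thread talks about md5sums; for a real baseline use SHA-256.
CLEAN_HASHES: Dict[str, str] = {
    r"C:\Windows\System32\ntoskrnl.exe": hashlib.md5(b"clean kernel image").hexdigest(),
    TAMPERED_PATH: hashlib.md5(b"original winsock").hexdigest(),
}

# --- The rootkit's hooked view of the system ------------------------------
def hooked_list_files() -> List[str]:
    """Directory listing as returned by the hooked API: its own driver is gone."""
    return sorted(p for p in RAW_FILES if p != HIDDEN_PATH)

def hooked_read_file(path: str) -> bytes:
    """File read through the hook: for the file it patched, the rootkit hands
    back the *original* bytes, so any in-OS hash check sees the expected hash."""
    if path == TAMPERED_PATH:
        return b"original winsock"
    return RAW_FILES[path]

def hooked_list_procs() -> Dict[int, str]:
    """Process enumeration through the hook: the backdoor PID is filtered out."""
    return {pid: name for pid, name in RAW_PROCS.items() if pid != HIDDEN_PID}

def raw_read_file(path: str) -> bytes:
    """Read that bypasses the hook (offline scan from boot media)."""
    return RAW_FILES[path]

# --- Detection logic ------------------------------------------------------
def verify_hashes(read: Callable[[str], bytes]) -> List[str]:
    """Return paths whose current hash differs from the baseline, using the
    given read function. Called with hooked_read_file it finds nothing."""
    return sorted(p for p, expected in CLEAN_HASHES.items()
                  if hashlib.md5(read(p)).hexdigest() != expected)

def cross_view_diff(high_level: Iterable, low_level: Iterable) -> List:
    """Entries present in the low-level (raw) view but missing from the
    high-level (API) view: the classic hidden-file / hidden-process check."""
    return sorted(set(low_level) - set(high_level))

def persistent_hidden_pids(snapshots: List[Tuple[Dict[int, str], Dict[int, str]]]) -> List[int]:
    """chkrootkit-style /proc vs ps comparison, but a PID is reported only if
    it is hidden in every snapshot. A process that exits between the two
    enumerations of one round shows up in a single diff and is dropped, which
    is the kind of false positive drag describes."""
    hidden = None
    for api_view, raw_view in snapshots:
        diff = set(raw_view) - set(api_view)
        hidden = diff if hidden is None else hidden & diff
    return sorted(hidden or [])

def transient_snapshots() -> List[Tuple[Dict[int, str], Dict[int, str]]]:
    """Constructed rounds: PID 9999 exits between enumerations in round 1."""
    round1 = (hooked_list_procs(), {**RAW_PROCS, 9999: "short-lived.exe"})
    round2 = (hooked_list_procs(), dict(RAW_PROCS))
    return [round1, round2]

if __name__ == "__main__":
    print("in-OS hash check flags:", verify_hashes(hooked_read_file))      # []
    print("offline hash check flags:", verify_hashes(raw_read_file))       # tampered dll
    print("hidden files:", cross_view_diff(hooked_list_files(), RAW_FILES))
    print("hidden PIDs (single round):",
          cross_view_diff(hooked_list_procs(), transient_snapshots()[0][1]))
    print("hidden PIDs (persistent):", persistent_hidden_pids(transient_snapshots()))
```

The single-round diff reports both 1337 and the short-lived 9999; requiring persistence across rounds keeps only 1337. On a real box the "raw" side would come from the offline boot-media scan the thread recommends, because on the infected OS every enumeration path the rootkit has hooked lies consistently.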