Need an antirootkit live CD ASAP

Okay, I've got an infected computer on my hands - Windows Vista, the user had UAC turned off and a rogue antivirus blew right through McAfee and Windows Defender. Between Kaspersky Rescue Disk, MBAM, and HJT I was able to remove most of it, but when I tried using a bunch of antirootkit tools many didn't work, leading me to think that there might be a rootkit infection remaining. But the only tool I was able to get working right - Trend Micro Rootkit Buster - didn't see anything.

So... I'd like to know if there are any antirootkit live CDs out there. I don't mean live antivirus stuff like Kaspersky or Avira, I mean live Linux distros with NTFS support and Windows-compatible antirootkit tools. Does anyone know of anything like that?

(If so please reply ASAP, I want to get this done before tomorrow.)

 

I would recommend Bit Defender which runs Knoppix and will update its definitions to latest if you are connected to the net. http://download.bitdefender.com/rescue_cd/

 

Tried that before as an AV live CD, it wouldn't recognize the monitor properly, and the CLI wouldn't start scanning even after 15 minutes, so I canned it. At any rate, it seems to be antivirus than antirootkit.

I'm thinking something more along the lines of e.g. Trinity Rescue Kit... Is there anything like that, only up to date?

 

http://www.inside-security.de/insert_en.html

How bout this one?

 

THANK YOU!

Edit: err... last version was 2007. :/

 

http://www.backtrack-linux.org/

Sorry about that, this one looks updated to 2010.

 

And thank you. I wasn't aware Backtrack could be used for such purposes.

 

Yep, I remember using this on a heavily infected machine at the univ.

 

Alright I'm gonna need some help here. Backtrack as far as I can tell doesn't have any tools designed to deal with *Windows* rootkits built in. I tried running Gmer in Wine but it didn't work properly. Help?

 

www.ubcd4win.com comes with a anti rootkit, it also runs on Knoppix.

 

Which tool? Rootkitty? It looks extremely primitive and not too useful.

Edit: And I don't have a working Windows install, so I can't create a UBCD4Win disk.

 

Uumm: this might be too slow/not what youre looking for: install prevx free, scan and see what's there ??
If you're really stuck, paid up prevx offers a guaranteed assisted removal service
??

 

Yeah, not what I'm looking for. I know PrevX is supposed to be good against rootkits, but any antirootkit scan on a compromised machine may have compromised results, which is why I'm looking to use a live CD.

Although, it looks as though Kaspersky has good rootkit detection, so I may be in the clear... I hope.

 

If you know what malwares you cleaned you can figure out what rootkits are mostlikely installed.

Linux Live CD doesn't have tools I am familiar with to look around.
Best tool for what you want is UBCD4WIN. Includes Tiny Hexer which can be used to see the MBR, check for multi copies, Sinowal type. Also check the end of disk for data.
Create the UBCD4WIN on a known clean system.

If GMER won't run try Radix, RKU or Root Repeal. Also, Combofix, dds.

 

F-Secure has a rescue CD: Using Linux to Disinfect Windows.

I don't know if it can fix a rootkit infection, but might be worth a try.

-- Tom

 

Try the DrWeb Livecd and the VBA32 Rescue cd, drweb is gui'd while vba32 rescue is not. Both work well in the rootkit detection IMO.

Hth

 

In that case the BitDefender CD with Knoppix should do equally well.

 

I would stay away from Bitdefender, that software is full of bugs, at least it used to be..

Get Avira Live CD, its Linux based and works fine.

 

Well the new one is quite good and their Linux offering is actually excellent.

 

Well I wound up using Avira, which is supposed to have an ARK engine built in. At any rate, it found nothing. Thanks guys.

(BTW Avira Live CD is now able to do online updates.)

 

Hi Gullible Jones,

Do have the MS TechNet: Windows SysInternals tool, RootkitRevealer v1.71, in your toolkit arsenal?

-- Tom

 

Yup. And it wouldn't run on the machine in question. Still no idea why.

At any rate, Rootkit Revealer works from within the untrusted system, which makes its results... untrustworthy. No matter how good an ARK tool like that is, it won't be able to match the capabilities (in theory anyway) of one that runs from a live CD.

 

Hi Gullible Jones,

As the author of RootkitRevealer is quite tallented (MS bought him and his software + one colleague as I recall), it would probably be worth sending him your feedback in the hope that he can come up with a scheme to make it work from a live CD or flash drive.

-- Tom