Hi all, I'm new to the forums. I'm glad to be here and I look forward to learning a lot. I'll start my first post with a poll. I use GMER and F-Secure Blacklight. Which anti-rootkit(s) do you use?
TrendMicro RootkitBuster. Thank you for this interesting list; unfortunately many of them are incompatible with Win 7.
On units that I'm servicing, I use RKU, GMER, and others. On my own, none. Rootkit removers aren't necessary when a default-deny security policy won't allow them to install in the first place.
Meriadoc, why use a debugging tool when you can use an actual anti-rootkit that finds rootkits itself?
Of course it is one of the best tools for this. By using, and knowing how to use, WinDbg you need not limit yourself to the power of an ARK while applying the same sort of approaches as anti-rootkit tools use.
Likewise for me (although I'm not good enough to service computers!). I used F-Secure Blacklight in the past and Avira lately, but I doubt I will ever find anything, as nothing will execute without my approval and in a virtual environment.
True, but that is only of any use to people with a higher than intermediate knowledge of kernel debugging. This will rule out about 95% of the people here. Also, reformats are caused more by these things than anything else! Thanks for the link, but that version is unstable. What is the most stable version?
But ARKs need knowledge; the useful tools that generate the same information as WinDbg are also advanced tools. Actually, some of the learning curve of WinDbg isn't so steep. For example, using a good anti-rootkit tool such as RkU, RootRepeal or Kernel Detective we can look up hooked entries in the SSDT (System Service Table) and IDT (Interrupt Dispatch Table); some tools highlight these in red. In WinDbg we can also do this by dumping said table using the command "!idt -a". You could look for patched functions with "!chkimg -d nt". What you need to do is interpret the output. For example: list processes in WinDbg with "!process 0 0", then compare with the list in a process explorer, say Sysinternals' tool, Task Manager or Process Hacker. A discrepancy would point to a rootkit. ARKs simplify some of this by showing you what is hidden; some of the information needs the user to investigate further. I've never had to reformat due to using WinDbg.
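The cross-view comparison described in the post above (kernel-mode process list from "!process 0 0" versus a user-mode process list), as an added example that is not part of the original post or of any tool named in the thread. It parses a constructed sample of "!process 0 0" output and a constructed tasklist-style CSV snapshot, then reports PIDs that the kernel knows about but user mode does not. The process names, addresses and PIDs in the samples are made up for illustration; "updsvc.exe" is a placeholder, not a real indicator.

```python
import csv
import io
import re

# Constructed sample of WinDbg "!process 0 0" output (kernel-mode view).
# Addresses, Cids and image names are invented for this example.
WINDBG_PROCESS_DUMP = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 8a6c9020  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1000f78  HandleCount: 263.
    Image: System

PROCESS 8a3b1da0  SessionId: 0  Cid: 0244    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 0a1c0020  ObjectTable: e1ab2c08  HandleCount:  21.
    Image: smss.exe

PROCESS 89f7e3b8  SessionId: 0  Cid: 0318    Peb: 7ffd9000  ParentCid: 02f0
    DirBase: 0b4f2040  ObjectTable: e2210e30  HandleCount: 412.
    Image: svchost.exe

PROCESS 89d12020  SessionId: 0  Cid: 0760    Peb: 7ffd5000  ParentCid: 0318
    DirBase: 0c7a1060  ObjectTable: e2af3a10  HandleCount:  55.
    Image: updsvc.exe
"""

# Constructed user-mode snapshot in the style of `tasklist /FO CSV`
# (Task Manager / Process Explorer would give the same PID/name pairs).
# Note that PID 0x0760 (1888) from the kernel view is absent here.
USERMODE_LIST = """\
"Image Name","PID"
"System","4"
"smss.exe","580"
"svchost.exe","792"
"""

# "Cid:" in !process output is the PID, printed in hexadecimal.
PROCESS_RE = re.compile(r"^PROCESS\s+[0-9a-fA-F]+\s+SessionId:\s*\S+\s+Cid:\s*([0-9a-fA-F]+)")
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)")


def parse_windbg_processes(dump):
    """Return {pid: image_name} from "!process 0 0" text."""
    procs = {}
    pid = None
    for line in dump.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            pid = int(m.group(1), 16)  # hex Cid -> decimal PID
            continue
        m = IMAGE_RE.match(line)
        if m and pid is not None:
            procs[pid] = m.group(1)
            pid = None
    return procs


def parse_usermode_list(text):
    """Return {pid: image_name} from a tasklist-style CSV snapshot."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def cross_view_diff(kernel_view, user_view):
    """Compare the two views. Anything the kernel sees that user mode does
    not is the classic sign of process hiding; the reverse direction is
    usually a process that exited between the two snapshots, so take them
    as close together in time as possible before treating it as suspicious."""
    hidden = {pid: name for pid, name in kernel_view.items() if pid not in user_view}
    only_user = {pid: name for pid, name in user_view.items() if pid not in kernel_view}
    mismatch = {
        pid: (kernel_view[pid], user_view[pid])
        for pid in kernel_view
        if pid in user_view and kernel_view[pid].lower() != user_view[pid].lower()
    }
    return {"hidden_from_user_mode": hidden, "only_in_user_mode": only_user, "name_mismatch": mismatch}


if __name__ == "__main__":
    result = cross_view_diff(parse_windbg_processes(WINDBG_PROCESS_DUMP), parse_usermode_list(USERMODE_LIST))
    for category, entries in result.items():
        print(f"{category}: {entries}")
```

On a real system you would paste the actual "!process 0 0" output into the first string and a fresh `tasklist /FO CSV` capture into the second; the parser only relies on the "PROCESS ... Cid:" and "Image:" lines, so the extra fields WinDbg prints between them are ignored.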
Stable here so far. Previous RkU release blog entry: RkU 3.8.380.580, or the Windows 2000 fix, RkU 3.8.380.581.
tester, I say that simply because it isn't the latest anti-rootkit out there. It hasn't been updated since Jan 2008. Also, it's only compatible with Windows 2000 and Windows XP.
I see. I thought it was updated about 3 months ago. Can't find confirmation, so I may be wrong about that.
the Tester, is this usec.at "Radix 1.0.0.9 released" forum post of August 20th, 2009 what you were thinking about? Re: Radix Anti-Rootkit