SysInternals Rootkit Detector


Viruses! Trojan Horses! Spyware! Once your machine has been infected, you’re never quite sure if you’ve gotten rid of everything. I just read on Slashdot that the guys at SysInternals have released a free Rootkit Detector, which is just the sort of thing you need to help ferret out the really nasty stuff. Mac users may go outside and snicker while the rest of us get on with this post!

The SysInternals people also run WinInternals; these two sites are the highest authority, as far as I’m concerned, when it comes to grokking the subtleties of Windows kernel technology. Their utilities have been saving my ass since the early 90s, and their writing has always been clear, concise, and illuminating. They absolutely rock!

The SysInternals Rootkit scanner operates on one basic premise: comparing the deepest, darkest level of Windows system information (what is actually on disk and in the kernel) with what is reported on the surface to applications through the normal Windows APIs. Spyware and malware often hide themselves from Windows’ own process and registry views (though some hidden entries are legitimate too). I believe it also scans for specific known rootkit signatures. It runs quickly either from the command line or from a window. Nothing fancy looking…my first run didn’t reveal anything unusual except for an “access denied” for controlset clsid 4d36e965-e325-11ce-bfc1-08002be10318, which is apparently related to the CD-ROM or DVD drive and not to be worried about.
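To make the “compare the low-level view with the API view” premise concrete, here is an added toy example (not code from the post or from SysInternals) that diffs two constructed registry snapshots; the key paths, the hypothetical `evilsvc` service and the “access denied” entry are all made-up sample data, and the GUID is simply the one quoted above:

```python
# Added example: a minimal cross-view comparison of the kind a rootkit
# detector performs. Both views are constructed sample data, not real
# hive contents or real API output.

# What ordinary applications see through the Windows registry API.
API_VIEW = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk": {"Start": "0"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Beep": {"Start": "1"},
}

# What a raw read of the hive file on disk reports (constructed).
# A value of None stands for "access denied" on the raw read.
RAW_VIEW = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk": {"Start": "0"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Beep": {"Start": "3"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\evilsvc": {"Start": "2"},  # hypothetical
    # Constructed path built around the GUID the post mentions.
    r"HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}": None,
}


def cross_view_diff(api_view, raw_view):
    """Return (key, category, detail) for every discrepancy between views.

    Categories: 'hidden'  - on disk but invisible to the API (classic rootkit sign)
                'mismatch' - visible in both, but the reported values differ
                'access_denied' - raw read failed; needs manual review, not proof
                'api_only' - visible to API only (volatile keys, transient state)
    """
    findings = []
    for key, raw in raw_view.items():
        if raw is None:
            findings.append((key, "access_denied", "raw read denied; verify by hand"))
            continue
        api = api_view.get(key)
        if api is None:
            findings.append((key, "hidden", "present on disk, absent from API view"))
        elif api != raw:
            findings.append((key, "mismatch", f"API {api} vs raw {raw}"))
    for key in api_view:
        if key not in raw_view:
            findings.append((key, "api_only", "not on disk; likely volatile"))
    return findings


if __name__ == "__main__":
    for key, category, detail in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"[{category:<13}] {key}: {detail}")
```

Only the “hidden” and “mismatch” categories point at something actively concealing itself; an “access denied” on the raw read, like the one in my first run, is listed separately so it is reviewed rather than treated as a hit.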

I suspect it may be helpful in saving some time…when I suspect I’ve been hit, it’s quite a production to go back to happy computing land: I reformat, reinstall the OS from CD, and reinstall everything from known uncorrupted sources. I also install Norton Anti-Virus and SpyBot Search and Destroy. Why such extreme measures? Sigourney “Ripley” Weaver says it best in Aliens:

“I say we take off and nuke the entire site from orbit. That’s the only way to be sure.”

Amen to that. But sometimes having a big enough gun will hold the bugs at bay long enough to finish that rush job on time.

I also usually keep a copy of my “pristine working setup” on a DVD-R so I can restore my system partition with all apps in about 12 minutes. I keep my data partition separate, so this doesn’t erase my data or email, but reinstalling those tiny utilities, fonts, etc., is still time consuming.

More when I get a chance to play with the detector.