Again, I'm asked to do the impossible

[unfaithfulsfan]

Apparently the two computers I have on the bench are "infected" with RootKits. I'm not that familiar with this at all. In fact, I'd never even heard of such a thing until yesterday.

Everything I've read about them from MS on down says that Reformat and Reload is the only way to get them off the PC. But my boss, of course, says "that's not true so figure it out"

Anybody got any ideas? Both PCs are Dells with Maxtor hard drives. (Dimension E521 and B110, respectively) They both boot to BSOD in either regular or safe mode. The errors are similar (0x0000007E on one and 0x0000007B on the other) 7E points to bad drivers, most likely video. 7B is "inaccessible boot device." Both have passed extensive hardware diagnostics. I've pulled the drives and run multiple virus scans to rule out any other spyware or malware.

I've checked the system32/drivers folder to make sure there's nothing squirrelly in there as well as System32 for any rogue files

How do I get to the root of the OS? Boss-man says it can be done.

I'm open to suggestions!

Thanks!
Jack

[kappage]

This might sound stupid, have you tried the repair option on the windows install disc?

[Sporg]

Just sent you a PM.

[unfaithfulsfan]

Not yet, according to the wise and wonderful boss, that doesn't work. I was just thinking I'll image one of the drives and try a few things to see if they work.

Thanks for the quick response!
Jjack

[Sporg]

I sent you a PM, then reread that you can't actually get into windows. You might look for a bootable option first.

Something like hiren's bootcd has rootkit detection. I have a dumb question, how do you know they have rootkits?

[edit - had the link to his site, didn't realize it was considered warez these days - been forever since I last used it]

[Darkstar]

you can try Sophos and / or Microsofts (sysinternals) rootkit removal software, but a wipe and reinstall is the best option .

http://www.sophos.com/products/free-too ... otkit.html

http://technet.microsoft.com/en-us/sysi ... 97445.aspx
Edit> just saw the BSOD remark, the above only applies if you can get a boot of course.

dont know what to tell you, your boss doesnt sound very nice.

[unfaithfulsfan]

I have a dumb question, how do you know they have rootkits?

Personally I don't, my boss who has been doing this for over 15 years made the declaration yesterday that after trying everything else that hasn't worked the options are narrowing down to RootKits.

I pulled both drives and ran multiple virus scans that yielded nothing at all other than 40-odd tracking cookies on one. The hard drives are mechanically sound and there's nothing in either one indicating any monkey business as far as unusual files or programs installed.

I have no experience with them at all so I have to, for the moment at least, take Tadziu's word for it and go from there.

Thanks again for the info!! Thanks also, Darkstar

This might sound stupid, have you tried the repair option on the windows install disc?

I imaged the disc and tried a repair install. It gets to the "installing Windows" @ 39 minutes then prompts me for a file "asms" on the Win XP Pro SP 2 CD and locks up the computer. Keyboard and mouse don't respond.

I find that strange anyway because I'm installing Dell's version of XP MCE (I think 2005) with SP2.

I'll try these tools and see what happens. Darkstar, do you know offhand whether you can specify a particular drive with these. If so, I could select the drive or load the registry hive and work from there while connected to the shop PC

Jack

[Darkstar]

Sorry, i havent had to use either, i just have them in my toolkit JIC. Maybe someone can tell you if they can be loaded onto a bootable cdrom to run a scan (Barts PE app?)

[Sporg]

I know Hirens has it as part of the package, but you might not want to grab that from work. Like Darkstar said BartsPE might have that (or you could create your own PE and add it). You might also check out Knoppix, not sure if it has a rootkit detector.

[unfaithfulsfan]

I said WTF and tried running it while the drive was connected to my computer. It registered as "E:" I guess it worked because I saw "E:\Windows\System32..." etc in the status bar but all in all it didn't find anything. So maybe I'm going down the wrong path.

I also tried rebuilding the registry which didn't work. The only other thing I can do is to try to manually restore the system through system restore but I've only done that once and I swear I can't remember how I did it. Anybody got any tips for me on that one?

Thanks,
Jack

[Darkstar]

how about slaving the drives to get whatever info you need and doing a wipe and clean install on them?

[unfaithfulsfan]

how about slaving the drives to get whatever info you need and doing a wipe and clean install on them?

That was my opinion, too but that option has been removed.

On a brighter note, I rebuilt the registry on the second one and it booted up so I'm running virus scans on it as I write this.

The other one my boss got involved in it now we have multiple copies of system32/config and I've lost track of which one is which. But we were at least able to get it to boot,, almost. We were here til almost 9 last night working on it. With one set we got an lsass.exe error (essentially, it was an error about passwords, I've got the error saved) So we tried another SYSTEM hive and it gave us a corrupt win32/config/system error on boot.

So, now I'm going to try copying the SYSTEM hive from the clean install I did on another drive and see what happens there.

I just want to make it through the day so I can go watch the Buffalo/Detroit game at the Ralph tonight!!!--courtesy of The Boss. He has season tickets but doesn't want to go to a pre-season game. Obviously, I'm not that proud! It's sold out, which is cool. That needs to happen a lot more often. I'm not a big football fan but living here is turning me into one!

Jack