Also, RootkitRevealer from sysinternals (now Microsoft).
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
Jason Kramer
University Archives and Records Management
002 Pearson Hall
(302) 831 - 3127 (voice)
(302) 831 - 6903 (fax)
Jason Kramer wrote:
Karen,
Yes you should. Also, rootkits load before any AV and anti-spyware
programs you have, so they can cloak themselves from scanning programs
by redirecting file and memory I/O commands. That is why you need to
scan the drive while it is offline (either by booting to some other
drive or a CD like BartPE, or by putting the drive in another system).
Make sure the system you use to scan your external drive is clean,
fully patched, and up to date with DATs and engine files for whatever
AV and anti-spyware program you are using, otherwise you run the risk
of infecting it too.
Jason
[email protected] wrote:
Oh, I have some rootkit scanners, and I
didn't think of running those. I'll run that today. Haven't used USB
drives since but that's a good precaution. I did of course back up the
data to my external hard drive. So I guess I should scan the external
drive?
Karen
I agree. You probably had a rootkit. If at all possible, I would
recommend you pull the drive, stick it in another system (that has
fully up to date AV and all OS patches), and scan it. Once a system is
infected, it can be very hard to clean from itself. By putting the
drive in another system, you don't give the virus/trojan/rootkit a
chance to hook into the OS and redirect file I/O to its own ends.
Also, if you used any USB drives or other writable removable
storage on the system while it was infected, you should scan them on a
known clean system. Same for any backups you made while the system was
infected.
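One way to put the cross-view idea behind RootkitRevealer into practice on the pulled drive described above (an added example, not from the thread and not RootkitRevealer's own code): compare a directory listing captured on the suspect system while it was running with one taken from the clean host where the drive is mounted offline; anything the running OS failed to show is a candidate for cloaking. The two listings, the E:\ mount letter and the hidden file name are constructed.

```python
"""Cross-view listing comparison, in the spirit of RootkitRevealer: the same volume
is enumerated once from the running (possibly hooked) OS and once offline from a
clean host; entries present in only one view are reported. All data is constructed."""

# Constructed: `dir /s /b C:\` output captured on the suspect system while running.
ONLINE_LISTING = """
C:\\Windows\\System32\\ntoskrnl.exe
C:\\Windows\\System32\\drivers\\ntfs.sys
C:\\Windows\\Temp\\scan.tmp
C:\\Users\\karen\\Documents\\report.doc
"""
# Constructed: the same drive listed from a clean host, mounted offline as E:\.
OFFLINE_LISTING = """
E:\\Windows\\System32\\ntoskrnl.exe
E:\\Windows\\System32\\drivers\\ntfs.sys
E:\\Windows\\System32\\drivers\\example_hidden.sys
E:\\Users\\karen\\Documents\\report.doc
E:\\pagefile.sys
"""
# Paths that legitimately differ between a running and an offline view (noise).
VOLATILE = ("windows/temp/", "pagefile.sys", "hiberfil.sys",
            "system volume information/", "$recycle.bin/")

def normalize(path: str, prefix: str) -> str:
    """Make one listing line comparable: drop the drive/mount prefix, unify
    separators and case (NTFS is case-insensitive)."""
    p = path.strip().replace("\\", "/")
    pre = prefix.replace("\\", "/").lower()
    if p.lower().startswith(pre):
        p = p[len(pre):]
    return p.strip("/").lower()

def load_view(listing: str, prefix: str) -> set:
    keys = (normalize(l, prefix) for l in listing.splitlines() if l.strip())
    return {k for k in keys if k and not k.startswith(VOLATILE)}

def cross_view_diff(online: str, online_prefix: str, offline: str, offline_prefix: str) -> dict:
    """hidden_online: visible offline but not through the running OS, the classic
    cloaking signature. missing_offline: seen online only (deleted since, or a
    phantom entry); both lists deserve a look. Content substitution of a file
    present in both views is NOT detected by a name-level comparison."""
    on, off = load_view(online, online_prefix), load_view(offline, offline_prefix)
    return {"hidden_online": sorted(off - on), "missing_offline": sorted(on - off)}

if __name__ == "__main__":
    for kind, paths in cross_view_diff(ONLINE_LISTING, "C:\\", OFFLINE_LISTING, "E:\\").items():
        print(kind, paths)
```

Take the online listing before pulling the drive and the offline one from the clean, fully patched host the thread recommends; the comparison only means something if the offline host itself is trusted.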