LinuxQuestions.org
Old 01-25-2010, 08:27 AM   #1
salimshahzad
Member
 
Registered: Dec 2009
Posts: 200

Rootkit attack on Windows/Linux network


Dear gurus,

I need your guidelines and any experience with rootkit behaviour.

As we noticed some people complaining about blue screens on Windows XP, we used many Linux diagnostic and live CDs to find out if there was any hardware failure.

Later we discovered that there is a rootkit attack over the network, even though we have AVG Internet on the network, fully updated. Having a rootkit, we are victims now.

I am trying various tools, but none detect the rootkit, even on a single PC.

Can someone advise how, on Linux PCs or on Windows, we can detect, diagnose and remove it safely?

Kind regards,
Salim
 
Old 01-25-2010, 08:40 AM   #2
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Hi Salim,

Rootkits are known for getting very deep into an OS and becoming very tricky to remove. There are various utilities under development for it, but as far as I know none yet can remove all the damage that some of the rootkits out there are able to perform. I would advise trying Rootkit Hunter (rkhunter) to try to detect the rootkits, but the best-known solution for removing rootkits is a full re-installation. I would examine your security policy for your OSs and think about tightening it up for the future.

Oh, and if you do have to back up data, ensure that there are no malicious scripts embedded in any of it; I have seen people try to restore backups on a just-reinstalled machine and end up re-rootkitting the entire system.
 
Old 01-25-2010, 08:53 AM   #3
kforbus
Member
 
Registered: Sep 2009
Location: Maryland
Distribution: Slackware
Posts: 68

I'm assuming that all of the hardware (memory, hard disks, etc.) checked out and is okay. A while back I used RootkitRevealer from Sysinternals to check for rootkits. It's a Windows program. A popular program for Linux is chkrootkit, but AFAIK it only checks for Linux rootkits, not Windows ones. Somebody can correct me if I'm mistaken.

I wouldn't rule out a coincidence either. Even though you have had a rootkit attack, the blue screens could still be unrelated. Is it affecting the majority of your systems or just a few?

I know you're looking for a way to use Linux to find the solution, but what I usually do when I'm encountering blue screens is this:

In XP system properties, tell it not to automatically reboot when a blue screen happens. This will give you a chance to actually read the error on the screen. Then you can search for possible causes of the error.

Tell XP to do a complete memory dump when it blue-screens. The dump file will be saved in the C:\Windows directory and will be called MEMORY.DMP. You can use a tool like WinDbg for Windows to analyze the .dmp file and hopefully find what the culprit is. Even if you don't completely understand the output, I'm pretty sure there are some forums out there where you can post the WinDbg output and have others help you analyze it.
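The three steps above (no automatic reboot, complete memory dump, WinDbg on the dump) collected into one PowerShell script for the XP workstation. This is an added example, not code from the thread. It uses the standard CrashControl registry values; the Debugging Tools for Windows install folder, the local symbol cache path and C:\WINDOWS as the system root are assumptions for the example.

```powershell
# Added example (not from the thread): prepare a Windows XP machine so the next
# blue screen stays on screen and writes a complete memory dump for WinDbg.
# Run in an administrator PowerShell on the affected XP box.

$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# 1. Keep the STOP screen up instead of rebooting, so the error can be read.
Set-ItemProperty -Path $crashKey -Name 'AutoReboot' -Value 0 -Type DWord

# 2. Write a complete memory dump (1) to %SystemRoot%\MEMORY.DMP.
#    Other values: 0 = none, 2 = kernel memory dump, 3 = small (64 KB) minidump,
#    which is XP's default and lands in %SystemRoot%\Minidump.
Set-ItemProperty -Path $crashKey -Name 'CrashDumpEnabled' -Value 1 -Type DWord
Set-ItemProperty -Path $crashKey -Name 'DumpFile' -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString
Set-ItemProperty -Path $crashKey -Name 'Overwrite' -Value 1 -Type DWord

# 3. Prerequisite: a complete dump is only written when the paging file on the
#    boot volume is at least physical RAM + 1 MB. Warn if it is smaller.
$ramMB = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pf = Get-WmiObject Win32_PageFileUsage | Where-Object { $_.Name -like ($env:SystemDrive + '*') }
$pfMB = if ($pf) { [int]$pf.AllocatedBaseSize } else { 0 }
if ($pfMB -lt ($ramMB + 1)) {
    $msg = 'Paging file on {0} is {1} MB; a complete dump needs at least {2} MB. Enlarge it in System Properties first.'
    Write-Warning ($msg -f $env:SystemDrive, $pfMB, ($ramMB + 1))
}

# 4. Read the settings back to confirm they took.
Get-ItemProperty -Path $crashKey | Select-Object AutoReboot, CrashDumpEnabled, DumpFile, Overwrite

# 5. After the next crash, open the dump in WinDbg (Debugging Tools for Windows)
#    and let !analyze -v name the bugcheck, its parameters and the faulting module.
#    The same command line works on the existing Minidump\*.dmp files.
#    Install path and symbol cache folder are assumptions for this example.
$windbg  = 'C:\Program Files\Debugging Tools for Windows\windbg.exe'
$symbols = 'srv*C:\Symbols*http://msdl.microsoft.com/download/symbols'
& $windbg -y $symbols -z 'C:\WINDOWS\MEMORY.DMP' -c '!analyze -v'
```

Run steps 1 to 4 before the next crash. The registry and WMI answers in step 3 and 4 come from a machine that is suspected of being rootkitted, so treat them as that box's own story; copy MEMORY.DMP to a separate, clean workstation that has the Debugging Tools installed for the WinDbg step rather than analysing it on the victim.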
 
Old 01-26-2010, 06:27 AM   #4
salimshahzad
Member
 
Registered: Dec 2009
Posts: 200

Original Poster
Dear gurus,

Thanks for your prompt response.

It is happening every day, one more PC. We have approximately 50+ users, and every day one PC restarts abnormally, crashes or blue-screens. I feel that if it were hardware failure, it would not be so fast, one PC failing every day (RAM, HDD, motherboard, CPU, etc.). Even though I tried SystemRescueCd, Hiren's BootCD and other diagnostic tools, at the hardware level I can't find it.

For Microsoft I am using RootkitRevealer.exe, but it just detects 0 KB registry keys on every PC; basically it shows the registry keys which every Windows XP has.

I am running various tools for rootkits, but I can't find a single rootkit there.

MS has given the link below to solve it in various ways:
http://support.microsoft.com/kb/894278

However, Microsoft says if this message comes it is
+++++++++++++++++++++++++++++++++++++++++++++++++
BELOW IS THE MESSAGE THAT COMES WHEN THE PC BECOMES BLUE on the client. Unfortunately there is no Linux to test this; please advise.
BCCode : 00000050 BCP1 : 0xeb7ff002 BCP2 : 0x00000000 BCP3 : 0x8054af32 BCP4 : 0x00000001 OSVer : 5_1_2600 SP : 0_0 Product : 256_1
++++++++++++++++++++++++++++++++++++++++++++++

I have 2 main Linux servers: 1 is Oracle and the other is an Axigen email server.

All the rest of the servers are Windows 2003.

This is for your info.

Regards,
Salim
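As an added example that is not part of the post: a PowerShell function that parses the error-report line quoted above into its bugcheck code, parameters and OS version, and explains the parameters for the one code that appears there. The sample input is the line from the post; the parameter meanings for bug check 0x50 come from the WinDbg bug check reference; the function and its name are mine, not anything from Microsoft or the thread.

```powershell
# Added example (not from the thread): decode the "BCCode : ... BCP1 : ..." line
# that Windows XP's error reporting shows after a blue screen.

# Sample input copied from the post above.
$sampleLine = 'BCCode : 00000050 BCP1 : 0xeb7ff002 BCP2 : 0x00000000 BCP3 : 0x8054af32 BCP4 : 0x00000001 OSVer : 5_1_2600 SP : 0_0 Product : 256_1'

function ConvertFrom-BugCheckLine {
    param([Parameter(Mandatory = $true)][string]$Line)

    # Tokenise the "Name : value" pairs into a hashtable.
    $fields = @{}
    foreach ($m in [regex]::Matches($Line, '(\w+)\s*:\s*(\S+)')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }

    # All numeric fields are hex; Convert.ToUInt32 accepts an optional 0x prefix.
    $code = [Convert]::ToUInt32($fields['BCCode'], 16)
    $p = 1..4 | ForEach-Object { [Convert]::ToUInt32($fields["BCP$_"], 16) }

    # OSVer is major_minor_build; 5.1.2600 is Windows XP.
    $osParts = $fields['OSVer'] -split '_'
    $os = 'NT {0}.{1} build {2}' -f $osParts[0], $osParts[1], $osParts[2]
    if ($osParts[0] -eq '5' -and $osParts[1] -eq '1') { $os = "Windows XP ($os)" }

    # Only the code present in the sample is tabulated here.
    $meaning = switch ($code) {
        0x50 {
            # PAGE_FAULT_IN_NONPAGED_AREA: invalid system memory was referenced.
            # P1 = address referenced, P2 = 0 read / 1 write,
            # P3 = address of the instruction that made the reference, P4 = reserved.
            $access = if ($p[1] -eq 0) { 'read' } else { 'write' }
            'PAGE_FAULT_IN_NONPAGED_AREA: {0} of 0x{1:x8} by the instruction at 0x{2:x8}' -f $access, $p[0], $p[2]
        }
        default { 'Bug check 0x{0:x}: look it up in the WinDbg bug check reference' -f $code }
    }

    New-Object PSObject -Property @{
        BugCheck    = '0x{0:x8}' -f $code
        Parameters  = ($p | ForEach-Object { '0x{0:x8}' -f $_ }) -join ' '
        OS          = $os
        ServicePack = $fields['SP'] -replace '_', '.'
        Meaning     = $meaning
        # On 32-bit XP with the default split, addresses at or above 2 GB are kernel-mode.
        KernelMode  = ([long]$p[0] -ge 2GB) -and ([long]$p[2] -ge 2GB)
    }
}

ConvertFrom-BugCheckLine -Line $sampleLine | Format-List
```

For the quoted line this reports a 0x50 PAGE_FAULT_IN_NONPAGED_AREA, a read of 0xeb7ff002 by the instruction at 0x8054af32, both kernel-mode addresses. The bug check reference lists defective memory, faulty drivers and antivirus or other filter software among the usual causes of 0x50, so the code alone does not separate bad RAM from a malicious kernel component; what names the module is running `!analyze -v` on the matching minidump with symbols, which resolves the BCP3 address to a driver or to ntoskrnl.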
 
Old 01-27-2010, 11:15 AM   #5
kforbus
Member
 
Registered: Sep 2009
Location: Maryland
Distribution: Slackware
Posts: 68

Quote:
Originally Posted by salimshahzad View Post
ms has given below link to solve various ways
http://support.microsoft.com/kb/894278

I've only had a chance this morning to briefly skim over that MS support link. I did notice they provided a list of tools known to detect the malware at the bottom of the article. I'm guessing you've already tried some of those listed and not had any luck. You may want to try getting a second-opinion antivirus, something like Avast that you can install and perform a scan with. Trend Micro should still have their online HouseCall scan (although I haven't used it in years, so I can't really vouch for it anymore). You could even try mounting the Windows disk under Linux and scanning it with ClamAV. Good luck in finding the malware.

On a related note, you may want to consider coming up with some procedures for how to deal with outbreaks like this in the future. The time it will take to identify and remove the culprit from that many production workstations may be longer than some other mitigation techniques. If you haven't already, I'd look at setting up something like a Clonezilla server. That way, you can create a clean image for your workstations and re-image them when needed over your network. Your users do store their important documents on a network share that gets backed up regularly and not on their local disks, right?

Anyway, that's just some ideas for you.
 
Old 01-27-2010, 12:01 PM   #6
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Moved: This thread is more suitable in <GENERAL> as it deals with windows issues, and has been moved accordingly to help your thread/question get the exposure it deserves.
 
  

