
DonationCoder.com Software > Post New Requests Here

IDEA: File lister


BinderDundat:
I know that this is fairly trivial - boring even - but let me explain the purpose.  With a list of files on the hard drive, you can discover RootKits.  First, run the lister under your normal boot O/S.  Then boot to a CD or key drive and run it again.  RootKits stealth their files so that they are not seen by normal scans by AV programs, but that means that they do not show up on a normal file list.  But, if the same list is created using an O/S that is not infected from a CD or key drive, the files will be on that list.  Ideally, the list would be in the form Drive:\Directory\FileName.Ext and the list would be saved as a text file.  In a perfect world, the utility would have the ability to compare the lists and generate a difference list.  I seem to have picked up a fairly mean rootkit somewhere - it has crashed IceSword and prevented the new Comodo Firewall from completely installing.  I have also had trouble running Sysinternals' Autoruns, so I will have to do this in a fairly elementary fashion.

app103:
If you are looking to find & remove a rootkit, there are at least 3 free tools to find & remove them:

* Sophos Anti-Rootkit
* AVG Anti-Rootkit Free
* McAfee Rootkit Detective

Read all instructions & documentation very carefully before use.

PhilB66:
A list of Rootkit Detection & Removal Software.

jgpaiva:
I see what you mean, and you are right about its use.

It's easy!:

    dir /s > out.txt

That'll save a listing of every file/folder under the current and sub-folders to the file named "out.txt".

Then, run a diff of those ;)
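The compare step that jgpaiva leaves to the reader, as an added example (not code from anyone in this thread): it parses two `dir /s` captures, strips the drive letter (the same volume usually gets a different letter when booted from a CD or PE disk) and reports paths present only in the offline listing, which are the candidates for stealthed files. The two listings are constructed samples, not real captures.

```python
import re
from typing import Dict, Set

# Constructed sample captures of `dir /s` (English-locale format), not real data.
# Online = taken under the normal boot; offline = taken from a PE/CD boot, where
# the same volume appears as D: and one extra driver file becomes visible.
ONLINE_LISTING = """\
 Directory of C:\\WINDOWS\\system32

08/04/2004  12:00 PM    <DIR>          .
08/04/2004  12:00 PM    <DIR>          ..
08/04/2004  12:00 PM    <DIR>          drivers
08/04/2004  12:00 PM           577,024 user32.dll
               1 File(s)        577,024 bytes

 Directory of C:\\WINDOWS\\system32\\drivers

08/04/2004  12:00 PM            34,688 disk.sys
               1 File(s)         34,688 bytes
"""
OFFLINE_LISTING = ONLINE_LISTING.replace("C:\\", "D:\\").replace(
    "08/04/2004  12:00 PM            34,688 disk.sys\n",
    "08/04/2004  12:00 PM            34,688 disk.sys\n"
    "01/02/2007  03:15 AM            19,456 hidden.sys\n",
)

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")

def parse_dir_listing(text: str) -> Set[str]:
    """Full paths from a `dir /s` capture, drive letter removed and lower-cased
    (NTFS names are case-insensitive); summary lines and '.'/'..' are skipped."""
    paths: Set[str] = set()
    current = ""
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current = re.sub(r"^[A-Za-z]:", "", m.group(1)).lower()
            continue
        m = ENTRY.match(line)
        if m and m.group(2) not in (".", ".."):
            paths.add(current.rstrip("\\") + "\\" + m.group(2).lower())
    return paths

def compare_listings(online: str, offline: str) -> Dict[str, Set[str]]:
    """Paths seen only from the clean boot are the candidates for stealthed files;
    paths seen only online are usually volatile files (temp, logs, pagefile)."""
    on, off = parse_dir_listing(online), parse_dir_listing(offline)
    return {"only_offline": off - on, "only_online": on - off}
```

Run `compare_listings(ONLINE_LISTING, OFFLINE_LISTING)` with the two real capture files read in; expect the "only_online" set to contain churn from temp and log directories that needs to be ruled out by hand.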

BinderDundat:
Thanks for all the suggestions.  I had the idea that there was a problem due to three things:  a new piece of software reported .dll's that were supposedly in the C:\documents and settings\Admin\Local Settings\Temp folder that I did not find when I looked using Explorer - so I thought it might be stealthed .dll's.  I ran Ice Sword and did a log and reboot but that program failed to start up after that due to an initialization error, so I was starting to worry.  I found nothing with Process Explorer, but a well-stealthed rootkit might not show with that.  I then ran Rootkit Revealer and found two keys with embedded nulls and a key that Revealer could not access.  I booted with a PE disk and looked at the \Temp folder again and saw a .dll file, but with a different name than the ones reported before.  I tried using the Regdelnull (Sysinternals) file on the registry and used the remote registry editor to look at the result.  Well, the inaccessible key turned out to be a SCSI driver key, with an owner name that was a long string of numbers.  I could not delete the key, but I was able to edit the key's values and I renamed the .sys file that it pointed to (no SCSI connections on my system, so I was not worried).  The owner string probably refers to a system ID for SCSI devices, but I didn't need to take the chance that it was dangerous, so I nuked it.  Turns out the file was harmless according to Virustotal's scan.  The keys with embedded nulls are apparently legitimate??!!!  If you see a Rootkit Revealer report that shows:
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\SAC
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\SAI
as keys with embedded nulls, they are probably not a problem (although a rootkit that used those keys would be a real problem, because Regdelnull doesn't touch them).  After a few more checks, I think that it was a false alarm, but I was beginning to think that I had an unknown rootkit, especially when I had crash problems with Sysinternals' Autoruns when I referred listed items to Process Explorer.  Anyway, thanks again, especially for your suggestion jgpaiva.
