How do I get rid of a rootkit

T5

Apparently, I have a rootkit installed, part of System Mechanic Software.
Even though I have uninstalled SM, I am told that the rootkit is still
there. How do I identify it and how do I get rid of it?
 
Richard Urban

Contact Iolo, the manufacturers of System Mechanic.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
 
Rock

T5 said:
Apparently, I have a rootkit installed, part of System Mechanic Software.
Even though I have uninstalled SM, I am told that the rootkit is still
there. How do I identify it and how do I get rid of it?

Ask the software author or ask in a virus/malware removal newsgroup.
 
cquirke (MVP Windows shell/user)

Apparently, I have a rootkit installed, part of System Mechanic Software.
Even though I have uninstalled SM, I am told that the rootkit is still
there. How do I identify it and how do I get rid of it?

Firstly: On what basis do you conclude that:
- you have a rootkit?
- it is related to System Mechanic Software?

Is this your issue:

http://www.wrensoft.com/forum/showthread.php?t=1451

?

If the malware is commercial malware (e.g. DRM) built into a
"legitimate" product, then few if any scanners will detect it. The
law is on the side of the malware authors here; by consenting to
their EUL"A", they can weasel in whatever junk they want to, and some
laws may make it illegal to share know-how on cleaning it up.

If the malware is traditional or commercial malware that is outside
the package, but stealthed in via a poor distribution "cold chain" or
the use of piracy-enabling "cracks", then scanners may detect it, if
it is common ITW (In The Wild).

Finally, if the malware is external to the app, but is not common ITW,
then the app vendor's sites or forums can't help you, and general
malware scanners may miss it as well. This is always a risk when
downloading cracks, cracked commercial apps, etc.


Rootkits alter runtime behavior of the infected OS to hide themselves
and/or other files and defend these against removal.

So the first step is to scan from an OS that runs no code from the
infected code base - what I refer to as "formal" scanning.

In DOS and Win9x, you can use DOS mode boot diskette as the
maintenance OS (mOS) and from there, use scanners written for DOS,
such as available from F-Prot, Sophos, NOD32 etc.

You can do the same in XP if you aren't using NTFS, but a far better
approach is to use Bart PE builder to build a Bart CDR as mOS, and
then use plugged-in or "loose" scanners from there. You can use CLI
scanners from McAfee, F-Prot, Sophos, Kaspersky, AVG etc. in this
way, as well as some Windows GUI scanners such as Stinger, Trend
SysClean etc. You can also use registry-orientated tools via the
RunScanner plugin, that allows such tools to operate as if the
inactive HD installation registry were in effect.

Vista has no equivalent to RunScanner, though you can use Bart for
Vista, or use a Vista-native WinPE or installation DVD boot as your
mOS. Vista64 is particularly difficult as the mOS boot mode will not
run 32-bit apps, and 64-bit av tools are not plentiful in early 2007.


The other way to look for rootkits, is to detect their behavior while
they are active. This seems a more dangerous approach, given an
active rootkit is well-positioned to defend itself or take punitive
action against attempts to remove it, but you may at least be able to
detect rootkit behavior and maybe point to a file or two, even if it
isn't prudent to attempt removal from the infected OS.

Several rootkit behavior detectors are available:
- Rootkit Revealer from System Internals
- Blacklight Beta from F-Prot / F-Secure
- other "beta" rootkit tools from AVG, Trend, Sophos, etc.

These tools have to be run from the infected OS in as "dirty" a state
as possible, so they aren't useful from Bart CDR boot, etc. However,
once you detect the relevant files, you could manage these with less
(or at least, different) fear of retaliation from Bart boot etc.


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
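cquirke's two approaches, a clean-boot scan and live behaviour detection, can be combined into a cross-view comparison (the principle behind Rootkit Revealer, which compares Windows API results with a raw on-disk scan): enumerate the disk from the running OS, enumerate it again from the maintenance OS, and diff the two views. The Python below is an added example, not code from the thread or from any tool named in it; the sample views, the temp-folder allowlist and the path-to-hash format are constructed assumptions.

```python
import hashlib
import ntpath
import os

# Constructed sample views (not from the thread): relative path -> SHA-256. LIVE is what
# the running, possibly rootkitted OS reports; OFFLINE is the same disk seen from a clean mOS.
LIVE_VIEW = {
    r"WINDOWS\system32\kernel32.dll": "aa" * 32,
    r"WINDOWS\system32\drivers\etc\hosts": "bb" * 32,
    r"Documents and Settings\Ron\Local Settings\Temporary Internet Files\x[1].htm": "cc" * 32,
}
OFFLINE_VIEW = {
    r"windows\system32\KERNEL32.DLL": "aa" * 32,        # same file, case differs only
    r"WINDOWS\system32\drivers\etc\hosts": "dd" * 32,   # contents differ
    r"WINDOWS\system32\drivers\hidden.sys": "ee" * 32,  # absent from the live view
    r"Documents and Settings\Ron\Local Settings\Temporary Internet Files\y[1].htm": "ff" * 32,
}
VOLATILE = ("\\temporary internet files\\", "\\temp\\")  # expected churn, reported apart

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))  # Windows paths are case-insensitive

def snapshot(root):
    """Walk a mounted tree into {relative path: sha256}; paths are relative to root
    so a live C:\\ walk and an offline D:\\ walk of the same disk line up."""
    view = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    view[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                view[os.path.relpath(full, root)] = ""  # unreadable: empty digest, still listed
    return view

def cross_view(live, offline):
    """Classify every path either view reports; 'hidden' is the classic rootkit sign."""
    live_n = {_norm(p): h for p, h in live.items()}
    off_n = {_norm(p): h for p, h in offline.items()}
    found = {"hidden": [], "ghost": [], "modified": [], "volatile": []}
    for path in sorted(set(live_n) | set(off_n)):
        lh, oh = live_n.get(path), off_n.get(path)
        if lh == oh:
            continue  # identical in both views
        # hidden: offline sees it but the live API does not; ghost: live-only; modified: tampered
        kind = "hidden" if lh is None else "ghost" if oh is None else "modified"
        found["volatile" if any(v in "\\" + path for v in VOLATILE) else kind].append(path)
    return found
```

Anything in the "hidden" bucket is the kind of file to handle from the Bart boot rather than from the infected OS, as the post advises.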
 
Guest

I used the Rootkit Revealer from Sysinternal.
It detected a lot of problems, mostly in my Internet temp folder.
It also detected one EXE file: KDIKW.EXE.

Now how do I fix all the problems???

Thanks
Ron
 
Guest

As a paralegal, I will tell you, based on the jurisprudence of contract law,
and jurisprudence generally ("the clean hands doctrine"), that you are dead
wrong! -- the law is NOT on the malware author's side!

On the contrary: their mechanism is ...F R A U D ... and I doubt the courts
will defend fraud.

You show me just one case that supports your contention.
 