The first problem to address after detecting a possible rootkit is to verify your findings. Your options are to trust the tool that found the rootkit, trust your own knowledge of Windows system internals, or investigate further. Of the three, most users will choose to investigate further, but how can the presence of a rootkit be verified?
Don’t expect rootkit detectors to provide extensive detail about the cause of an anomaly. If the anomaly is a kernel or user mode hook, the detector may not be able to find the process that placed the hook. If the anomaly is a hidden file, directory, or process, then there are steps to determine the underlying cause, but these steps will usually lead to security software, such as anti-virus or host-based intrusion prevention systems.
Most rootkit detection mechanisms cannot localize the processes responsible for a detected anomaly; and without a program name, service name, or device driver name, further investigation can be difficult. If a complete investigation cannot discern the reason for a detected anomaly, the final response should be to reinstall the operating system. Fortunately, InstallShield has made this much easier than it used to be. The good folks at Macrovision have made installing and uninstalling software so standardized that most off-the-shelf Windows software can be uninstalled and reinstalled in minutes. Because there are no kernel hooks, hidden registry entries, or hidden directories in a freshly installed Windows operating system, uninstalling software should eventually lead to a condition in which the anomaly is no longer present. If not, and you’ve removed all the major programs installed on the machine, the probability of a rootkit just happens to coincide with a state in which reinstalling the operating system is as unintrusive as possible.
Other options are available before uninstalling existing software or reinstalling the operating system. The first is to refresh your kernel system call table and then check for unrecognized directories, registry keys, services, and processes. Unfortunately, this requires some familiarization with your operating system; but when the alternative is complete reinstallation, spending a little time getting to know your operating system can be time well spent.
The program I recommend to refresh the kernel system call table is Rootkit Unhooker, shown in Figure 13-11, and available from UG North and HSL. This software can be used to detect kernel hooks and refresh individual functions within the system call table. It can also be used to find hidden processes, hidden device drivers, hidden files, and code hooks. Unlike Rootkit Hook Analyzer and IceSword, Rootkit Unhooker provides a clear indication of the kernel module responsible for the hook, making rootkit removal much easier.
Comparing the services list (Control Panel Administrative Tools Services) before and after refreshing the kernel system call table can uncover a hidden service, which can lead to a registry key, which can lead to a file. The registry key can be found by searching the registry (usually HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Services) for the service name shown on the Services’ General Properties tab. The file can be found using the ImagePath value of the located registry key. Once the file and the registry key have been deleted, a reboot should clear the detected anomaly.
Comparing the process list (Task Manager Processes tab) before and after refreshing the kernel system call table can provide an image name that can also lead to a registry entry and a file location.
Comparing exported sections of the registry before and after refreshing the kernel system call table can uncover a hidden registry entry that can also lead to a file location. To export a section of the registry, select Start Run and enter regedt32. From the registry editor, select a key that might contain hidden keys (usually HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services) and then select File Export. The files exported before and after refreshing the kernel system call table can be compared with WinDiff or any file comparison utility. Differences in these exported files can uncover hidden keys, which can lead to rootkit files.
Comparing sections of the file system before and after refreshing the kernel system call table can provide a direct file location. To compare directory listings, use a Command Prompt window (Start Run, and then enter cmd) and redirect the output of directory listings to files (“dir > comparisonFile.txt”). Then use WinDiff or a similar file comparison utility to check for differences.
When performing these operations, be aware that many anomalies are actually injected by the security software protecting your computer. Deleting these hooks, registry entries, and files can leave your computer open to rootkits - exactly the opposite of your intention.