HIJACK ADS scan – quickest indication of a rootkit


    #437863

    Would scanning a PC using HijackThis (ADS scan, on the tools menu), assuming it found some alternate data streams (not including MS FAX!), be the quickest way of having an ‘indication’ of a rootkit?

    Cheers
    TAJ

    • #1042276

      I would use Mark Russinovich’s (oops, Microsoft’s!) tool “RootkitRevealer”. Or there is a rootkit finder/remover by Sophos, the antivirus firm. And no doubt many others by the other AV manufacturers.

      I’m rather puzzled why you think that Merijn’s HijackThis, which checks browser hijacking, registry entries, startup links, etc, would have anything to say about rootkits, which came after HijackThis was written…

      John

      • #1042281

        John,

        Thanks for that. The reason I ask is that I was fixing a friend’s PC that had a rootkit on it. After the rootkit was stopped/disabled from starting, a scan with HijackThis’ ADS scan (Config > Misc Tools > Open ADS Spy) revealed the same file where the rootkit was hidden. I forget the exact details, but it found something along the lines of this:
        windows\system32\nameoffile : (colon) name of hidden file within

        What I wish I’d done was the HijackThis ADS scan before the rootkit was disabled from starting.

        Cheers
        TAJ

        • #1042432

          I’m not sure that HijackThis would have even seen that file if the rootkit was still running. If my understanding of rootkits is correct, they hide themselves from detection by that sort of program almost completely.

          I have never dealt with a rootkit personally (and hope I never have to). I’m basing my comment on what I’ve read about them.
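The thread turns on two points: an NTFS alternate data stream shows up as `file:streamname` (the `windows\system32\nameoffile : hiddenfile` line above), and a running rootkit can filter what a user-mode enumeration sees. The script below is an added example, not code from the thread or from HijackThis; it enumerates non-standard streams under a directory with PowerShell's own `Get-Item -Stream`, drops stream names Windows creates routinely, and diffs the result against a baseline saved earlier. The directory, the baseline file name and the list of benign stream names are assumptions for illustration. It assumes PowerShell 3.0 or later, an NTFS volume and an elevated prompt so system directories are readable.

```powershell
# Added example (not from the thread). Lists alternate data streams under $Path,
# ignores stream names Windows and browsers create routinely, and reports any
# stream that was not present in a baseline taken earlier.
# Assumed defaults: System32 as the target, a JSON baseline in %TEMP%.
param(
    [string]$Path = "$env:SystemRoot\System32",
    [string]$BaselineFile = "$env:TEMP\ads-baseline.json",
    [switch]$SaveBaseline
)

# Stream names that are expected on an ordinary Windows box (assumed list).
# ':$DATA' is the primary, unnamed stream every file has.
$KnownBenign = @(':$DATA', 'Zone.Identifier', 'SmartScreen')

function Get-AdsInventory {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream (FileName, Stream, Length);
            # locked or inaccessible files are skipped rather than aborting the scan.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $KnownBenign -notcontains $_.Stream } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
            }
        }
}

$current = @(Get-AdsInventory -Root $Path)

if ($SaveBaseline) {
    # -InputObject keeps an empty or single-item result as a JSON array.
    ConvertTo-Json -InputObject $current -Depth 3 |
        Set-Content -LiteralPath $BaselineFile -Encoding UTF8
    Write-Host ("Baseline of {0} non-standard stream(s) written to {1}" -f $current.Count, $BaselineFile)
    return
}

if (Test-Path -LiteralPath $BaselineFile) {
    $baseline = @(Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)
    $seen = @{}
    foreach ($b in $baseline) { $seen["$($b.File)|$($b.Stream)"] = $true }
    $new = @($current | Where-Object { -not $seen.ContainsKey("$($_.File)|$($_.Stream)") })
} else {
    # No baseline yet: everything non-standard is worth a look.
    $new = $current
}

"{0} non-standard stream(s) found under {1}, {2} not in baseline:" -f $current.Count, $Path, $new.Count
$new | Sort-Object File | Format-Table File, Stream, Bytes -AutoSize
```

Run it once with `-SaveBaseline` while the machine is trusted, then without it when the machine is suspect. The caveat raised in the last reply still applies: this enumeration goes through the same Win32 calls a kernel-mode rootkit can hook, so a stream it hides will not appear here either. The useful comparison is a cross-view one: take the second inventory with the volume mounted from a clean boot environment (for example WinPE, pointing `-Path` at the offline volume) and diff it against the live one; a stream visible offline but not live is the kind of discrepancy RootkitRevealer is built to surface.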
