IBM Thinkpad R40, Wipe and Reformat, Possible Rootkit


I think I may have a Rootkit on my IBM Thinkpad R40 2681-C8U. I know
about the Recovery CD. Is there any way with this model to safely wipe
the hard drive, reformat and use the Recovery CD or do I need to use
the original XP CD from way back when it came out - first release - and
then slowly get all those updates?

I mean, will the Recovery CD be enough to rid the Rootkit or, if I need
to do something more drastic, how is it safely done with this system,
assuming a hidden partition with all the recovery info (which this
laptop also has)?


Re: IBM Thinkpad R40, Wipe and Reformat, Possible Rootkit wrote:

Go to the Sysinternals site for the basics of rootkits.

[quote the site]
What is a Rootkit?

The term rootkit is used to describe the mechanisms and techniques
whereby malware, including viruses, spyware, and trojans, attempt to
hide their presence from spyware blockers, antivirus, and system
management utilities. There are several rootkit classifications
depending on whether the malware survives reboot and whether it executes
in user mode or kernel mode.

Persistent Rootkits
A persistent rootkit is one associated with malware that activates each
time the system boots. Because such malware contain code that must be
executed automatically each system start or when a user logs in, they
must store code in a persistent store, such as the Registry or file
system, and configure a method by which the code executes without user

Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and
therefore does not survive a reboot.

User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For
example, a user-mode rootkit might intercept all calls to the Windows
FindFirstFile/FindNextFile APIs, which are used by file system
exploration utilities, including Explorer and the command prompt, to
enumerate the contents of file system directories. When an application
performs a directory listing that would otherwise return results that
contain entries identifying the files associated with the rootkit, the
rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients
and kernel-mode services, and more sophisticated user-mode rootkits
intercept file system, Registry, and process enumeration functions of
the native API. This prevents their detection by scanners that compare
the results of a Windows API enumeration with that returned by a native
API enumeration.

Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they
intercept the native API in kernel-mode, but they can also directly
manipulate kernel-mode data structures. A common technique for hiding
the presence of a malware process is to remove the process from the
kernel's list of active processes. Since process management APIs rely on
the contents of the list, the malware process will not display in
process management tools like Task Manager or Process Explorer.

[end quote]
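
The cross-view comparison the quoted text describes (listing the same directory through the Win32 API and through a lower-level path, then reporting entries that only the lower-level view returns) can be modelled with constructed data. This is an added example, not code from the thread or from Sysinternals; the file names, the `_rk_` prefix and the hook-on/hook-off switches are all constructed, and no real API is hooked.

```python
"""Cross-view rootkit detection, modelled on the Sysinternals description:
take one directory listing through two different paths and flag entries that
one path returns but the other does not. Everything here is constructed."""

# Constructed on-disk truth: what a raw read of the directory would return.
RAW_LISTING = ["boot.ini", "ntldr", "_rk_svc.exe", "_rk_drv.sys", "notepad.exe"]


def user_mode_hook(entries, hidden_prefix="_rk_"):
    """Models a user-mode FindFirstFile/FindNextFile hook: the rootkit strips
    its own files from the results before the caller ever sees them."""
    return [e for e in entries if not e.startswith(hidden_prefix)]


def win32_view(hooked):
    """Listing as seen through the (possibly hooked) Win32 API."""
    return user_mode_hook(RAW_LISTING) if hooked else list(RAW_LISTING)


def native_view(hooked):
    """Listing as seen through the lower-level native API. A simple user-mode
    rootkit leaves this path alone; a more sophisticated one hooks it too."""
    return user_mode_hook(RAW_LISTING) if hooked else list(RAW_LISTING)


def cross_view_diff(high_view, low_view):
    """Entries present in the low-level view but missing from the high-level
    one: the discrepancy a cross-view scanner reports as hidden."""
    return sorted(set(low_view) - set(high_view))


def scan(win32_hooked, native_hooked):
    """Run the cross-view check for a given combination of hooked paths."""
    return cross_view_diff(win32_view(win32_hooked), native_view(native_hooked))


if __name__ == "__main__":
    # Simple user-mode rootkit: only the Win32 path is hooked, so the
    # native view still reveals the hidden files.
    print("win32 hooked only :", scan(True, False))
    # Sophisticated rootkit: both paths hooked, the two views agree and the
    # cross-view check finds nothing, which is the blind spot the text notes.
    print("both paths hooked :", scan(True, True))
```

The second run shows why a scanner needs a genuinely independent second view (for example a raw volume read) rather than two APIs the same rootkit can intercept.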

