
verifying Windows binaries after corruption/rootkit/bitrot

Posted: Fri Sep 27, 2013 8:24 pm
by garegin
I don't know if this is the right board, but here we go.

How can I verify that the stock Windows system files have not been corrupted? I know that certain rootkits can alter them and stay undetected (not alter the checksum). I believe modern Windows versions have system file protection and W8 has Secure Boot, but is there a straightforward way I can verify the binaries, or use third-party tools that can?
If all the system files are binary identical across different deployments then an altered binary can be detected, right?
I am saying all this because some POS rootkit is randomly calling shutdown.exe to restart my machine and then change the partition type to hidden (0x17). fixmbr, fixboot, and offline scanning have been tried already.
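The cross-deployment comparison garegin describes (if the system files are byte-identical between machines, a tampered one shows up as a hash mismatch) can be done with a small manifest tool. The script below is an added example written for this thread, not code from any poster or from Microsoft: it hashes every `.exe`, `.dll` and `.sys` file under a tree, and compares a manifest taken from a known-good install of the same Windows build against one taken from the suspect machine. The file names and contents in `demo()` are constructed placeholders, not real Windows binaries. For a suspected rootkit the suspect tree should be hashed offline, e.g. with the disk mounted from a clean boot medium, since a rootkit running on the live system can hide or fake the files it protects.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not loaded into memory at once


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, patterns=("*.exe", "*.dll", "*.sys")) -> dict:
    """Map each matching file (path relative to root, lower-cased, forward slashes) to its SHA-256.

    Paths are lower-cased because Windows file names are case-insensitive, so the same
    file must get the same key on both machines.
    """
    root = Path(root)
    manifest = {}
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_file():
                manifest[p.relative_to(root).as_posix().lower()] = sha256_file(p)
    return manifest


def compare_manifests(reference: dict, observed: dict) -> dict:
    """Report files whose hash differs, files absent from the suspect tree, and files not in the reference."""
    ref_keys, obs_keys = set(reference), set(observed)
    return {
        "modified": sorted(k for k in ref_keys & obs_keys if reference[k] != observed[k]),
        "missing": sorted(ref_keys - obs_keys),
        "unexpected": sorted(obs_keys - ref_keys),
    }


def demo() -> dict:
    """Constructed sample: a 'known-good' tree and a copy with one file altered, one removed, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good" / "Windows" / "System32"
        suspect = Path(tmp) / "suspect" / "Windows" / "System32"
        for d in (good, suspect):
            d.mkdir(parents=True)
        # Placeholder contents standing in for real system binaries (constructed, not real files).
        files = {
            "shutdown.exe": b"MZ-shutdown-v1",
            "kernel32.dll": b"MZ-kernel32-v1",
            "ntfs.sys": b"MZ-ntfs-v1",
        }
        for name, data in files.items():
            (good / name).write_bytes(data)
            (suspect / name).write_bytes(data)
        # Simulate tampering on the suspect machine: any change flips the SHA-256.
        (suspect / "shutdown.exe").write_bytes(b"MZ-shutdown-v1-PATCHED")
        (suspect / "ntfs.sys").unlink()
        (suspect / "extra.dll").write_bytes(b"MZ-extra")
        return compare_manifests(
            build_manifest(Path(tmp) / "good"),
            build_manifest(Path(tmp) / "suspect"),
        )


if __name__ == "__main__":
    import json
    # Real use: run build_manifest() on a clean machine, save the JSON, then run it again on the
    # mounted suspect volume and feed both manifests to compare_manifests().
    print(json.dumps(demo(), indent=2))
```

The reference manifest has to come from the same Windows build and patch level, otherwise every updated file shows up as "modified" and the real tampering drowns in noise; the manifest itself should be stored on media the suspect machine cannot write to.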

Re: verifying Windows binaries after corruption/rootkit/bitrot

Posted: Sat Sep 28, 2013 3:45 am
by dozniak
First of all, this is the wrong forum.

Second, formatting c: and installing a Linux distro from a freshly downloaded DVD will solve the problem once and for all.