
Thread: Finding rootkits: 2 plugins for Total Commander users

  1. #1
    Member of Team Spybot PepiMK
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,385

    Finding rootkits: 2 plugins for Total Commander users

    What do I need this for?

    Well, you probably don't. Anyway... as you might have noticed from the title, this is for NT-based Windows operating systems, which currently include Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 and Windows Vista, XP and Vista in both 32 and 64 bit flavours.

    Windows NT systems have been created to support multiple hardware platforms, and even applications for other software platforms, at least in early versions. This means that at the very bottom of Windows NT, there's the native Windows NT system, and above that, there's a layer for Windows 32 applications as known from Windows 95 upwards.

    The main usage of these plugins is probably hunting down rootkits. Rootkits try to hide from your system. And usually, they do this on the Windows 32 layer mentioned above, since every Windows software uses that. Hide a file in that layer, and Explorer and most other applications won't show it any more. The Windows 32 layer internally uses the Windows Native functions though. These plugins allow you to browse the file system, and your registry, using Windows Native functions, allowing you to see files that rootkits may have hidden in the Windows 32 layer.

    Still don't understand? Rootkits hide their files, and standard rootkits usually hide them only on the surface, while these plugins allow you to take a look behind the surface.

    If you're not hunting rootkits, this is very probably useless to you, sorry!
    And since these are not stand-alone products, you can only use them if you use Total Commander.

    Installation instructions
    1. Locate your Total Commander directory, e.g.
      C:\Apps\TotalCmd\
    2. Find your file system plugin folder, which then would be
      C:\Apps\TotalCmd\Plugins\wfx\
    3. Create a folder to keep our files in, e.g.
      C:\Apps\TotalCmd\Plugins\wfx\snlTCNTplugins\
    4. Copy NTFiles.wfx and NTRegistry.wfx into that folder
    5. Start Total Commander
    6. Main menu: Configuration -> Options
    7. Left overview: Operation -> Plugins -> File system plugins
    8. Press Add button, navigate to NTFiles.wfx, press OK.
    9. Press Add button, navigate to NTRegistry.wfx, press OK.
    10. Close the file system plugins window by pressing OK
    11. Close the configuration windows by pressing OK
    Too difficult to follow? We might create an installer to automate this, but then, these tools are designed to help track down rootkits, and if you're able to do this, you're also able to follow those instructions.

    Usage instructions
    • Browse to your network neighbourhood inside Total Commander
    • Browse into NTFiles to start browsing your file system
    • Browse into NTRegistry to start browsing your registry
    Download

    Since the servers should handle the 1.5.2 release currently, I didn't want to burden them with these files. So here is a rapidshare link. Just click the Free download button, ignore the payment options offered on the next page and wait until the ca. one minute countdown is down, type in the captcha and download. As soon as the servers have sorted out the heavy Spybot-S&D 1.5.2 traffic, I'll probably put it where it belongs. Wanted to provide it as a goodie for the community now though, since this was kind of a playground for testing some things that'll reappear in a different application...
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
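    The "look behind the surface" idea in the post above is a cross-view diff: list a directory once through the Win32 layer (FindFirstFile/FindNextFile, which is what Explorer and os.listdir use) and once through the native layer (NtOpenFile + NtQueryDirectoryFile in ntdll.dll), then report what only the native view shows. The script below is an added example written for this page, not the NTFiles.wfx plugin's own code. It assumes Python 3 on Windows with ctypes; the API names, structure layouts and constants are the documented ntdll/ntifs.h ones, the 64 KiB buffer size, the SystemRoot default target and the case-insensitive comparison are choices made here, and the sample directory listings in the test are constructed, not captured from a real machine.

```python
"""Cross-view directory diff: Win32 listing versus native NtQueryDirectoryFile listing.

Added example (not PepiMK's plugin code). Only the native enumeration helper is
Windows-specific; cross_view() is plain set logic and runs anywhere.
"""
import ctypes
import os
import sys
from ctypes import (POINTER, Structure, byref, c_int32, c_ubyte, c_uint16, c_uint32,
                    c_void_p, c_wchar_p, sizeof)

# Constants as defined in the Windows DDK headers (ntifs.h / winternl.h).
FILE_LIST_DIRECTORY = 0x0001
SYNCHRONIZE = 0x00100000
FILE_SHARE_ALL = 0x0007                    # FILE_SHARE_READ | WRITE | DELETE
FILE_DIRECTORY_FILE = 0x00000001
FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020
OBJ_CASE_INSENSITIVE = 0x00000040
FileNamesInformation = 12                  # FILE_INFORMATION_CLASS value
STATUS_NO_MORE_FILES = c_int32(0x80000006).value   # NTSTATUS as a signed 32-bit value


class UNICODE_STRING(Structure):
    _fields_ = [("Length", c_uint16), ("MaximumLength", c_uint16), ("Buffer", c_wchar_p)]


class OBJECT_ATTRIBUTES(Structure):
    _fields_ = [("Length", c_uint32), ("RootDirectory", c_void_p),
                ("ObjectName", POINTER(UNICODE_STRING)), ("Attributes", c_uint32),
                ("SecurityDescriptor", c_void_p), ("SecurityQualityOfService", c_void_p)]


class IO_STATUS_BLOCK(Structure):
    # union { NTSTATUS Status; PVOID Pointer; } followed by ULONG_PTR Information
    _fields_ = [("Status", c_void_p), ("Information", c_void_p)]


class FILE_NAMES_INFORMATION(Structure):
    # The real record continues with WCHAR FileName[] at offset 12; it is read manually below.
    _fields_ = [("NextEntryOffset", c_uint32), ("FileIndex", c_uint32), ("FileNameLength", c_uint32)]


def win32_listing(path):
    """What Explorer and most applications see: os.listdir() wraps FindFirstFileW/FindNextFileW."""
    return set(os.listdir(path))


def native_listing(path):
    """Bypass the Win32 layer: open the directory with NtOpenFile and walk it with NtQueryDirectoryFile."""
    if sys.platform != "win32":
        raise RuntimeError("native_listing needs ntdll.dll (Windows only)")
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtOpenFile.restype = c_int32
    ntdll.NtOpenFile.argtypes = [POINTER(c_void_p), c_uint32, POINTER(OBJECT_ATTRIBUTES),
                                 POINTER(IO_STATUS_BLOCK), c_uint32, c_uint32]
    ntdll.NtQueryDirectoryFile.restype = c_int32
    ntdll.NtQueryDirectoryFile.argtypes = [c_void_p, c_void_p, c_void_p, c_void_p,
                                           POINTER(IO_STATUS_BLOCK), c_void_p, c_uint32,
                                           c_int32, c_ubyte, c_void_p, c_ubyte]
    ntdll.NtClose.argtypes = [c_void_p]

    nt_path = "\\??\\" + os.path.abspath(path)      # Win32 "C:\dir" -> object manager path "\??\C:\dir"
    name = UNICODE_STRING(len(nt_path) * 2, len(nt_path) * 2 + 2, nt_path)
    attrs = OBJECT_ATTRIBUTES(sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(name),
                              OBJ_CASE_INSENSITIVE, None, None)
    handle = c_void_p()
    iosb = IO_STATUS_BLOCK()
    status = ntdll.NtOpenFile(byref(handle), FILE_LIST_DIRECTORY | SYNCHRONIZE, byref(attrs),
                              byref(iosb), FILE_SHARE_ALL,
                              FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT)
    if status < 0:
        raise OSError("NtOpenFile failed: NTSTATUS 0x%08X" % (status & 0xFFFFFFFF))

    names = set()
    buf = ctypes.create_string_buffer(64 * 1024)    # buffer size is an arbitrary choice
    restart = 1
    try:
        while True:
            status = ntdll.NtQueryDirectoryFile(handle, None, None, None, byref(iosb),
                                                ctypes.cast(buf, c_void_p), sizeof(buf),
                                                FileNamesInformation, 0, None, restart)
            if status == STATUS_NO_MORE_FILES:
                break
            if status < 0:
                raise OSError("NtQueryDirectoryFile failed: NTSTATUS 0x%08X" % (status & 0xFFFFFFFF))
            restart = 0
            offset = 0
            while True:                             # walk the packed FILE_NAMES_INFORMATION records
                entry = FILE_NAMES_INFORMATION.from_buffer(buf, offset)
                names.add(ctypes.wstring_at(ctypes.addressof(buf) + offset + sizeof(FILE_NAMES_INFORMATION),
                                            entry.FileNameLength // 2))
                if entry.NextEntryOffset == 0:
                    break
                offset += entry.NextEntryOffset
    finally:
        ntdll.NtClose(handle)
    return names


def cross_view(win32_names, native_names):
    """Entries the native view reports but the Win32 view lacks: candidates for Win32-layer hiding.
    Compared case-insensitively (NTFS is case-preserving, not case-sensitive); '.' and '..' are
    dropped because the native enumeration returns them and FindFirstFile-based listings do not."""
    seen = {n.lower() for n in win32_names}
    return sorted(n for n in native_names if n not in (".", "..") and n.lower() not in seen)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", "C:\\Windows")
    hidden = cross_view(win32_listing(target), native_listing(target))
    print("%d entries in native view but not in Win32 view under %s" % (len(hidden), target))
    for entry_name in hidden:
        print("  ", entry_name)
```

    Run it as `python crossview.py C:\Windows\system32` on the suspect box; on a clean system the diff is empty. The same limitation that applies to the NTFiles plugin applies here: a rootkit that hooks ntdll exports in your own process, the system service table, or the file system driver stack answers the native call too, so an empty diff only rules out hiding in the Win32 layer (kernel32/FindFirstFile-level hooks), and a full check would also compare against raw NTFS reads or an offline boot. The registry side works the same way with NtEnumerateKey/NtEnumerateValueKey against the advapi32 Reg* view.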

  2. #2
    Junior Member
    Join Date
    Jan 2010
    Posts
    1

    ReUp Plugins Please

    Quote Originally Posted by PepiMK
    What do I need this for?

    Please REUp the Plugins. I get an error trying to open NTFiles.wfx and NTRegistry.wfx files from the zip. I am trying to get rid of Command Service Malware that hijacks me to ads. Thanks for your help. Happy New Year!
    Last edited by ianidragonfly; 2010-01-02 at 22:56. Reason: I made an error

  3. #3
    Junior Member
    Join Date
    Mar 2014
    Posts
    1

    Plugins for Total Commander

    Quote Originally Posted by ianidragonfly
    Please ReUp the Plugins. I get an error trying to open NTFiles.wfx and NTRegistry.wfx files from the zip. I am trying to get rid of Command Service Malware that hijacks me to ads. Thanks for your help. Happy New Year!
    While I was successful in following your instructions on how to acquire these 2 specific plugins (NTFiles.wfx and NTRegistry.wfx) for TC, there is NO description on how to use them! I have never used plugins for TC before. I am currently trying to track down what is causing a computer to reset its browser home pages to 'MySearchDial' all the time, even after removing all references to this in the Registry. Furthermore, when I do remove them from the Registry and try to reset the home page for IE (this virus impacts all browsers), the values come back into the Registry, so the Registry does not appear to be the real cause of this virus. Your online help implied that there may be a rootkit file doing this, so I am trying to implement your suggestion for using TC to see and find these files, but once I installed these plugins (into the TC folder called "Plugins\wfx\snlTCNTplugins") I have no idea how to proceed.

    Vincent (03-08-2014)
