Any good forums to ask about root kits.
This is not an MC question but being aware of the answer to this would certainly help MC users.
Is there a forum where one can ask questions about a root kit (or other high-level computer problems)? I have a root kit on one of my computers. I have disconnected it from the home network and will reformat. However, I did a Google search and I read that these can actually get into the BIOS (reformat will not help). The other thing is that the same computer just had a reformat in the early spring and I do not really go out onto the web to unknown sites with it that often. I was thinking I would isolate it (from the internet only) after the format to see if it comes back and thus assume it came from the BIOS. So my question to an advanced forum would be how to keep my computer on the home network but stop it from using the internet (in other words, more than blocking it out with a firewall). Or maybe there is a way to know if it came from the BIOS.
I have this site. I have not checked to see if it has a forum.
http://www.theeldergeek.com
I have these web sites too.
This one can tell you which processes are bad on your machine.
www.processlibrary.com
This one can tell you which processes are bad on your machine.
www.softwarepatch.com/tips
Virus ideas
www.onecomputerguy.com
Thanks,
John
- JoshM
Re: Any good forums to ask about root kits.
Perhaps you can also try Q&A sites like SuperUser and IT Security. I haven't used these, but I had good experiences with similar Q&A sites (stackoverflow.com).
Good luck with your problem,
Josh
Re: Any good forums to ask about root kits.
Thanks Josh,
Interestingly enough, the worst virus I ever had came from a notebook battery site. It locked out the shutoff process, control panel, Ctrl+Alt+Delete would not work, AVG was disabled, etc. All because I wanted to research lithium ion battery optimizing.
You never know where they will be it seems. My machines running MC go to very few sites.
John
Re: Any good forums to ask about root kits.
John,

> However I did a google search and I read that these can actually get into the bios (reformat will not help).

The virus will not get into and infect your BIOS, unless the virus coder and the system programmer of your BIOS is the same person. In other words, you would have to work for the manufacturer of the motherboard and have very specific knowledge of your particular motherboard in order to write a virus capable of embedding itself into the BIOS. So the short answer is no. The chances are slim to none.

> So my question to an advanced forum would be (how to keep my computer on the home network but stop it from using the internet - in other words more than block it out with a firewall). Or maybe there is a way to know if it came from the bios.

This can be achieved by EITHER of the following:
1. Deny ALL OUTBOUND traffic AND enable OUTBOUND LAN traffic if using a software firewall. (I'm puzzled why you want to allow the LAN traffic? The virus can easily infect other PCs on your local network...)
2. Block WAN access for an infected PC if you are using a hardware router (if the router has this feature).
Regarding a root kit: http://support.kaspersky.com/viruses/so ... =208283366
Re: Any good forums to ask about root kits.
Hi geizer,
Thanks for the response.
Regarding,

> I'm puzzled why you want to allow the LAN traffic? - the virus can easily infect other PCs on your local network...

I started initially backing up across machines after a power supply wiped out a machine many years ago (toasted 7 components including 2 drives). I recovered from tape backup but I felt going across machines was faster. I still do this and I back up alternating to two outside machines (full and differential). One is a notebook and the other is a secondary machine that sometimes performs some sort of trading-related function (it is old and can not run MC at all). I also take key files offsite often on the notebook (always transferring). I transfer through the other secondary machine so I have 3 copies.
Interestingly enough, I have been on the web ever since it came to be, and I have only ever had a virus go across the network once. For some reason most seem to be a bit lazy in this regard and are content to cause problems on only one machine at a time (maybe I am just lucky, LOL). Maybe now that I have written this I will have a major attack and lose all 3 (time to get a USB backup). I take snapshots and put them in the safety deposit box for something like that. Now you have me thinking.
AVG found the root kit originally. Only 1 of the 3 machines had it. I just ran that root kit utility in your link. The normal run found nothing. I extended it with the option and it found Unsigned File PxHelp20 "suspicious object, medium risk". I decided to delete it since the machine is not critical. So I rebooted the machine and reran the scan again and it did not find it. I ran AVG and it said there is still 1 root kit. I updated AVG and ran it again. Now AVG says there are 3 of them. That makes me suspect AVG since I was not in any websites other than the AVG download nor did I run any other software in between (it was all done very fast with only at most a minute between). Maybe they downloaded 2 extra root kits for me, LOL. So I think it is time to format and see what happens (this machine is easy, I just back up my icons file and re-install software). With the main machine, in prep for a future main machine reformat I still plan on using Acronis (on my to-do list still). However I need a machine upgrade so maybe later.
Regarding,

> Deny ALL OUTBOUND traffic AND enable OUTBOUND LAN traffic if using a software Firewall.

Regarding the above, I am using Windows Firewall. I block absolutely everything except "AVG", "Dimension 4" and "File and Printer sharing". I am assuming this basically does what you are suggesting. I was not sure what to do with "Online Shield". I am not sure what this is and Google searches did not help.
Re: Any good forums to ask about root kits.
I suspect it is AVG that is wrong. I just reformatted and it still gives 3 root kits when running with no other installs and no access to web sites except the avg update.
Re: Any good forums to ask about root kits.
Malwarebytes is my go to malware checker at the moment. Whilst not specifically designed for rootkits it detects a good number. Boot in safe mode to minimise anything hoodwinking it.
If your motherboard has flashable ROM and you suspect it has been hijacked (theoretically possible but hugely, hugely unlikely) simply re-flash it from a clean environment (DOS boot and loader should do).
As for infection itself, I am a great believer in turning off Flash in your browser; it is not a very secure environment. I am sure it is improving all the time but better safe than sorry. It is quite feasible to use it to distribute malware through rogue websites or, more likely, hacked legitimate sites. There have been many reports of high-profile sites being hacked and probably many more that have not wanted the publicity.
If you want to run some specific Flash it's dead easy to enable on a case-by-case basis.
I am a bit out of the loop as to where the real cutting edge stuff is discussed, there used to be a usenet newsgroup that was right at the forefront, the name escapes me at the moment.
Re: Any good forums to ask about root kits.
Thanks Nick, I will have to research some of your info this weekend because some of it is a bit new to me.
This problem has got my curiosity bug. I did another format and immediate download and this time 2 root kits and 2 malware came with AVG. AVG also gets disabled and I can't even uninstall it, so it is another format for the next test (gee, I sure am getting good at formatting with precision instructions, LOL). It occurred to me it may be the download site, since the link I was using takes me to what appears to be AVG and then the actual download is from Cnet (download.com). I never go to that site on this machine. I have to ask why the AVG site is directing me to download.com if they are virus experts. I have an older link for AVG and I have a feeling my clean copy came from that link and upgrades may have come from somewhere else (not download.com). If that older link gets a clean AVG that runs properly too, then I will use it until it tells me to upgrade, click that button and see if that upgrade is clean (I will document the versions). Once I get the AVG curiosity bug out of my system I am going to try a different anti-virus software (maybe I will try it as part of this investigation). A review site recommended it as the best (above MS) and it is free, so why not.
I will post all the info since these types of things can be a bit distracting from trading to say the least. I am just glad it is on my secondary machine which I allocate to more risky web ventures outside my routine sites. I have a popup that bugs me every single day telling me not to go to any new sites with the production machine (only my routine sites). That popup started when I went to what I thought would be a safe site and I was wrong.
- furytrader
Re: Any good forums to ask about root kits.
A few months ago, I got infected with a rootkit virus even though I'm using Norton Internet Security. After several days of doing research and trying a host of different solutions, I bit the bullet and paid Norton $99 to do a manual search-and-remove. It took two different technicians to get the job done, but they were able to remove it completely from my computer. No reformatting required. It was definitely worth the $$$.
Re: Any good forums to ask about root kits.
Thanks furytrader,
That is interesting. I did not realize they would do that. I realize that to keep up on this stuff really does take a lot of knowledge and work, including constant backing up in a very strategic way. However I guess I like to learn this stuff (bit by bit at least). I think it is worth it. Using Acronis for $50 can eliminate the need to format by bringing the whole drive back in short order (reducing the number of times you want to format). I should talk, however. I still have not bought it. It is on my to-do list for use with the production machine where I may need a very fast recovery. The machine affected has nothing of value on it (it is turned off right now). It holds backups and I use it for visiting new web sites. The experience is good. Now I know how to control access to the machine using the Windows firewall (you can block other machines on the network or allow internal traffic and block the web). It is as easy as checking a box on or off. I can back up to that machine but not allow anything on that machine to get to my production machine.
I hope to find out if a virus put a fake AVG upgrade link on my machine some time this week. If AVG is in actual fact using download.com I will stay away from AVG eventually. I have to try and find a specialized forum this weekend. Somewhere that people like the people who fixed your problem hang out. They probably already know what I am trying to figure out. If I find it I will post it here.
Re: Any good forums to ask about root kits.
Cnet / download.com are generally trusted sites. They host downloads for lots of companies.
Am I right in thinking you got an alert after a format and a clean install of Windows? That sounds like it may be a false positive to me. What else did you re-install so far? Thinking on my feet, I am trying to think if something could hide on the boot sector/MBR through that format process. I don't think so (but would not swear to it). Are you using the Windows CD to format your hard drive? Very odd.
Re: Any good forums to ask about root kits.
P.S.
Obviously a back up and restore strategy is a useful weapon however I am always a bit wary to use it in the fight against malware. Fine to go back to a clean virgin image of your machine but I always worry that using a more recent restore might actually have the malware already backed up to it.
Re: Any good forums to ask about root kits.
Yes, it was a format directly from CD and I immediately installed AVG (nothing else on the machine and no other web sites accessed). So I run the scan and it finds the problems (changes every time too). The first time it went from 1 root kit to 3 root kits. That alone is strange. If someone wants to put a root kit on, why would they want to put 3 on (a bit of overkill I think)? After the 2nd format it finds only 2. Okay, if it was possible to put it on the BIOS, why would it drop down to 2 the second time around?
Okay, so before I run the scan I have to get in and make it a scheduled scan or else I do not get a root kit scan (there is another way but I did not know about it). So after the scan I can no longer go into the interface. I also can not even uninstall AVG.
Yes, a bit strange. This is supposedly the 2012 version. 2011 is fine. So I am going to try the old link for upgrades, maybe tonight, and see what happens. I am not sure what it will grab and from where. I do not remember AVG ever being upgraded from download.com before. It is supposed to be cheaper or something?
About the Bios or MBR geizer agrees, "highly unlikely". In my mind you guys are correct just because it changed each time (from 1 to 3 to 2). Maybe AVG is just full of bugs now? Maybe the MS competition is too much for them?
- TJ
Re: Any good forums to ask about root kits.
have you tried a new harddisk?
if your disk is over 3 years old, it doesn't hurt to do a preventive upgrade.
Re: Any good forums to ask about root kits.
I don't see a wink. Why would a hard disk help? All other programs ran fine before the format. Of course they are not running too well now since they are not installed yet.
Maybe a disk surface scan. However I don't think that would help. I will try the old upgrade link and see what happens. I will try that new software too. geizer's recommended software found a suspect file and fixed it. I have been using AVG a long time. It has handled all viruses except maybe 2 (format always fixed things and AVG was fine after a format). AVG (if it is AVG) is suspect now. Spybot used to be good. Now it gives problems so I won't install it. Maybe AVG is about to bite the dust too. We will see.
Re: Any good forums to ask about root kits.
I completed tonight's work. I just reformatted again and went after these. The only program on the machine is Google Chrome.
Here is a good site for rating Free Anti-Virus software.
http://www.techsupportalert.com/best-fr ... ftware.htm
I decided to try the top Pick.
http://www.avast.com/en-au/free-antivirus-download
This also downloads from download.com just like AVG.
At that same site I found this for Best Free Root-Kits
http://www.techsupportalert.com/best-fr ... emover.htm
Their best pick was the same one geizer recommended.
http://support.kaspersky.com/downloads/ ... killer.zip
AVG did not get that great a rating so I am going to try the new one for a while. Besides having both on the machine creates a conflict. The new one does have scheduling.
So I ran geizer's software again (a top pick) and it found nothing wrong.
I am running the new anti-virus. I suspect it will find nothing and there is a problem with the AVG 2012 version. The new anti-virus program also checks for root-kits.
Re: Any good forums to ask about root kits.
The whole computer scan with the top recommended anti-virus software at the link in the previous post ran fully clean on the newly formatted drive. So the AVG runs which found root kits and malware after the format were either AVG reporting incorrectly or the download itself. I can't prove it, but I suspect it is the download itself because I suspect the original problem came from that site (I have downloaded a few things now and then from download.com). The other reason I suspect it was a download was because AVG was reporting the root kit for a while but did not give a popup to notify me for a long time (something was different obviously). So I guess you need to download from that site on a secure computer and run your scans immediately. At the same time the new software came from download.com with no problems, so I am assuming most of those downloads will be okay.
Last edited by bowlesj3 on 18 Oct 2011, edited 1 time in total.
Re: Any good forums to ask about root kits.
It does rather sound like a false positive (even though that seems unlikely with no software installed). I guess you know that virus software looks for a 'signature'. Every now and then a legitimate piece of software will show a false positive. The virus scanner guys will usually fix this quite quickly by looking for a longer more unique signature.
I wonder if you have some strange driver that is showing a false positive? To be honest that seems unlikely but it would be one of the few things that would explain it. As an aside I have heard of a hardware manufacturer getting infected and distributing malware on a driver disc...once a long time ago...I'd give long odds it is not that
Certainly is a puzzle.
Re: Any good forums to ask about root kits.
Hi Nick,
The machine is an old IBM machine (bought used about 6 or 7 years ago - great for testing new sites, etc). So I guess my saying "AVG might be reporting incorrectly" is the same as "a false positive" (I have not heard that term before). Maybe. Should AVG be notified is the question?
I need to figure out why it took me a while to notice the root-kit in the report. In the past I seemed to always get a popup. Maybe the run parameters need a change as a result of a new version, or somewhere along the line I stopped setting the parameters properly. If not, I need a checklist item to actually look at the reports.
John
Re: Any good forums to ask about root kits.
Hi John, maybe their forum would be a good place to set out what has happened?
This is how Symantec define false positive btw:
A false positive, also known as a false detection or false alarm, occurs when an antivirus program detects a known virus string in an uninfected file. The file, while not infected with an actual virus, does contain a string of characters that matches a string from an actual virus.
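To make the definition Nick quotes concrete, here is a minimal byte-signature scanner as an added example (it is not code from this thread, from AVG, Symantec or any other vendor). It runs a short signature and a longer one taken from the same made-up "malicious" sample over a constructed benign file: the short signature also fires on the benign file (the false positive), the longer one does not, and the corpus check at the end is the kind of test a signature author would run against known-good files before shipping a definition. Every byte string and name below is constructed for illustration; nothing in it is real malware.

```python
"""Byte-signature scanning and false positives (added example, constructed data)."""
from typing import Dict, List

# Constructed sample "files" (assumed, not real binaries). Both start with the
# same executable header bytes so a header-only signature would match either.
MALICIOUS_SAMPLE = (
    b"MZ\x90\x00" + b"...init..." + b"HIDE_PROC:svchost" + b"\x00" * 8 + b"persist=ok"
)
BENIGN_DRIVER = (
    b"MZ\x90\x00" + b"vendor driver v1.0 " + b"HIDE_PROC" + b"ESS_MONITOR" + b" ok"
)
BENIGN_CORPUS: List[bytes] = [
    BENIGN_DRIVER,
    b"MZ\x90\x00" + b"plain text editor",
    b"MZ\x90\x00" + b"backup agent HIDE_PROCESS_MONITOR build 7",
]

# A short signature lifted from the malicious sample, and a longer, more
# specific one covering more of the same region. Real definition files usually
# carry these as hex strings, hence the parser below.
SHORT_SIGNATURE = b"HIDE_PROC"
LONG_SIGNATURE = b"HIDE_PROC:svchost"


def parse_hex_signature(text: str) -> bytes:
    """Turn a definition-file style hex string ('48 49 44 45') into bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def scan(data: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def false_positive_rate(signature: bytes, benign_corpus: List[bytes]) -> float:
    """Fraction of known-clean files a signature would flag; should be 0.0 before release."""
    hits = sum(1 for blob in benign_corpus if signature in blob)
    return hits / len(benign_corpus)


def demo() -> Dict[str, object]:
    """Run both signatures over both samples and summarise the outcome."""
    short_db = {"rootkit.short": SHORT_SIGNATURE}
    long_db = {"rootkit.long": LONG_SIGNATURE}
    return {
        # true positive: both signatures detect the malicious sample
        "malicious_short": scan(MALICIOUS_SAMPLE, short_db),
        "malicious_long": scan(MALICIOUS_SAMPLE, long_db),
        # false positive: the short pattern also occurs inside the clean driver
        "benign_short": scan(BENIGN_DRIVER, short_db),
        "benign_long": scan(BENIGN_DRIVER, long_db),
        # corpus check: the short signature flags 2 of 3 clean files
        "fpr_short": false_positive_rate(SHORT_SIGNATURE, BENIGN_CORPUS),
        "fpr_long": false_positive_rate(LONG_SIGNATURE, BENIGN_CORPUS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The file-level detail matters: the benign driver never contains the string "HIDE_PROC:svchost", only "HIDE_PROCESS_MONITOR", so the longer signature distinguishes the two while the short one cannot. That is exactly the fix Nick describes, a longer and more unique string, and the corpus check is how a vendor would catch the problem before a user's scan reports a clean machine as infected.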
Re: Any good forums to ask about root kits.
Hi Nick.
Thanks for the definition. It is interesting and good to know a bit about how these programs work. I was reading a bit about root-kits in the AVG help. I tend to go out to google for gathering information. Lots of ways to pick up info these days.
I just created a to-do for this weekend to create a list of anti-virus related forums. I had not even thought to look to see if AVG has a forum but that is a good idea. I did notice last night that the site above where I found the two reviews (anti-virus software and root-kit software) has a forum. That may be an excellent site to get to know since the person who actually did the comparison of the different software is likely to be on that forum and he is likely to be really up on this topic along with a lot of other people. When I create the list of forums I will check the post counts and maybe drop the list in this thread.
It is an interesting problem. The fact that AVG gets totally disabled such that I can not even uninstall it (requiring a format to correct the problem) suggests it could be AVG bugs, or it could be a virus disabling AVG and thus a download.com problem. A mystery yet to be solved at this point.
John.
Re: Any good forums to ask about root kits.
Stan, judging by the number of times you've reformatted your drive in an attempt to resolve this problem, I presume you have a backup that you know to be 'clean' and root-kit/virus free from which to restore.
Removing root-kits can be a frustrating task but if you have a clean backup, then there is no need to hunt down and delete the root-kit - which can take ten times longer than a restore. The problem appears to be that your root kit(s) remain after reformatting.
When you reformat a hard drive it doesn't erase the data on the hard drive - only the address tables. Get a Data Dump program and completely wipe/zero-fill the drive first before formatting and restoring from your back-up.
If it's still there after the restore, then your back-up is corrupt too.
As mentioned by others, it won't be in your BIOS.
Re: Any good forums to ask about root kits.
Hi marmun,
Thanks for your response.
The current new anti-virus software and the special root-kit software run clean (no root kit or other problems reported). The other machines are clean according to the prior version of AVG (it is 2012 AVG that seems likely to have a few problems). The new software has a higher find rating than AVG according to the tests they did. Apparently AVG has slipped lately. Having said all that, this weekend I have to take a closer look at the new software and make sure it is doing a thorough search.
I am not sure how this fits in with your "Data Dump program" suggestion, but I remove the partition, create the partition, then install XP, which includes a format. I seem to remember years ago having a program that wrote all zeros (early PC days). I have not seen anything like it in a while. I guess a google search will find them. On the D drive (a completely different disk) there is the slow format and the quick format. Maybe I have been thinking wrong, but I have always assumed that the slow format, which really is very slow, was clearing the data, whereas the fast format does what you have suggested. Maybe you can clarify the difference.
I am getting used to the new program slowly. It has most of the AVG features but I have trouble finding them yet, LOL.
John
Re: Any good forums to ask about root kits.
> The current new anti-virus software and the special root-kit software run clean (no root kit or other problems reported). The other machines are clean according to the prior version of AVG (it is 2012 AVG that seems likely to have a few problems). The new software has a higher find rating than AVG according to the tests they did. Apparently AVG has slipped lately. Having said all that, this weekend I have to take a closer look at the new software and make sure it is doing a thorough search.
Anti-virus programs only provide limited protection. Once you've let the malware in, AV programs are almost useless as the malware authors 'code' round them. When that happens, you need to run anti-malware software like MalwareBytes, SuperAntiSpyware, SpyBot Search & Destroy etc. to get rid of the nasties. Root-kits add another dimension and there is specialist software to hunt those down. However, as I mentioned before, it is easier and quicker to restore from a backup - but it's best to 'wipe' (NOT just 'reformat') the drive first - especially when infected with a root-kit.
> I am not sure how this fits in with your "Data Dump program" suggestion, but I remove the partition, create the partition, then install XP, which includes a format. I seem to remember years ago having a program that wrote all zeros (early PC days). I have not seen anything like it in a while. I guess a google search will find them.
Data Dump programs usually zero-fill the drive. So, for the purposes of this discussion 'Data Dump software' and 'Zero-fill software' are synonymous. Data Dump programs 'wipe' the data from drives rather than just delete it. Formatting does not 'wipe' or overwrite data on a drive. It only deletes the address tables. There are many such programs freely available. I see someone has already provided a link to Seagate's DiscWizard which does the job. Note: I don't know about that version of DiscWizard but previous versions of DiscWizard only zero-filled Seagate drives. If so, http://www.diskwipe.org/ is another freeware solution that works on any drive.
> On the D drive (a completely different disk) there is the slow format and the quick format. Maybe I have been thinking wrong, but I have always assumed that the slow format, which really is very slow, was clearing the data, whereas the fast format does what you have suggested. Maybe you can clarify the difference.
The difference between Quick and Full formatting is that a Full Format checks the entire disk for disk errors, bad sectors etc. whereas a Quick format bypasses all error checking. However, even a Full Format does not 'wipe' the data on a drive.
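marmun's point that a format rewrites only the address tables while a zero-fill overwrites every sector is easy to see on a toy disk image. The Python below is an added example, not code from this thread or from any of the tools mentioned in it; the sector size, the table layout and the file content are constructed for illustration.

```python
"""Added example (not from the forum thread): why a format is not a wipe.

A raw disk is modelled as a bytearray. The first few sectors hold a toy
file table (the forum's 'address tables'); everything after it is data.
A 'quick format' rewrites only the table, a zero-fill overwrites every
byte, and a raw-byte carve shows which one actually removes file content.
"""
SECTOR = 512
TABLE_SECTORS = 4  # constructed: first 4 sectors hold the file table


def new_disk(sectors):
    """A blank in-memory disk image of the given size (constructed)."""
    return bytearray(SECTOR * sectors)


def write_file(disk, sector, payload):
    """Store payload at `sector` and append a 'sector:length;' table entry."""
    assert sector >= TABLE_SECTORS and sector * SECTOR + len(payload) <= len(disk)
    start = sector * SECTOR
    disk[start:start + len(payload)] = payload
    entry = f"{sector}:{len(payload)};".encode()
    used = len(disk[:TABLE_SECTORS * SECTOR].rstrip(b"\x00"))
    disk[used:used + len(entry)] = entry


def list_files(disk):
    """Read the table: the only view a normal directory listing ever has."""
    raw = bytes(disk[:TABLE_SECTORS * SECTOR]).rstrip(b"\x00").decode()
    return [tuple(map(int, e.split(":"))) for e in raw.split(";") if e]


def quick_format(disk):
    """Format: only the table region is rewritten; data sectors are untouched."""
    disk[:TABLE_SECTORS * SECTOR] = bytes(TABLE_SECTORS * SECTOR)


def zero_fill(disk):
    """Wipe: every sector is overwritten with zeros."""
    disk[:] = bytes(len(disk))


def carve(disk, marker):
    """Search the raw bytes, ignoring the table. Returns the offset or -1."""
    return disk.find(marker)


def is_zero_filled(disk, chunk=4096):
    """Verify a wipe the way you would on a real device: read it all, in chunks."""
    return all(not any(disk[i:i + chunk]) for i in range(0, len(disk), chunk))


def demo():
    """Format leaves the content carvable; zero-fill does not."""
    disk = new_disk(64)
    write_file(disk, 10, b"SECRET DATA")
    quick_format(disk)
    after_format = (list_files(disk), carve(disk, b"SECRET DATA"))
    zero_fill(disk)
    after_wipe = (carve(disk, b"SECRET DATA"), is_zero_filled(disk))
    return after_format, after_wipe  # returns (([], 5120), (-1, True))
```

The same `is_zero_filled` check, run over a real block device from a boot CD, is how you confirm a wipe actually completed before trusting a scanner's verdict on the "empty" drive.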
Re: Any good forums to ask about root kits.
Thanks marmun,
You have been very helpful.
So from what you are saying I have to do this:
1/ format again and install AVG from a fresh download for a fresh test to see if it says there is a root kit on this test machine.
2/ format once again but this time zero fill and again download AVG and test to see if it says there is a root kit on this test machine.
If AVG says no then says no, I can conclude they have fixed AVG.
If AVG says yes then says no, I can conclude that AVG is reporting correctly.
If AVG says yes then says yes, I can conclude that AVG is reporting incorrectly (or a root kit is coming down with the download).
Last but not to be forgotten, if AVG says no then says yes, well AVG is just off the wall.
> However, as I mentioned before, it is easier and quicker to restore from a backup - but it's best to 'wipe' (NOT just 'reformat') the drive first - especially when infected with a root-kit.
With this machine there actually is no data to restore. It is a test machine. So doing what you suggest is no problem.
Re: Any good forums to ask about root kits.
> So from what you are saying I have to do this:
> 1/ format again and install AVG from a fresh download for a fresh test to see if it says there is a root kit on this test machine.
> 2/ format once again but this time zero fill and again download AVG and test to see if it says there is a root kit on this test machine.
If you think you might still have a root-kit on your machine, then you only have to do option '2'.
As I mentioned before, anti-virus software isn't all we'd like it to be. It flags many false-positives and also misses malware which has been coded to block detection by AV software. Root-kits in particular can be very stubborn. AV software is getting better but the malware authors are getting more devious in response. It's a constant battle.
Having said that...
If you do your option '2' above, then there won't be any reason to do '1'. Also, '2' will not leave anything on the drive except zeros - so it isn't possible to still have a root-kit on the drive afterwards. The only way you could still have a root-kit is if you were restoring from a back-up that was also infected. As you won't be restoring, this potential problem won't apply in your case.
> If AVG says no then says no, I can conclude they have fixed AVG.
Not necessarily. There is no AV software that catches everything and most miss a lot.
> If AVG says yes then says no, I can conclude that AVG is reporting correctly.
Again, not necessarily. All AV software also suffers from reporting false-positives.
> If AVG says yes then says yes, I can conclude that AVG is reporting incorrectly (or a root kit is coming down with the download).
If you're downloading AVG from their website, I'd say it is virtually impossible that it would be infected. If AVG still says yes after a zero-fill, then I'd dump AVG and start using AVAST.
> Last but not to be forgotten, if AVG says no then says yes, well AVG is just off the wall.
Make life easy on yourself and just go with Option '2'. Option '1' serves no useful purpose.
Re: Any good forums to ask about root kits.
Well, I was able to use diskwipe to zero fill the D drive. However, when I put XP on the D drive and then try to zero fill the C drive (even though, during the install, I had Windows remove the C partition, put it back on as raw and format the C drive successfully), every time I try to use DiskWipe to format the C drive it tells me the disk drive is in use. If I do a full format it gives the error at the very end.
I am wondering if at this point one should start using all external drives so they can be swapped very easily from C to D and back again. In other words swap them such that the operating system is always on the C drive and the zero fill is always the D drive. So once one drive is processed this way swap them and put the operating system on the other drive (again as C) and zero fill the other drive. It is far too much work to open the machine every time one has to do this.
Anyway, I am running AVG on the D drive only scanning everything to see if it is clean since at least I have a zero fill there to test AVG with.
!!!!!!!Great, AVG reported the same errors on the zero filled drive. So it seems the problem is with AVG. That would make a lot of sense considering that both of the other program runs (TDSSKiller and AVAST) reported no problems.
Last edited by bowlesj3 on 22 Oct 2011, edited 2 times in total.
Re: Any good forums to ask about root kits.
> Well, I was able to use diskwipe to zero fill the D drive. However, when I put XP on the D drive and then try to zero fill the C drive (even though, during the install, I had Windows remove the C partition, put it back on as raw and format the C drive successfully), every time I try to use DiskWipe to format the C drive it tells me the disk drive is in use. If I do a full format it gives the error at the very end.
I'm not sure I understand what you've written above, but if you're receiving a 'disk drive is in use' message then it sounds like you're trying to zero-fill the drive from which your OS is currently running. From what you've written it's hard to tell whether you're using two separate disk drives or one drive which is partitioned into C: & D:.
> I am wondering if at this point one should start using all external drives so they can be swapped very easily from C to D and back again. In other words swap them such that the operating system is always on the C drive and the zero fill is always the D drive. So once one drive is processed this way swap them and put the operating system on the other drive (again as C) and zero fill the other drive. It is far too much work to open the machine every time one has to do this.
You might be better off creating a bootable CD with a zero-fill utility like http://www.terabyteunlimited.com/copywipe.php#download and booting into that instead of trying to do it through Windows.
Re: Any good forums to ask about root kits.
Hi marmun,
Actually it is a separate physical C and D drive. The operating system is on D and C was zero filled (see my update above that came in just a split second before your post).
I am happy with the results since the problem appears to be AVG version 2012. However I will check into your latest suggestion. For sure that is the way to go and I want to be able to do it quickly in the future, so now is the time to learn it. The last time I created a boot disk was a DOS diskette, LOL. I have gotten spoiled.
It has been a long day (over 12 hours doing this stuff and other work on the other machine along side). Time to call it a night.
Have a great weekend marmun.
John
Re: Any good forums to ask about root kits.
This utility worked. CopyWipe was able to run directly from the D drive where I had windows and zero fill the C drive even after I removed the partition (there was no need to create a boot CD). It said the operation completed normally. So I assume both have been zeroed now. I am resetting everything back to normal (C has windows and D is for backing up my other machine's data).
I never did create a boot CD for this process. I did put a prebuilder.iso file on a regular CD and tried booting from that. It did not seem to work. I guess those are the install files and I think I had more steps to do for the actual boot. I cut it short by trying what I describe in the 1st procedure and since it worked I stopped there. Maybe next weekend I will see if I can figure out how to complete the boot CD approach and if I can I will wipe the D drive for a test.
Thanks again marmun. At least I know for sure it is an AVG 2012 problem.
John.
Re: Any good forums to ask about root kits.
Getting directly back to the original topic of this thread, at one point I said that I would create a list of anti-virus related forums. Here is my followup.
Gizmo's is a tech support site. This site has the Anti-Virus review. They have a Freeware Forum.
http://www.techsupportalert.com/freeware-forum/
The Kaspersky Lab (for root kits) has a forum
http://forum.kaspersky.com/
The AVG anti-virus software site has a forum
http://forums.avg.com/ca-en/avg-forums
The Avast anti-virus software site has a forum
http://forum.avast.com/
The IT security side has a FAQ setup.
http://security.stackexchange.com/questions
http://superuser.com/ has a questions and answers section.
Last but not least, a google search for "anti virus software forums" pulled up some interesting forums. Here are some.
Wilder's Security forums
http://www.wilderssecurity.com/forumdisplay.php?f=32
http://forums.devshed.com/antivirus-protection-117/